For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-serverless-api-access-logging-setting-undefined.md. A documentation index is available at /llms.txt.

Serverless API access logging setting undefined

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-serverless-api-access-logging-setting-undefined

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Observability

Learn More

Description

Serverless APIs should have access logging enabled to create an audit trail and support incident investigation and detection of anomalous or abusive traffic. For AWS::Serverless::Api resources, the Properties.AccessLogSetting property must be defined and not null. For AWS::Serverless::HttpApi resources, the Properties.AccessLogSettings property must be defined and not null. These properties configure the log destination and format, so missing or null values will be flagged. Ensure the access log configuration includes a log destination (for example, DestinationArn) and a Format describing the fields to record.

Secure configuration examples:

MyServerlessApi:
  Type: AWS::Serverless::Api
  Properties:
    StageName: prod
    AccessLogSetting:
      DestinationArn: arn:aws:logs:us-east-1:123456789012:log-group:/aws/apigateway/my-api-logs
      Format: '$context.identity.sourceIp - $context.requestId - $context.httpMethod $context.path'

MyHttpApi:
  Type: AWS::Serverless::HttpApi
  Properties:
    AccessLogSettings:
      DestinationArn: arn:aws:logs:us-east-1:123456789012:log-group:/aws/apigateway/my-httpapi-logs
      Format: '{"requestId":"$context.requestId","ip":"$context.identity.sourceIp","method":"$context.httpMethod","path":"$context.path"}'

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi2:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
      AccessLogSetting:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
        Format: >-
          {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
          "caller":"$context.identity.caller",
          "user":"$context.identity.user","requestTime":"$context.requestTime",
          "eventType":"$context.eventType","routeKey":"$context.routeKey",
          "status":"$context.status","connectionId":"$context.connectionId"}

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  HttpApi2:
      Type: AWS::Serverless::HttpApi
      Properties:
        StageName: !Ref StageName
        Tags:
          Tag: Value
        AccessLogSettings:
          DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
          Format: >-
            {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
            "caller":"$context.identity.caller",
            "user":"$context.identity.user","requestTime":"$context.requestTime",
            "eventType":"$context.eventType","routeKey":"$context.routeKey",
            "status":"$context.status","connectionId":"$context.connectionId"}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  HttpApi:
      Type: AWS::Serverless::HttpApi
      Properties:
        StageName: !Ref StageName
        Tags:
          Tag: Value