---
title: Serverless API access logging setting undefined
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Serverless API access logging setting
  undefined
---

# Serverless API access logging setting undefined

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `cloudformation-aws-serverless-api-access-logging-setting-undefined` 

**Provider:** AWS

**Platform:** CloudFormation

**Severity:** Medium

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-accesslogsetting.html)

### Description{% #description %}

Serverless APIs should have access logging enabled to create an audit trail and support incident investigation and detection of anomalous or abusive traffic. For `AWS::Serverless::Api` resources, the `Properties.AccessLogSetting` property must be defined and not `null`. For `AWS::Serverless::HttpApi` resources, the `Properties.AccessLogSettings` property must be defined and not `null`. These properties configure the log destination and format, so missing or `null` values will be flagged. Ensure the access log configuration includes a log destination (for example, `DestinationArn`) and a `Format` describing the fields to record.

Secure configuration examples:

```yaml
MyServerlessApi:
  Type: AWS::Serverless::Api
  Properties:
    StageName: prod
    AccessLogSetting:
      DestinationArn: arn:aws:logs:us-east-1:123456789012:log-group:/aws/apigateway/my-api-logs
      Format: '$context.identity.sourceIp - $context.requestId - $context.httpMethod $context.path'
```

```yaml
MyHttpApi:
  Type: AWS::Serverless::HttpApi
  Properties:
    AccessLogSettings:
      DestinationArn: arn:aws:logs:us-east-1:123456789012:log-group:/aws/apigateway/my-httpapi-logs
      Format: '{"requestId":"$context.requestId","ip":"$context.identity.sourceIp","method":"$context.httpMethod","path":"$context.path"}'
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi2:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
      AccessLogSetting:
        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
        Format: >-
          {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
          "caller":"$context.identity.caller",
          "user":"$context.identity.user","requestTime":"$context.requestTime",
          "eventType":"$context.eventType","routeKey":"$context.routeKey",
          "status":"$context.status","connectionId":"$context.connectionId"}
```

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  HttpApi2:
      Type: AWS::Serverless::HttpApi
      Properties:
        StageName: !Ref StageName
        Tags:
          Tag: Value
        AccessLogSettings:
          DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
          Format: >-
            {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp",
            "caller":"$context.identity.caller",
            "user":"$context.identity.user","requestTime":"$context.requestTime",
            "eventType":"$context.eventType","routeKey":"$context.routeKey",
            "status":"$context.status","connectionId":"$context.connectionId"}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  ApiGatewayApi:
    Type: AWS::Serverless::Api
    Properties:
      StageName: prod
      TracingEnabled: true
      CacheClusterEnabled: true
```

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  HttpApi:
      Type: AWS::Serverless::HttpApi
      Properties:
        StageName: !Ref StageName
        Tags:
          Tag: Value
```