For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-api-gateway-access-logging-disabled.md. A documentation index is available at /llms.txt.

API Gateway access logging disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-aws-api-gateway-access-logging-disabled

Provider: AWS

Platform: Terraform

Severity: Medium

Category: Observability

Learn More

Description

When configuring an AWS API Gateway stage in Terraform, it is important to define the access_log_settings block to ensure that access logs are collected and sent to a centralized logging destination, such as an Amazon CloudWatch Logs group. Without specifying the access_log_settings, as shown in the configuration below, API requests and responses will not be logged, making it difficult to detect anomalous activity, debug issues, or perform security investigations:

resource "aws_api_gateway_stage" "example" {
  stage_name  = "dev"
  rest_api_id = "id"
  // Missing access_log_settings
}

The absence of access logging creates a blind spot in monitoring and incident response, potentially allowing malicious activities and API misuse to go unnoticed. To address this, always include the access_log_settings block in your API Gateway stage resource, specifying a valid destination_arn:

resource "aws_api_gateway_stage" "example" {
  stage_name  = "dev"
  rest_api_id = "id"

  access_log_settings {
    destination_arn = "arn:aws:logs:region:account-id:log-group:your-log-group"
  }
}

Enabling access logging helps meet compliance requirements and establishes a robust audit trail for all API interactions.

Compliant Code Examples

resource "aws_api_gateway_stage" "negative1" {
  stage_name    = "dev"
  rest_api_id   = "id"

  access_log_settings {
    destination_arn = "dest"
  }
}

resource "aws_api_gateway_method_settings" "all" {
  stage_name  = aws_api_gateway_stage.negative1.stage_name
  method_path = "*/*"

  settings {
    metrics_enabled = true
    logging_level   = "ERROR"
  }
}

resource "aws_apigatewayv2_stage" "negative2" {
  stage_name    = "dev"
  rest_api_id   = "id"

  access_log_settings {
    destination_arn = "dest"
  }

  default_route_settings {
    logging_level   = "ERROR"
  }
}

Non-Compliant Code Examples

resource "aws_api_gateway_stage" "postive1" {
  stage_name    = "dev"
  rest_api_id   = "id"
}

resource "aws_api_gateway_method_settings" "all" {
  stage_name  = aws_api_gateway_stage.postive1.stage_name
  method_path = "*/*"

  settings {
    logging_level   = "ERROR"
  }
}

resource "aws_apigatewayv2_stage" "postive2" {
  stage_name    = "dev"
  rest_api_id   = "id"

  default_route_settings {
    logging_level   = "ERROR"
  }
}

resource "aws_api_gateway_stage" "postive1" {
  stage_name    = "dev"
  rest_api_id   = "id"

  access_log_settings {
    destination_arn = "dest"
  }
}

resource "aws_api_gateway_method_settings" "all" {
  stage_name  = aws_api_gateway_stage.postive1.stage_name
  method_path = "*/*"

  settings {
    logging_level   = ""
  }
}

resource "aws_apigatewayv2_stage" "postive2" {
  stage_name    = "dev"
  rest_api_id   = "id"

  access_log_settings {
    destination_arn = "dest"
  }

  default_route_settings {
    logging_level   = ""
  }
}

resource "aws_api_gateway_stage" "postive1" {
  stage_name    = "dev"
  rest_api_id   = "id"

  access_log_settings {
    destination_arn = "dest"
  }
}

resource "aws_api_gateway_method_settings" "all" {
  stage_name  = aws_api_gateway_stage.postive1.stage_name
  method_path = "*/*"

  settings {
    metrics_enabled = true
  }
}

resource "aws_apigatewayv2_stage" "postive2" {
  stage_name    = "dev"
  rest_api_id   = "id"

  access_log_settings {
    destination_arn = "dest"
  }

  default_route_settings {
    data_trace_enabled = "true"
  }
}