Enhancement of traceability and logging capabilities in API Gateway
provider "aws" {
region = "us-west-2"
}
resource "aws_api_gateway_rest_api" "my_rest_api" {
name = "my_rest_api"
description = "This is my API for demonstration purposes"
}
resource "aws_api_gateway_stage" "prod" {
stage_name = "prod"
rest_api_id = aws_api_gateway_rest_api.my_rest_api.id
deployment_id = aws_api_gateway_deployment.my_deployment.id
}
The above code illustrates an AWS API Gateway setup using Terraform without enabling the logging feature.
The
aws_api_gateway_rest_api block creates an API Gateway REST API. The
aws_api_gateway_stage block creates a stage for the API, in this case, "prod" (production).
However, in this configuration, the logging feature is not enabled. This means that the API Gateway will not store any logs of its operations.
Logs are crucial for monitoring and debugging purposes. They record the activities within your application and can provide useful insights. They can also be used by other AWS services like CloudWatch to detect potential system anomalies.
Without the logging feature enabled, you might miss critical information about your application's behavior, making it harder to identify and fix issues. This lack of traceability is a system vulnerability.
provider "aws" {
region = "us-west-2"
}
resource "aws_api_gateway_rest_api" "my_rest_api" {
name = "my_rest_api"
description = "This is my API for demonstration purposes"
}
resource "aws_api_gateway_stage" "prod" {
stage_name = "prod"
rest_api_id = aws_api_gateway_rest_api.my_rest_api.id
deployment_id = aws_api_gateway_deployment.my_deployment.id
# Enable logging
access_log_settings {
destination_arn = aws_cloudwatch_log_group.example.arn
format = "$context.identity.sourceIp - - [$context.requestTime] \"$context.httpMethod $context.routeKey $context.protocol\" $context.status $context.responseLength $context.requestId"
}
}
resource "aws_cloudwatch_log_group" "example" {
name = "${aws_api_gateway_rest_api.my_rest_api.name}-access-logs"
}
The above code fixes the vulnerability by enabling the logging feature for the API Gateway instance. This is done by adding the
access_log_settings block inside the
aws_api_gateway_stage resource.
The
access_log_settings block has two properties:
destination_arn and
format.
-
destination_arn is set to the ARN of a CloudWatch Logs group where the access logs will be stored. This is created using the
aws_cloudwatch_log_group resource. The name of the log group is set to be the name of the API Gateway instance followed by
-access-logs.
-
format is set to a string that specifies the format of the access logs. This string can include a number of different variables that provide information about the request and response. In this case, the format string includes information such as the source IP of the request, the HTTP method used, the route key, the protocol, the status code of the response, the length of the response, and the request ID.
By enabling logging and setting a destination for the log files, you can ensure that all information about requests to and responses from the API Gateway instance is preserved. This information can then be used to detect possible system anomalies.