Traceability Loss - API Gateway - cloudformation

Need

Enhancement of traceability and logging capabilities in API Gateway

Context

  • Usage of CloudFormation for Infrastructure as Code (IaC)
  • Usage of AWS SDK for interacting with Amazon Web Services

Description

Non compliant code

        Resources:
          MyRestApi:
            Type: AWS::ApiGateway::RestApi
            Properties:
              Name: my-rest-api
              Description: This is my API for demonstration purposes

          # A deployment requires at least one method on the API; a mock GET on the
          # root resource keeps this template deployable without a backend
          MyRootMethod:
            Type: AWS::ApiGateway::Method
            Properties:
              RestApiId: !Ref MyRestApi
              ResourceId: !GetAtt MyRestApi.RootResourceId
              HttpMethod: GET
              AuthorizationType: NONE
              Integration:
                Type: MOCK

          MyDeployment:
            Type: AWS::ApiGateway::Deployment
            DependsOn: MyRootMethod
            Properties:
              RestApiId: !Ref MyRestApi
              # No StageName here: giving the deployment and the Stage resource the
              # same stage name makes the stack fail because the stage already exists

          MyStage:
            Type: AWS::ApiGateway::Stage
            Properties:
              StageName: prod
              DeploymentId: !Ref MyDeployment
              RestApiId: !Ref MyRestApi
              # No AccessLogSetting: requests to this stage leave no access log entry

This template defines an API Gateway REST API in CloudFormation without enabling logging. AWS::ApiGateway::RestApi creates the API and AWS::ApiGateway::Stage defines the prod stage, but the stage has no AccessLogSetting, so API Gateway writes no access log entry for the requests it serves. Nobody can later establish which client called which method, at what time and with what result, so troubleshooting and detecting abusive or anomalous traffic become guesswork. This loss of traceability is the security weakness. Execution logging (MethodSettings with a LoggingLevel on the stage) is a separate setting and is also absent here; it is not a substitute for access logs, which give one structured line per request with fields you choose.

Steps

  • Define an AWS::Logs::LogGroup to receive the access logs, with a retention period so entries survive long enough to be investigated
  • Enable access logging on the API Gateway stage with the AccessLogSetting property
  • Reference the log group ARN as the DestinationArn of that setting
  • Set a detailed access log format using $context variables (source IP, request time, method, resource path, status and request ID at minimum)

Compliant code

        Resources:
          MyRestApi:
            Type: AWS::ApiGateway::RestApi
            Properties:
              Name: my-rest-api
              Description: This is my API for demonstration purposes

          MyLogGroup:
            Type: AWS::Logs::LogGroup
            Properties:
              LogGroupName: !Sub "${MyRestApi}-access-logs"
              # Keep entries long enough to investigate an incident; the default is
              # to never expire them
              RetentionInDays: 90

          # A deployment requires at least one method on the API; a mock GET on the
          # root resource keeps this template deployable without a backend
          MyRootMethod:
            Type: AWS::ApiGateway::Method
            Properties:
              RestApiId: !Ref MyRestApi
              ResourceId: !GetAtt MyRestApi.RootResourceId
              HttpMethod: GET
              AuthorizationType: NONE
              Integration:
                Type: MOCK

          MyDeployment:
            Type: AWS::ApiGateway::Deployment
            DependsOn: MyRootMethod
            Properties:
              RestApiId: !Ref MyRestApi
              # No StageName: the stage is managed by the MyStage resource below

          MyStage:
            Type: AWS::ApiGateway::Stage
            Properties:
              StageName: prod
              DeploymentId: !Ref MyDeployment
              RestApiId: !Ref MyRestApi
              AccessLogSetting:
                DestinationArn: !GetAtt MyLogGroup.Arn
                # Common Log Format style, folded onto one line per request.
                # $context.resourcePath is the REST API field; $context.routeKey
                # exists only for HTTP APIs
                Format: >-
                  $context.identity.sourceIp - - [$context.requestTime]
                  "$context.httpMethod $context.resourcePath $context.protocol"
                  $context.status $context.responseLength $context.requestId

This example addresses the weakness by enabling access logging on the stage through the AccessLogSetting property. An AWS::Logs::LogGroup resource stores the entries, its ARN is referenced as the DestinationArn, and RetentionInDays keeps them for a defined period rather than the default of never expiring. The Format uses $context variables for the source IP, request time, method, resource path, protocol, status, response size and request ID, so every request can be tied to a client and, through $context.requestId, to the matching execution log or backend entry. With the entries in CloudWatch Logs, metric filters and alarms can flag anomalies such as bursts of 4xx/5xx responses or requests from unexpected sources, and investigators can reconstruct what happened. Note that a REST API can only write to CloudWatch Logs once the account-level CloudWatch Logs role has been set (AWS::ApiGateway::Account with CloudWatchRoleArn); that account setting is outside this template, and without it API Gateway rejects the stage update with an error that the role ARN must be set.
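
The following Python script is an added example, not code from the original page: it is the kind of static check a pipeline can run over a CloudFormation template before deployment to catch the weakness above. It reports stages with no AccessLogSetting, settings with no DestinationArn, formats that lack the fields needed to trace a request, and the $context.routeKey variable that belongs to HTTP APIs rather than REST APIs. It also handles the stage that AWS::ApiGateway::Deployment creates on its own when it carries a StageName, which can only be configured through StageDescription, and flags the conflict when such a deployment shares a stage name with a Stage resource. The sample templates are constructed here as the dict form that json.load returns; CloudFormation accepts JSON and YAML interchangeably, so they are the page's YAML in JSON form. The function names, the REQUIRED_FIELDS list and the finding texts are this example's own choices, not part of any AWS tool.

```python
"""Added example: flag API Gateway REST API stages deployed without access logs.

Walks a parsed CloudFormation template (the dict json.load returns) and
reports every stage whose AccessLogSetting is missing, has no destination,
or uses a Format that cannot trace a request. Not from the original page.
"""
import json
from typing import Any, Dict, List, Optional

# $context variables an access log line needs to answer who made a request,
# when, what they asked for and what they got back (this example's own list).
REQUIRED_FIELDS = (
    "$context.requestId",
    "$context.identity.sourceIp",
    "$context.requestTime",
    "$context.httpMethod",
    "$context.status",
)
# Variables that exist for HTTP APIs (API Gateway v2) only, with the REST
# API field that carries the same information.
HTTP_API_ONLY = {"$context.routeKey": "$context.resourcePath"}


def check_setting(name: str, setting: Optional[Dict[str, Any]]) -> List[str]:
    """Findings for one AccessLogSetting block; an empty list means it is complete."""
    if not setting:
        return [f"{name}: no AccessLogSetting, access logs are not captured"]
    findings = []
    if not setting.get("DestinationArn"):
        findings.append(f"{name}: AccessLogSetting has no DestinationArn")
    fmt = setting.get("Format") or ""
    findings += [f"{name}: Format omits {f}" for f in REQUIRED_FIELDS if f not in fmt]
    findings += [f"{name}: {bad} is an HTTP API variable, use {good} for a REST API"
                 for bad, good in HTTP_API_ONLY.items() if bad in fmt]
    return findings


def stage_key(props: Dict[str, Any]) -> str:
    """Identify a stage by (RestApiId, StageName). RestApiId is usually an
    intrinsic such as {"Ref": ...}, so serialise it for a stable comparison."""
    return json.dumps([props.get("RestApiId"), props.get("StageName")], sort_keys=True)


def check_access_logging(template: Dict[str, Any]) -> List[str]:
    """Return one finding per traceability gap found in the template."""
    resources = template.get("Resources", {})
    findings: List[str] = []
    explicit: Dict[str, str] = {}  # stage key -> AWS::ApiGateway::Stage name
    for name, res in resources.items():
        if res.get("Type") == "AWS::ApiGateway::Stage":
            props = res.get("Properties", {})
            explicit[stage_key(props)] = name
            findings += check_setting(name, props.get("AccessLogSetting"))
    # A Deployment with StageName creates the stage itself; that stage can only
    # be configured through StageDescription. If a Stage resource of the same
    # name also exists, the stack fails because the stage already exists.
    for name, res in resources.items():
        if res.get("Type") != "AWS::ApiGateway::Deployment":
            continue
        props = res.get("Properties", {})
        if not props.get("StageName"):
            continue
        key = stage_key(props)
        if key in explicit:
            findings.append(f"{name}: StageName duplicates Stage resource "
                            f"{explicit[key]}, drop StageName from the deployment")
            continue
        desc = props.get("StageDescription") or {}
        findings += check_setting(f"{name} (stage {props['StageName']})",
                                  desc.get("AccessLogSetting"))
    return findings


# Constructed sample templates (JSON form of the page's YAML): the stage
# without logging, the corrected stage, and a deployment that creates its
# stage implicitly with no StageDescription.
API = {"Type": "AWS::ApiGateway::RestApi", "Properties": {"Name": "my-rest-api"}}
STAGE = {"Type": "AWS::ApiGateway::Stage",
         "Properties": {"StageName": "prod", "DeploymentId": {"Ref": "MyDeployment"},
                        "RestApiId": {"Ref": "MyRestApi"}}}
NONCOMPLIANT = {"Resources": {
    "MyRestApi": API,
    "MyDeployment": {"Type": "AWS::ApiGateway::Deployment",
                     "Properties": {"RestApiId": {"Ref": "MyRestApi"}}},
    "MyStage": STAGE}}
LOGGED_STAGE = json.loads(json.dumps(STAGE))  # independent copy of STAGE
LOGGED_STAGE["Properties"]["AccessLogSetting"] = {
    "DestinationArn": {"Fn::GetAtt": ["MyLogGroup", "Arn"]},
    "Format": ('$context.identity.sourceIp - - [$context.requestTime] '
               '"$context.httpMethod $context.resourcePath $context.protocol" '
               '$context.status $context.responseLength $context.requestId')}
COMPLIANT = {"Resources": {**NONCOMPLIANT["Resources"], "MyStage": LOGGED_STAGE}}
IMPLICIT = {"Resources": {
    "MyRestApi": API,
    "MyDeployment": {"Type": "AWS::ApiGateway::Deployment",
                     "Properties": {"RestApiId": {"Ref": "MyRestApi"},
                                    "StageName": "prod"}}}}

if __name__ == "__main__":
    for label, tpl in (("non-compliant", NONCOMPLIANT), ("compliant", COMPLIANT),
                       ("implicit stage", IMPLICIT)):
        print(label, check_access_logging(tpl) or "no findings")
```

The check deliberately treats a deployment-created stage as a first-class stage: templates that set StageName on AWS::ApiGateway::Deployment and never declare a Stage resource look complete to a reviewer who only greps for AWS::ApiGateway::Stage, yet ship without any access log. To run it on a real YAML template, load the file with a CloudFormation-aware YAML loader (one that understands the !Ref, !GetAtt and !Sub tags) and pass the resulting dict to check_access_logging.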

References