AWS Security Hub · APIGateway
APIGateway.1: REST/WebSocket API execution logging
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub APIGateway.1 check?
APIGateway.1 fails when a REST (v1) or WebSocket (v2) API stage has CloudWatch execution logging turned off. The control wants logging set to at least ERROR, ideally INFO.
Why does APIGateway.1 matter?
Execution logs are the record of what happened inside the gateway — which requests reached the backend, which were rejected, and why. With logging off, an incident or an intermittent failure becomes a guessing game you can only solve by reproducing it live. A team once burned eleven hours chasing 502s on an API whose logging had shipped OFF eighteen months earlier.
How do I fix APIGateway.1?
- Create the account-level IAM role API Gateway uses to write to CloudWatch Logs, if it isn't already set.
- Find non-compliant stages and set the log level to ERROR or INFO via update-stage.
- Add log-group retention and consider INFO only where the extra volume is worth the cost.
Remediation script · bash
# Verify the prerequisite first: API Gateway's account-level CloudWatch role.
# Without it, the logging setting saves but no logs ever flow.
# Prints the role ARN, or "None" when no role is configured yet.
aws apigateway get-account --query 'cloudwatchRoleArn' --output text

# Enable ERROR-level execution logging on every stage of a REST API, then cap
# retention on that stage's log group so storage stays bounded (do this every
# time you enable logging). The group is named after the API id and stage and is
# created on the first logged request, so re-run the retention call if it is not
# there yet.
REST_API=a1b2c3d4e5
for STAGE in $(aws apigateway get-stages --rest-api-id "$REST_API" \
    --query 'item[].stageName' --output text); do
  aws apigateway update-stage --rest-api-id "$REST_API" --stage-name "$STAGE" \
    --patch-operations op=replace,path=/*/*/logging/loglevel,value=ERROR
  aws logs put-retention-policy \
    --log-group-name "API-Gateway-Execution-Logs_${REST_API}/${STAGE}" \
    --retention-in-days 90
done

# Example for a managed database: publish engine logs to CloudWatch (no per-event charge).
aws rds modify-db-instance --db-instance-identifier prod-db \
  --cloudwatch-logs-export-configuration 'EnableLogTypes=["error","audit"]' --apply-immediately

Full walkthrough (console steps, edge cases and verification) in the lesson Enable application and API logging.
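The script above sets every REST stage blindly; the audit step ("find non-compliant stages") is shown here as an added Python example, not part of this page or of Security Hub. It evaluates the APIGateway.1 condition on constructed REST (v1) and WebSocket (v2) stage descriptions shaped like the get-stage CLI output and emits the update-stage call for each failing stage; treating a per-method or per-route override of OFF as a failure is this example's own stricter assumption, and the WebSocket API id is a placeholder.

```python
COMPLIANT_LEVELS = {"ERROR", "INFO"}

# Constructed sample stage descriptions (not from a real account), shaped like the
# output of `aws apigateway get-stage` (REST, v1) and `aws apigatewayv2 get-stage` (v2).
REST_STAGES = {
    "prod": {"stageName": "prod", "methodSettings": {"*/*": {"loggingLevel": "ERROR"}}},
    "dev": {"stageName": "dev", "methodSettings": {}},  # never configured: defaults to OFF
    "beta": {"stageName": "beta", "methodSettings": {
        "*/*": {"loggingLevel": "INFO"},
        "~1health/GET": {"loggingLevel": "OFF"}}},  # per-method override switches logs off
}
WS_STAGES = {
    "prod": {"StageName": "prod", "DefaultRouteSettings": {"LoggingLevel": "INFO"}},
    "dev": {"StageName": "dev", "DefaultRouteSettings": {}},  # unset: OFF
}

def rest_stage_compliant(stage):
    """REST stage passes when the stage-wide '*/*' loggingLevel is ERROR or INFO and
    no method-level override drops it back to OFF (override check is an assumption)."""
    settings = stage.get("methodSettings", {})
    default = settings.get("*/*", {}).get("loggingLevel", "OFF")
    if default not in COMPLIANT_LEVELS:
        return False
    return all(s.get("loggingLevel", default) in COMPLIANT_LEVELS for s in settings.values())

def ws_stage_compliant(stage):
    """WebSocket stage passes when DefaultRouteSettings.LoggingLevel is ERROR or INFO and
    no per-route override in RouteSettings is OFF."""
    default = stage.get("DefaultRouteSettings", {}).get("LoggingLevel", "OFF")
    if default not in COMPLIANT_LEVELS:
        return False
    routes = stage.get("RouteSettings", {}).values()
    return all(r.get("LoggingLevel", default) in COMPLIANT_LEVELS for r in routes)

def remediation_commands(rest_api_id, rest_stages, ws_api_id, ws_stages, level="ERROR"):
    """Return the CLI calls that bring every non-compliant stage up to `level`."""
    cmds = []
    for name, stage in rest_stages.items():
        if not rest_stage_compliant(stage):
            cmds.append(f"aws apigateway update-stage --rest-api-id {rest_api_id} "
                        f"--stage-name {name} --patch-operations "
                        f"op=replace,path=/*/*/logging/loglevel,value={level}")
    for name, stage in ws_stages.items():
        if not ws_stage_compliant(stage):
            cmds.append(f"aws apigatewayv2 update-stage --api-id {ws_api_id} "
                        f"--stage-name {name} --default-route-settings LoggingLevel={level}")
    return cmds

if __name__ == "__main__":
    for cmd in remediation_commands("a1b2c3d4e5", REST_STAGES, "ws0placeholder", WS_STAGES):
        print(cmd)
```

Feed the functions real get-stage output (for example via boto3 or `aws ... --output json`) and review the printed commands before running them.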
More APIGateway controls
- APIGateway.2 REST stages should use SSL certs for backend auth
- APIGateway.4 API Gateway should be associated with a WAF web ACL
- APIGateway.5 REST API cache data should be encrypted at rest
- APIGateway.8 Routes should specify an authorization type
- APIGateway.9 V2 stages should have access logging
- APIGateway.10 V2 integrations should use HTTPS for private connections
- APIGateway.11 Domain names should use recommended security policies