Secure logging in API Gateway for AWS service APIs
When execution logs are activated for an API Gateway stage, API Gateway redacts authorization header values, API key values, and similar sensitive request parameters. If you turn on Full request and response logs, API Gateway logs full request and response execution logs. Do not expose customer data or sensitive information in logs. We recommend that you do not use Full request and response logs for production APIs.
You turn on Full request and response logs by setting dataTraceEnabled to True. If you want to activate the full request and response logs, consult a security engineer before doing so. Otherwise, activate access logging and annotate only non-sensitive parameters. To set up access logs, see Setting up CloudWatch logging for a REST API in API Gateway.
We recommend the following best practices for secure logging in API Gateway for AWS service APIs:
- Turn off execution logging in API Gateway.
- Turn on access logging in API Gateway.
- If you are using AWS CloudFormation, set the dataTraceEnabled parameter to True.
- Inspect your CloudWatch Logs for the API Gateway endpoint and verify that full request and response objects are not logged.
- If you must turn on execution logging, use INFO level logs to maintain auditing capability by capturing the required information in the logs.
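The following script audits a CloudFormation template for the stage settings listed above (DataTraceEnabled, execution LoggingLevel, and the presence of an AccessLogSetting). It is an added example, not code from AWS or from this guidance; the template, the stage names, and the log-group ARN are constructed.

```python
"""Audit API Gateway stage logging settings in a CloudFormation template."""

# Constructed sample template: "DevStage" logs full request/response bodies,
# "ProdStage" has execution logging off and access logging on.
TEMPLATE = {"Resources": {
    "DevStage": {"Type": "AWS::ApiGateway::Stage", "Properties": {
        "StageName": "dev",
        "MethodSettings": [{"ResourcePath": "/*", "HttpMethod": "*",
                            "DataTraceEnabled": True, "LoggingLevel": "INFO"}]}},
    "ProdStage": {"Type": "AWS::ApiGateway::Stage", "Properties": {
        "StageName": "prod",
        "MethodSettings": [{"ResourcePath": "/*", "HttpMethod": "*",
                            "DataTraceEnabled": False, "LoggingLevel": "OFF"}],
        "AccessLogSetting": {
            "DestinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:apigw-access",
            "Format": "$context.requestId $context.httpMethod $context.status"}}},
}}


def audit_stage(name, props):
    """Return findings for one stage's Properties (or a Deployment's StageDescription)."""
    findings = []
    for ms in props.get("MethodSettings", []):
        where = f"{name} {ms.get('HttpMethod', '*')} {ms.get('ResourcePath', '/*')}"
        # Booleans may arrive as True/False or as the strings "true"/"false".
        if str(ms.get("DataTraceEnabled", False)).lower() == "true":
            findings.append(f"{where}: DataTraceEnabled is true; full request and "
                            "response bodies will be written to CloudWatch Logs")
        level = ms.get("LoggingLevel", "OFF")
        if level != "OFF":
            findings.append(f"{where}: execution logging is {level}; turn it off "
                            "unless it is required for auditing")
    if "AccessLogSetting" not in props:
        findings.append(f"{name}: no AccessLogSetting; access logging is not enabled")
    return findings


def audit_template(template):
    """Walk every API Gateway stage definition in the template and collect findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::ApiGateway::Stage":
            findings.extend(audit_stage(name, props))
        elif res.get("Type") == "AWS::ApiGateway::Deployment" and "StageDescription" in props:
            findings.extend(audit_stage(name, props["StageDescription"]))
    return findings


if __name__ == "__main__":
    for finding in audit_template(TEMPLATE):
        print(finding)
```

For a real template, load it with json.load (or a YAML loader) and pass the resulting dictionary to audit_template.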
This solution deploys an Amazon API Gateway REST API and uses the default API endpoint and SSL certificate. The default API endpoint only supports TLSv1. To use a later version of TLS, use your own domain name and custom SSL certificate. For more information, see Choosing a security policy for your custom domain in API Gateway in the Amazon API Gateway Developer Guide.