Findings

API Gateway access logging is not configured for FireTail

Updated: June 19, 2025

findings cloud based findings api finding

Description

Severity: Low

FireTail log capture is not configured for the API Gateway

Without FireTail access logging enabled, API request and response data is not being sent to FireTail for monitoring, analysis, or alerting. This lack of integration prevents visibility into API traffic, which may affect your ability to:

  • Detect and Respond to Security Threats: Without access logs in FireTail, malicious activity, unauthorized access attempts, or abnormal patterns in API usage may go unnoticed.
  • Monitor API Performance: Key performance metrics such as response times, error rates, and request patterns are not logged into FireTail, making it difficult to analyze and optimize API performance.
  • Troubleshoot Issues: Without logs in FireTail, diagnosing API failures or performance degradation becomes challenging, delaying incident response times.

Remediation

Follow the instructions for setting up shipping logs from API Gateway to the FireTail platform.

Security Frameworks

NIST 800-53.r5

NIST-AC-4(26): Information Flow Enforcement | Audit Filtering Actions

When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.

NIST-AU-2: Event Logging

  1. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];
  2. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
  3. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
  4. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
  5. Review and update the event types selected for logging [Assignment: organization-defined frequency].

NIST-AU-3: Content of Audit Records

Ensure that audit records contain information that establishes the following:

  1. What type of event occurred;
  2. When the event occurred;
  3. Where the event occurred;
  4. Source of the event;
  5. Outcome of the event; and
  6. Identity of any individuals, subjects, or objects/entities associated with the event.

NIST-AU-6(3): Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories

Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

NIST-AU-6(4): Audit Record Review, Analysis, and Reporting | Central Review and Analysis

Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.

NIST-AU-10: Non-repudiation

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].

NIST-AU-12: Audit Record Generation

  1. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];
  2. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and
  3. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

NIST-CA-7: Continuous Monitoring

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

  1. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
  2. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
  3. Ongoing control assessments in accordance with the continuous monitoring strategy;
  4. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
  5. Correlation and analysis of information generated by control assessments and monitoring;
  6. Response actions to address results of the analysis of control assessment and monitoring information; and
  7. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

NIST-SC-7(9): Boundary Protection | Restrict Threatening Outgoing Communications Traffic

(a) Detect and deny outgoing communications traffic posing a threat to external systems; and
(b) Audit the identity of internal users associated with denied communications.

NIST-SI-7(8): Software, Firmware, and Information Integrity | Auditing Capability for Significant Events

Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [Selection (one or more): generate an audit record; alert current user; alert [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].

Need help?

Contact FireTail support

Previous (Findings - Cloud based findings)
Access logging should be configured for API Gateway V2 Stages
Next (Findings - Cloud based findings)
API Gateway REST and WebSocket API execution logging should be enabled