The API Gateway must generate audit records of what type of events occurred.

STIG ID: SRG-APP-000095-API-001735  |  SRG: SRG-APP-000095 |  Severity: medium |  CCI: CCI-000130 |  Vulnerability Id: V-274522

Vulnerability Discussion

By recording the details of each event, the gateway can track and log specific actions such as authentication attempts, authorization checks, request routing, rate limiting, and error handling. These records provide valuable insights into the API's behavior, helping to detect unauthorized access, security breaches, or misuse of system resources.

Check

If an API Gateway is not in use, this is Not Applicable.

Verify the API Gateway generates audit records of what type of events occurred.

1. Inspect the API Gateway's configuration settings and verify logging is enabled and audit records are being generated for key events such as authentication, authorization, data access, and errors.

2. Make a valid API request and verify successful events are logged.

3. Simulate system errors by causing the API to fail under specific conditions (e.g., database unavailability, timeout errors, internal exceptions).

4. Check the audit or access logs in the API Gateway or logging platform (e.g., AWS CloudWatch, Splunk, ELK stack). Verify the logs contain entries for the triggered events.

5. Inspect the log entries for the following:
- Event Type: The event’s description or category (e.g., authentication attempt, data access, system error).

If the API Gateway does not generate audit records for the type of event, this is a finding.

Fix

Build or configure the API Gateway to audit what type of events occurred.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.