# Logging and monitoring in Amazon API Gateway

Monitoring is an important part of maintaining the reliability, availability, and performance of API Gateway and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution so that you can more easily debug a multi-point failure if one occurs. AWS provides several tools for monitoring your API Gateway resources and responding to potential incidents:

**Amazon CloudWatch Logs**  
To help debug issues related to request execution or client access to your API, you can enable CloudWatch Logs to log API calls. For more information, see [Set up CloudWatch logging for REST APIs in API Gateway](set-up-logging.md).

**Amazon CloudWatch Alarms**  
Using CloudWatch alarms, you watch a single metric over a time period that you specify. If the metric exceeds a given threshold, a notification is sent to an Amazon Simple Notification Service topic or AWS Auto Scaling policy. CloudWatch alarms do not invoke actions simply because a metric is in a particular state. Rather, the state must have changed and then been maintained for a specified number of evaluation periods before the alarm acts. For more information, see [Monitor REST API execution with Amazon CloudWatch metrics](monitoring-cloudwatch.md).

**Access Logging to Firehose**  
To help debug issues related to client access to your API, you can enable Firehose to log API calls. For more information, see [Log REST API calls to Amazon Data Firehose in API Gateway](apigateway-logging-to-kinesis.md).

**AWS CloudTrail**  
CloudTrail provides a record of actions taken by a user, role, or an AWS service in API Gateway. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see [Logging Amazon API Gateway API calls using AWS CloudTrail](cloudtrail.md). 

**AWS X-Ray**  
X-Ray is an AWS service that gathers data about the requests that your application serves, and uses it to construct a service map that you can use to identify issues with your application and opportunities for optimization. For more information, see [Set up AWS X-Ray with API Gateway REST APIs](apigateway-enabling-xray.md). 

**AWS Config**  
AWS Config provides a detailed view of the configuration of AWS resources in your account. You can see how resources are related, get a history of configuration changes, and see how relationships and configurations change over time. You can use AWS Config to define rules that evaluate resource configurations for data compliance. AWS Config rules represent the ideal configuration settings for your API Gateway resources. If a resource violates a rule and is flagged as noncompliant, AWS Config can alert you using an Amazon Simple Notification Service (Amazon SNS) topic. For details, see [Monitoring API Gateway API configuration with AWS Config](apigateway-config.md). 

# Logging Amazon API Gateway API calls using AWS CloudTrail

Amazon API Gateway is integrated with [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html), a service that provides a record of actions taken by a user, role, or an AWS service. CloudTrail captures all REST API calls for API Gateway service as events. The calls captured include calls from the API Gateway console and code calls to the API Gateway service APIs. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, when it was made, and additional details.

**Note**  
[TestInvokeAuthorizer](https://docs.aws.amazon.com/cli/latest/reference/apigateway/test-invoke-authorizer.html) and [TestInvokeMethod](https://docs.aws.amazon.com/cli/latest/reference/apigateway/test-invoke-method.html) are not logged in CloudTrail.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root user or user credentials.
+ Whether the request was made on behalf of an IAM Identity Center user.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

CloudTrail is active in your AWS account when you create the account and you automatically have access to the CloudTrail **Event history**. The CloudTrail **Event history** provides a viewable, searchable, downloadable, and immutable record of the past 90 days of recorded management events in an AWS Region. For more information, see [Working with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) in the *AWS CloudTrail User Guide*. There are no CloudTrail charges for viewing the **Event history**.

For an ongoing record of events in your AWS account past 90 days, create a trail or a [CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html) event data store.

**CloudTrail trails**  
A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. All trails created using the AWS Management Console are multi-Region. You can create a single-Region or a multi-Region trail by using the AWS CLI. Creating a multi-Region trail is recommended because you capture activity in all AWS Regions in your account. If you create a single-Region trail, you can view only the events logged in the trail's AWS Region. For more information about trails, see [Creating a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) and [Creating a trail for an organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html) in the *AWS CloudTrail User Guide*.  
You can deliver one copy of your ongoing management events to your Amazon S3 bucket at no charge from CloudTrail by creating a trail, however, there are Amazon S3 storage charges. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/). For information about Amazon S3 pricing, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/).

**CloudTrail Lake event data stores**  
*CloudTrail Lake* lets you run SQL-based queries on your events. CloudTrail Lake converts existing events in row-based JSON format to [Apache ORC](https://orc.apache.org/) format. ORC is a columnar storage format that is optimized for fast retrieval of data. Events are aggregated into *event data stores*, which are immutable collections of events based on criteria that you select by applying [advanced event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-concepts.html#adv-event-selectors). The selectors that you apply to an event data store control which events persist and are available for you to query. For more information about CloudTrail Lake, see [Working with AWS CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html) in the *AWS CloudTrail User Guide*.  
CloudTrail Lake event data stores and queries incur costs. When you create an event data store, you choose the [pricing option](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html#cloudtrail-lake-manage-costs-pricing-option) you want to use for the event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).

## API Gateway management events in CloudTrail


[Management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html#logging-management-events) provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations. By default, CloudTrail logs management events.

Amazon API Gateway logs all API Gateway actions as management events, except for [TestInvokeAuthorizer](https://docs.aws.amazon.com/cli/latest/reference/apigateway/test-invoke-authorizer.html) and [TestInvokeMethod](https://docs.aws.amazon.com/cli/latest/reference/apigateway/test-invoke-method.html). For a list of the Amazon API Gateway actions that API Gateway logs to CloudTrail, see the [Amazon API Gateway API Reference](https://docs.aws.amazon.com/apigateway/latest/api/API_Operations.html).

## API Gateway event example


An event represents a single request from any source and includes information about the requested API operation, the date and time of the operation, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so events don't appear in any specific order.

The following example shows a CloudTrail event that demonstrates the API Gateway `GetResource` action:

```json
{
    "Records": [
        {
            "eventVersion": "1.03",
            "userIdentity": {
                "type": "Root",
                "principalId": "AKIAI44QH8DHBEXAMPLE",
                "arn": "arn:aws:iam::123456789012:root",
                "accountId": "123456789012",
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "sessionContext": {
                    "attributes": {
                        "mfaAuthenticated": "false",
                        "creationDate": "2015-06-16T23:37:58Z"
                    }
                }
            },
            "eventTime": "2015-06-17T00:47:28Z",
            "eventSource": "apigateway.amazonaws.com",
            "eventName": "GetResource",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.11",
            "userAgent": "example-user-agent-string",
            "requestParameters": {
                "restApiId": "3rbEXAMPLE",
                "resourceId": "5tfEXAMPLE",
                "template": false
            },
            "responseElements": null,
            "requestID": "6d9c4bfc-148a-11e5-81b6-7577cEXAMPLE",
            "eventID": "4d293154-a15b-4c33-9e0a-ff5eeEXAMPLE",
            "readOnly": true,
            "eventType": "AwsApiCall",
            "recipientAccountId": "123456789012"
        },
        ... additional entries ...
    ]
}
```

For information about CloudTrail record contents, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html) in the *AWS CloudTrail User Guide*.
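Once a trail is delivering log files to Amazon S3, the practical question is which of the recorded API Gateway events deserve a second look. The script below is an added example, not part of the AWS documentation or any AWS library: it reads the `Records` array of a CloudTrail log file body (assumed already downloaded and decompressed from the trail's bucket), keeps only events whose `eventSource` is `apigateway.amazonaws.com`, and flags the ones a reviewer would triage first: write operations (`readOnly` false), calls made with root credentials, and calls made without MFA. The three records are constructed for this example; the first mirrors the shape of the `GetResource` event above, the second is a hypothetical `UpdateStage` call from an assumed role, and the third is a non-API Gateway event that must be ignored.

```python
"""Triage API Gateway management events in a CloudTrail log file (added example)."""
import json

API_GATEWAY_SOURCE = "apigateway.amazonaws.com"

# Constructed sample log file body, in the shape CloudTrail delivers to S3
# (a JSON object with a "Records" array). Identifiers are placeholders.
SAMPLE_LOG = json.dumps({
    "Records": [
        {
            "eventVersion": "1.03",
            "userIdentity": {
                "type": "Root",
                "principalId": "AKIAI44QH8DHBEXAMPLE",
                "arn": "arn:aws:iam::123456789012:root",
                "accountId": "123456789012",
                "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
            },
            "eventTime": "2015-06-17T00:47:28Z",
            "eventSource": API_GATEWAY_SOURCE,
            "eventName": "GetResource",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.11",
            "requestParameters": {"restApiId": "3rbEXAMPLE", "resourceId": "5tfEXAMPLE"},
            "readOnly": True,
        },
        {
            "eventVersion": "1.03",
            "userIdentity": {
                "type": "AssumedRole",
                "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci",
                "accountId": "123456789012",
                "sessionContext": {"attributes": {"mfaAuthenticated": "true"}},
            },
            "eventTime": "2015-06-17T01:02:11Z",
            "eventSource": API_GATEWAY_SOURCE,
            "eventName": "UpdateStage",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "requestParameters": {"restApiId": "3rbEXAMPLE", "stageName": "prod"},
            "readOnly": False,
        },
        {
            "eventVersion": "1.03",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
            "eventTime": "2015-06-17T01:05:00Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "ListBuckets",
            "readOnly": True,
        },
    ]
})


def api_gateway_events(log_text: str) -> list:
    """Return only the API Gateway events from a CloudTrail log file body."""
    records = json.loads(log_text).get("Records", [])
    return [r for r in records if r.get("eventSource") == API_GATEWAY_SOURCE]


def triage(event: dict) -> list:
    """Return the review flags that apply to one API Gateway event."""
    identity = event.get("userIdentity", {})
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    flags = []
    # If readOnly is missing, treat the call as a write so it is not silently dropped.
    if not event.get("readOnly", False):
        flags.append("write-operation")
    if identity.get("type") == "Root":
        flags.append("root-credentials")
    # CloudTrail records mfaAuthenticated as the strings "true"/"false".
    if attrs.get("mfaAuthenticated", "false") != "true":
        flags.append("no-mfa")
    return flags


def summarize(log_text: str) -> list:
    """One (eventName, identity ARN, source IP, flags) row per API Gateway event."""
    rows = []
    for ev in api_gateway_events(log_text):
        rows.append((
            ev.get("eventName"),
            ev.get("userIdentity", {}).get("arn"),
            ev.get("sourceIPAddress"),
            triage(ev),
        ))
    return rows


if __name__ == "__main__":
    for name, arn, ip, flags in summarize(SAMPLE_LOG):
        print(f"{name:<12} {ip or '-':<15} {arn}  {' '.join(flags) or 'ok'}")
```

Run against a real log file by replacing `SAMPLE_LOG` with the file's contents; the same `Records` structure applies to every CloudTrail log file, and the filter on `eventSource` is what separates API Gateway control-plane activity from the rest of the account's events.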

# Monitoring API Gateway API configuration with AWS Config

You can use [AWS Config](https://aws.amazon.com/config/) to record configuration changes made to your API Gateway API resources and send notifications based on resource changes. Maintaining a configuration change history for API Gateway resources is useful for operational troubleshooting, audit, and compliance use cases.

AWS Config can track changes to:
+ **API stage configuration**, such as:
  + cache cluster settings
  + throttle settings
  + access log settings
  + the active deployment set on the stage
+ **API configuration**, such as:
  + endpoint configuration
  + version
  + protocol
  + tags

In addition, the AWS Config Rules feature enables you to define configuration rules and automatically detect, track, and alert violations to these rules. By tracking changes to these resource configuration properties, you can also author change-triggered AWS Config rules for your API Gateway resources, and test your resource configurations against best practices.

You can enable AWS Config in your account by using the AWS Config console or the AWS CLI. Select the resource types for which you want to track changes. If you previously configured AWS Config to record all resource types, then these API Gateway resources will be automatically recorded in your account. Support for Amazon API Gateway in AWS Config is available in all AWS public Regions and AWS GovCloud (US). For the full list of supported Regions, see [Amazon API Gateway Endpoints and Quotas](https://docs.aws.amazon.com/general/latest/gr/apigateway.html) in the *AWS General Reference*.

**Topics**
+ [Supported resource types](#apigateway-config-resources-rules)
+ [Setting up AWS Config](#apigateway-config-setup)
+ [Configuring AWS Config to record API Gateway resources](#apigateway-config-configuring)
+ [Viewing API Gateway configuration details in the AWS Config console](#apigateway-config-console)
+ [Evaluating API Gateway resources using AWS Config rules](#apigateway-config-rules)

## Supported resource types


The following API Gateway resource types are integrated with AWS Config and are documented in [AWS Config Supported AWS Resource Types and Resource Relationships](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html):
+ `AWS::ApiGatewayV2::Api` (WebSocket and HTTP API)
+ `AWS::ApiGateway::RestApi` (REST API)
+ `AWS::ApiGatewayV2::Stage` (WebSocket and HTTP API stage)
+ `AWS::ApiGateway::Stage` (REST API stage)

For more information about AWS Config, see the [AWS Config Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/). For pricing information, see the [AWS Config pricing information page](https://aws.amazon.com/config/pricing/).

**Important**  
If you change any of the following API properties after the API is deployed, you *must* [redeploy](how-to-deploy-api.md) the API to propagate the changes. Otherwise, you'll see the attribute changes in the AWS Config console, but the previous property settings will still be in effect; the API's runtime behavior will be unchanged.  
+ **`AWS::ApiGateway::RestApi`** – `binaryMediaTypes`, `minimumCompressionSize`, `apiKeySource`
+ **`AWS::ApiGatewayV2::Api`** – `apiKeySelectionExpression`

## Setting up AWS Config


To initially set up AWS Config, see the following topics in the [AWS Config Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/).
+ [Setting Up AWS Config with the Console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html)
+ [Setting Up AWS Config with the AWS CLI](https://docs.aws.amazon.com/config/latest/developerguide/gs-cli.html)

## Configuring AWS Config to record API Gateway resources


By default, AWS Config records configuration changes for all supported types of regional resources that it discovers in the region in which your environment is running. You can customize AWS Config to record changes only for specific resource types, or changes to global resources.

To learn about regional vs. global resources and learn how to customize your AWS Config configuration, see [Selecting which Resources AWS Config Records](https://docs.aws.amazon.com/config/latest/developerguide/select-resources.html).

## Viewing API Gateway configuration details in the AWS Config console


You can use the AWS Config console to look for API Gateway resources and get current and historical details about their configurations. The following procedure shows how to find information about an API Gateway API.

**To find an API Gateway resource in the AWS Config console**

1. Open the [AWS Config console](https://console.aws.amazon.com/config).

1. Choose **Resources**.

1. On the **Resource** inventory page, choose **Resources**.

1. Open the **Resource type** menu, scroll to APIGateway or APIGatewayV2, and then choose one or more of the API Gateway resource types.

1. Choose **Look up**.

1. Choose a resource ID in the list of resources that AWS Config displays. AWS Config displays configuration details and other information about the resource you selected.

1. To see the full details of the recorded configuration, choose **View Details**.

To learn more ways to find a resource and view information on this page, see [Viewing AWS Resource Configurations and History](https://docs.aws.amazon.com/config/latest/developerguide/view-manage-resource.html) in the AWS Config Developer Guide.

## Evaluating API Gateway resources using AWS Config rules


You can create AWS Config rules, which represent the ideal configuration settings for your API Gateway resources. You can use predefined [AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html), or define custom rules. AWS Config continuously tracks changes to the configuration of your resources to determine whether those changes violate any of the conditions in your rules. The AWS Config console shows the compliance status of your rules and resources.

If a resource violates a rule and is flagged as noncompliant, AWS Config can alert you using an Amazon Simple Notification Service (Amazon SNS) topic; see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/). To programmatically consume the data in these AWS Config alerts, use an Amazon Simple Queue Service (Amazon SQS) queue as the notification endpoint for the Amazon SNS topic.

To learn more about setting up and using rules, see [Evaluating Resources with Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the [AWS Config Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/). 
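The stage properties that AWS Config tracks (access log settings, throttle settings, the active deployment) are exactly the ones a change-triggered custom rule can check. The following Lambda function is an added example, not AWS's own code or a managed rule: it evaluates an `AWS::ApiGateway::Stage` configuration item and reports the stage as `NON_COMPLIANT` when no access log destination is configured or when the stage-wide (`*/*`) method settings carry no throttling limits. The evaluation is kept in a pure function so it can be tested offline; `lambda_handler` wires it to AWS Config's `PutEvaluations` API. The field names under `configuration` (`accessLogSettings`, `methodSettings`, `deploymentId`, `cacheClusterEnabled`) are assumed to mirror the API Gateway Stage resource as AWS Config records it, and both configuration items below are constructed with placeholder identifiers.

```python
"""Custom AWS Config rule for API Gateway REST API stages (added example, not AWS code)."""
import json

STAGE_TYPE = "AWS::ApiGateway::Stage"

# Constructed configuration items in the shape AWS Config hands to a custom rule.
# Field names under "configuration" are assumed to mirror the API Gateway Stage resource.
GOOD_STAGE = {
    "resourceType": STAGE_TYPE,
    "resourceId": "3rbEXAMPLE/prod",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {
        "stageName": "prod",
        "deploymentId": "dep0EXAMPLE",
        "cacheClusterEnabled": False,
        "accessLogSettings": {
            "destinationArn": "arn:aws:logs:us-east-1:123456789012:log-group:apigw-prod-access",
            "format": "$context.requestId $context.identity.sourceIp $context.status",
        },
        "methodSettings": {"*/*": {"throttlingRateLimit": 500.0, "throttlingBurstLimit": 100}},
    },
}
BAD_STAGE = {
    "resourceType": STAGE_TYPE,
    "resourceId": "3rbEXAMPLE/test",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:05:00.000Z",
    "configuration": {
        "stageName": "test",
        "deploymentId": "dep1EXAMPLE",
        "cacheClusterEnabled": False,
        "accessLogSettings": None,   # logging never turned on
        "methodSettings": {},        # no stage-wide throttling override
    },
}


def evaluate_stage(item: dict) -> tuple:
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "Stage was deleted"
    if item.get("resourceType") != STAGE_TYPE:
        return "NOT_APPLICABLE", "Rule only evaluates REST API stages"

    conf = item.get("configuration") or {}
    problems = []

    # Access log settings: the stage must ship access logs to a destination.
    if not (conf.get("accessLogSettings") or {}).get("destinationArn"):
        problems.append("access logging is not configured")

    # Throttle settings: the */* method settings must cap rate and burst.
    defaults = (conf.get("methodSettings") or {}).get("*/*") or {}
    if defaults.get("throttlingRateLimit") is None or defaults.get("throttlingBurstLimit") is None:
        problems.append("no stage-wide throttling limits")

    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "Access logging and throttling are configured"


def build_evaluation(item: dict) -> dict:
    """Shape one result the way the PutEvaluations API expects it."""
    compliance, annotation = evaluate_stage(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],   # AWS Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point invoked by AWS Config; invokingEvent arrives as a JSON string."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:   # oversized-change notifications carry only a summary; skip them
        return None
    evaluation = build_evaluation(item)
    import boto3   # deferred so evaluate_stage() can be exercised without the SDK installed
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


if __name__ == "__main__":
    for stage in (GOOD_STAGE, BAD_STAGE):
        print(stage["resourceId"], *evaluate_stage(stage))
```

Attach the function to a custom rule with a change trigger scoped to `AWS::ApiGateway::Stage`, and the rule re-evaluates a stage every time AWS Config records one of the tracked property changes listed above; the `ResourceDeleted` branch keeps a removed stage from lingering as noncompliant.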