How can I troubleshoot missing CloudWatch logs for API Gateway REST APIs?

Last updated: 2022-08-30

I have activated Amazon CloudWatch logging for Amazon API Gateway, but I couldn't find any logs. How do I get the CloudWatch logs for troubleshooting API Gateway REST APIs?

Short description

You can use CloudWatch logging to help debug issues related to request execution or client access to your API. CloudWatch logging includes execution logging and access logging.

For execution logging, API Gateway manages the CloudWatch logs including creating log groups and log streams. For access logging, you can create your own log groups or choose existing log groups.

Not all client-side errors rejected by API Gateway are logged into execution logs. For example, a client making an API request to an incorrect resource path of your REST API receives a 403 "Missing Authentication Token" response. This type of response isn't logged into execution logs. Use CloudWatch access logging to troubleshoot client-side errors.

For more information, see CloudWatch log formats for API Gateway.

API Gateway might not generate logs for:

  • 413 Request Entity Too Large errors.
  • Excessive 429 Too Many Requests errors.
  • 400 series errors from requests sent to a custom domain that has no API mapping.
  • 500 series errors caused by internal failures.

For more information, see Monitoring REST APIs.

Resolution

Verify API Gateway permissions for CloudWatch logging

To activate CloudWatch Logs, you must grant API Gateway permission to read and write logs to CloudWatch for your account. The AmazonAPIGatewayPushToCloudWatchLogs managed policy has the required permissions.

Create an AWS Identity and Access Management (IAM) role with apigateway.amazonaws.com as its trusted entity. Then, attach the following policy to the IAM role, and set the IAM role ARN on the cloudWatchRoleArn property for your AWS Account:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

Make sure that:

  • AWS Security Token Service (AWS STS) is activated for your AWS Region. For more information, see Managing AWS STS in an AWS Region.
  • The IAM role is activated for all AWS Regions where you want to activate CloudWatch logs.

For more information, see Permissions for CloudWatch logging.

Verify API Gateway logging settings

Verify that the CloudWatch execution or access logging settings are activated for API Gateway.

Note: You can activate execution logging and access logging independent of each other.

1.    Open the API Gateway console.

2.    In the navigation pane, choose APIs.

3.    Choose your API, and then choose Stages.

4.    In Stages, choose your stage, and then choose the Logs/Tracing tab.

5.    In CloudWatch Settings, verify the following:

  • Enable CloudWatch Logs is selected.
  • Log level is set to INFO.
    Note: If Log level is set to ERROR, only requests for errors in API Gateway are logged. Successful API requests aren't logged.
  • Log full requests/responses data and Enable Detailed CloudWatch Metrics are selected for additional log data.
    Note: It's a best practice not to enable Log full requests/responses data for production APIs, because this can result in logging sensitive data.

6.    In Custom Access Logging, verify that Enable Access Logging is selected.

Verify logging method and override if necessary

By default, all API resources use the same configurations as their stage. This setting can be overridden to have different configurations for each method if you don't want to inherit from the stage.

1.    Open the API Gateway console.

2.    In the navigation pane, choose APIs.

3.    Choose your API, and then choose Stages.

4.    In Stages, expand your stage name, and then choose your HTTP method. For example, GET.

5.    In Settings, choose Override for this method.

6.    In CloudWatch settings, make any additional log changes for your use case if needed, and then choose Save Changes.

For more information, see Setting up CloudWatch logging for a REST API in API Gateway.
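
The three checks above (account role, stage settings, method overrides) can also be run against the API's own settings instead of the console. The following is an added example, not AWS-provided code: it audits dicts shaped like the boto3 apigateway get_account and get_stage responses. The account ID, role name, stage name, and method key are constructed sample values.

```python
def check_method(key, s):
    """Findings for one methodSettings entry ('*/*' is the stage default)."""
    out = []
    level = s.get("loggingLevel", "OFF")
    if level == "OFF":
        out.append(f"{key}: execution logging is off")
    elif level == "ERROR":
        out.append(f"{key}: log level is ERROR; successful requests are not logged")
    if s.get("dataTraceEnabled"):
        out.append(f"{key}: full request/response data is logged; may capture sensitive data")
    return out


def audit_logging(account, stage):
    """Return reasons why CloudWatch logs may be missing (or too verbose)."""
    findings = []
    # boto3 get_account() reports the role under the key 'cloudwatchRoleArn'.
    if not account.get("cloudwatchRoleArn"):
        findings.append("account: no CloudWatch role ARN set; API Gateway cannot write logs")
    settings = dict(stage.get("methodSettings", {}))
    settings.setdefault("*/*", {})  # no stage-level entry: logging was never turned on
    for key in sorted(settings):    # '*/*' first, then per-method overrides
        findings += check_method(key, settings[key])
    if not stage.get("accessLogSettings", {}).get("destinationArn"):
        findings.append("stage: access logging is off; errors rejected before execution are not logged")
    return findings


# Constructed sample data, shaped like the boto3 responses.
BROKEN_ACCOUNT = {"cloudwatchRoleArn": ""}
BROKEN_STAGE = {
    "stageName": "prod",
    "methodSettings": {
        "*/*": {"loggingLevel": "ERROR", "dataTraceEnabled": True},
        "~1orders/GET": {"loggingLevel": "OFF", "dataTraceEnabled": False},  # method override
    },
}
GOOD_ACCOUNT = {"cloudwatchRoleArn": "arn:aws:iam::111122223333:role/example-apigw-logs"}
GOOD_STAGE = {
    "stageName": "prod",
    "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": False}},
    "accessLogSettings": {"destinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:example-access"},
}

if __name__ == "__main__":
    for line in audit_logging(BROKEN_ACCOUNT, BROKEN_STAGE):
        print(line)
```

To run it against a live API, pass the results of the boto3 apigateway client's get_account() and get_stage(restApiId=..., stageName=...) calls in place of the sample dicts.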