PingOne

Configuring CloudWatch Logs for Amazon API Gateway

Use CloudWatch Logs to centralize logs from all of your applications and AWS services and see them as a single, consistent flow of events ordered by time.

Before you begin

Ensure you have:

About this task

Set up Amazon CloudWatch execution logs to troubleshoot backend API request errors. CloudWatch Logs for Amazon API Gateway offers three levels of detail:

  • Errors only: Only generates logs for requests that result in an error response

  • Errors and info: Generates logs for all requests made to the backend API

  • Request and response: Generates logs that include headers and parts of the request and response bodies

For more information, see Amazon CloudWatch Logs.

Steps

  1. In the API Gateway service console, select the API that you want to enable logging for.

  2. In the top-level left navigation menu, click Settings.

  3. In the CloudWatch log role ARN field, enter the ARN of an IAM role with permissions to publish to CloudWatch Logs.

  4. Click Save.

    No success message is returned upon saving.

  5. In the left navigation menu, click Stages.

  6. Click the stage that you want to enable logging for.

  7. Click the Logs/Tracing tab.

  8. In the CloudWatch Logs list, select your desired level of logging detail.

    Full request and response logs can be useful in troubleshooting APIs, but they can expose sensitive data. You should not use full request and response logs for production APIs.

  9. Optional: Enable custom logging.

    1. In the Custom Access Logging section, select the Enable Access Logging check box.

    2. In the Access Log Destination ARN field, enter the ARN of a log group.

    3. In the Log Format section, click your desired format.

    4. Click Save Changes.

      No success message is returned upon saving.

  10. View the log stream for your chosen API.

    1. In the CloudWatch service console, expand Logs in the left-hand navigation menu, and select Log groups.

    2. Search for your log group and select it to view the log stream.
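
The warning in step 8 can be checked after the fact across all stages of an API. The following is an added example, not part of the original documentation or of AWS tooling: it audits stage descriptions in the shape returned by boto3's API Gateway `get_stages` call. The field names `methodSettings`, `loggingLevel`, `dataTraceEnabled` and `accessLogSettings` are from the API Gateway API; the stage names, method keys, ARN and the `production_names` parameter are constructed assumptions.

```python
"""Audit API Gateway stage logging settings (added example, not Ping Identity or AWS code)."""

# Constructed sample in the shape of the "item" list returned by boto3's
# apigateway get_stages(); stage names, method keys and the ARN are placeholders.
SAMPLE_STAGES = [
    {"stageName": "prod",
     "methodSettings": {
         "*/*": {"loggingLevel": "ERROR", "dataTraceEnabled": False},
         "orders/POST": {"loggingLevel": "INFO", "dataTraceEnabled": True}},
     "accessLogSettings": {
         "destinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:example-access",
         "format": "$context.requestId"}},
    {"stageName": "dev",
     "methodSettings": {"*/*": {"loggingLevel": "INFO", "dataTraceEnabled": True}}},
    {"stageName": "staging", "methodSettings": {}},
]


def audit_stage(stage, production=True):
    """Return a list of findings for one stage description."""
    findings = []
    settings = stage.get("methodSettings") or {}
    if not settings:
        findings.append("execution logging not configured")
    for key, cfg in sorted(settings.items()):
        # A per-method override can differ from the stage-wide "*/*" entry,
        # so every key is checked, not only the default.
        if cfg.get("dataTraceEnabled") and production:
            findings.append(f"{key}: full request and response logging enabled")
        if cfg.get("loggingLevel", "OFF") == "OFF":
            findings.append(f"{key}: execution logging is OFF")
    access = stage.get("accessLogSettings") or {}
    if access and not access.get("destinationArn"):
        findings.append("access logging enabled without a destination ARN")
    return findings


def audit_stages(stages, production_names=("prod",)):
    """Map stage name -> findings; data tracing is flagged only on production stages."""
    return {s["stageName"]: audit_stage(s, s["stageName"] in production_names)
            for s in stages}


if __name__ == "__main__":
    for name, findings in audit_stages(SAMPLE_STAGES).items():
        print(name, findings or "ok")
```

To run it against a real API, pass the `item` list from `get_stages` in place of `SAMPLE_STAGES` and list your production stage names in `production_names`.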