This document explains how to ingest Amazon API Gateway access logs to Google Security Operations using AWS CloudWatch Logs and Kinesis Data Firehose. Amazon API Gateway provides REST and HTTP APIs to build and manage APIs at scale. Access logs help monitor API usage and troubleshoot issues. This integration streams these logs into Google SecOps for analysis and monitoring.
Before you begin
Make sure you have the following prerequisites:
Google SecOps instance
Privileged access to AWS
Enable Amazon API Gateway Access Logging (to CloudWatch Logs)
Go to AWS Console > API Gateway.
For REST APIs:
Open your Stage > Logs/Tracing > enable Access logging.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-07 UTC."],[],[],null,["Collect AWS API Gateway access logs \nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to ingest Amazon API Gateway access logs to Google Security Operations using **AWS CloudWatch Logs and Kinesis Data Firehose**. Amazon API Gateway provides REST and HTTP APIs to build and manage APIs at scale. Access logs help monitor API usage and troubleshoot issues. This integration streams these logs into Google SecOps for analysis and monitoring.\n\nBefore you begin\n\nMake sure you have the following prerequisites:\n\n- Google SecOps instance\n- Privileged access to AWS\n\nEnable Amazon API Gateway Access Logging (to CloudWatch Logs)\n\n1. Go to **AWS Console \\\u003e API Gateway**.\n2. For **REST APIs**:\n\n - Open your **Stage \\\u003e Logs/Tracing \\\u003e enable Access logging**.\n - **Log format** : Select **JSON**.\n\n {\n \"requestId\":\"$context.requestId\",\n \"ip\":\"$context.identity.sourceIp\",\n \"requestTime\":\"$context.requestTime\",\n \"httpMethod\":\"$context.httpMethod\",\n \"routeKey\":\"$context.routeKey\",\n \"status\":\"$context.status\",\n \"protocol\":\"$context.protocol\",\n \"responseLength\":\"$context.responseLength\",\n \"integrationLatency\":\"$context.integrationLatency\",\n \"error\":\"$context.error.message\"\n }\n\n - **CloudWatch Logs log group** : Choose or create a log group (for example, `/aws/apigateway/access`).\n\n3. For **HTTP APIs**:\n\n - Select your **API \\\u003e Monitor \\\u003e Logging**.\n - Select **Stage \\\u003e Edit**.\n - Enable **Access logging**.\n - Use the same JSON log format as above.\n - **CloudWatch Logs log group** : Choose or create a log group (for example, `/aws/apigateway/access`).\n4. Click **Save**.\n\nConfigure a Feed in Google SecOps to Ingest Amazon API Gateway logs\n\n1. Go to **SIEM Settings \\\u003e Feeds**.\n2. Click **+ Add New Feed**.\n3. In the **Feed name** field, enter `Amazon API Gateway - CloudWatch via Firehose`.\n4. Select **Amazon Data Firehose** as the **Source type**.\n5. Select **Amazon API Gateway** as the **Log type**.\n6. Click **Next**.\n7. Specify values for the following input parameters:\n - **Split delimiter** : Optional `n`\n - **Asset namespace** : `aws.api_gateway`\n - **Ingestion labels** : For example, `source=apigw_access`, `aws_region=\u003cyour-region\u003e`\n8. Click **Next**.\n9. Review the feed configuration and click **Submit**.\n10. In the feed **Details** , click **Generate Secret Key** and copy the **Secret Key**.\n11. Copy the **Feed HTTPS endpoint URL** from **Endpoint Information**.\n12. Create a **Google Cloud API key** in **APIs \\& Services \\\u003e Credentials \\\u003e Create credentials \\\u003e API key** , and restrict it to **Google SecOps API**.\n13. Copy and save the API key in a secure location.\n\nConfigure Amazon Kinesis Data Firehose (Direct to Google SecOps)\n\n1. In the **AWS Console** , go to **Kinesis \\\u003e Data Firehose \\\u003e Create delivery stream**.\n2. Provide the following configuration details:\n - **Source** : Select **Direct PUT or other sources**.\n - **Destination** : Choose **HTTP endpoint**.\n - **HTTP endpoint URL** : Enter `ENDPOINT_URL?key=API_KEY` (use the Feed HTTPS endpoint URL and the API key from the previous step).\n - **HTTP method** : Select **POST**.\n - **Access key**: Paste the Secret Key generated in the feed.\n - **Buffering hints** : Set **Buffer size** = **1 MiB** , **Buffer interval** = **60 seconds**.\n - **Compression** : Select **Disabled**.\n - **S3 backup** : Select **Disabled**.\n - Leave **retry** and **logging** settings as default.\n3. Click **Create delivery stream** . (For example, `cwlogs-to-secops`.)\n\nConfigure IAM Permissions and Subscribe the Log Group\n\n1. In the **AWS Console** , go to **IAM \\\u003e Policies \\\u003e Create policy \\\u003e JSON**.\n2.\n 1. In the JSON editor, enter the following policy:\n\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"firehose:PutRecord\",\n \"firehose:PutRecordBatch\"\n ],\n \"Resource\": \"arn:aws:firehose:\u003cregion\u003e:\u003caccount-id\u003e:deliverystream/cwlogs-to-secops\"\n }\n ]\n }\n\n - Replace `\u003cregion\u003e` and `\u003caccount-id\u003e` with your AWS Region and account ID.\n3. Name the policy `CWLtoFirehoseWrite` and click **Create policy**.\n\n4. Go to **IAM \\\u003e Roles \\\u003e Create role**.\n\n5. Select **Custom trust policy** and enter the following:\n\n {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Service\": \"logs.\u003cyour-region\u003e.amazonaws.com\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n }\n\n6. Attach the policy `CWLtoFirehoseWrite` to the role.\n\n7. Name the role `CWLtoFirehoseRole` and click **Create role**.\n\n8. Go to **CloudWatch \\\u003e Logs \\\u003e Log groups**.\n\n9. Select the **API Gateway** log group you created earlier.\n\n10. Open the **Subscription filters** tab and click **Create**.\n\n11. Choose **Create Amazon Kinesis Data Firehose subscription filter**.\n\n12. Configure the following:\n\n - **Destination** : Delivery stream `cwlogs-to-secops`.\n - **Grant permission** : Role `CWLtoFirehoseRole`.\n - **Filter name** : Enter `all-events`.\n - **Filter pattern**: Leave empty to send all events.\n13. Click **Start streaming**.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
