How to Enable CloudWatch Logs for API Gateway

How do you set up an alarm that specifically monitors throttling (429 Too Many Requests) of an AWS API Gateway API?

Cagrihankara
4 min read · Jan 7, 2023

You can monitor an API Gateway API by using CloudWatch. CloudWatch collects and processes data from API Gateway into readable, near-real-time metrics. These statistics are recorded for a period of 15 months so you can access historical information and gain a better perspective on how your web application or service is performing. By default, API Gateway metric data is automatically sent to CloudWatch in one-minute periods.

Architecture of “Enabling CloudWatch Logs for API Gateway”

Note: For status 429, you should enable throttling in the API Gateway console like this:

Now we will explain how you can turn on CloudWatch logs for API Gateway REST APIs and we will set up an alarm for throttling with CloudWatch metrics.

1. Create Role

Go to the IAM console and choose the Roles section. Select Create Role and select API Gateway as the AWS service.

By default, you will see the AmazonAPIGatewayPushToCloudWatchLogs policy.

Role with AmazonAPIGatewayPushToCloudWatchLogs Policy

Next, enter your role name and create your role.

Copy your role ARN and continue with the next step.

2. Provide an IAM Role for Your API Gateway Service

Go to the API Gateway console and choose API settings.

Paste the role ARN you copied in step 1.

3. Enable CloudWatch Logs

Go to the Stages section and choose the stage for which you want to enable logs.

Choose the Logs/Tracing tab and select the boxes as in the picture right below.

When you deploy an API, API Gateway creates a log group and log streams under the log group. The log group is named following the API-Gateway-Execution-Logs_{rest-api-id}/{stage_name} format.

In access logging, you, as an API developer, want to log who has accessed your API and how the caller accessed the API. You can create your own log group or choose an existing log group that could be managed by API Gateway. To specify the access details, you select $context variables (expressed in a format of your choosing) and choose a log group as the destination.

4. Create Metric and Set Up Alarm

  • Go to the CloudWatch console and choose your log group.
  • Choose the Metric filters tab and create a metric filter.
  • Enter whatever pattern you want; here we will set an alarm for status 429.
  • So we will enter a filter pattern like this:

{ $.status = "429" }

  • Then enter the other information, such as the name. The metric value will be 1 in our case.

Metric Value: The numerical value to publish to the metric each time a matching log is found. For example, if you’re counting the occurrences of a particular term like “Error”, the value will be “1” for each occurrence. If you’re counting the bytes transferred, you can increment by the actual number of bytes found in the log event.

  • Go to the Alarms section and create an alarm.
  • Choose the metric you created and enter the other information as in the picture right below to get notified every time this error occurs.
  • In the next step, you can choose your SNS topic or create a new one. This is how you get notified of the alarm: email, SMS, etc.
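Step 4 done through the API instead of the console, as an added example that is not from the original article. It assumes the stage writes JSON access logs with a status field (a JSON pattern does not match the plain-text execution logs); the log group, namespace, metric, filter and alarm names and the one-minute threshold of 1 are assumptions.

```python
import json

# Assumed names for this example (not from the article); replace with your own.
LOG_GROUP = "example-apigw-access-logs"   # access log group selected in step 3
NAMESPACE, METRIC = "Example/ApiGateway", "Throttled429"
FILTER_PATTERN = '{ $.status = "429" }'   # the article's pattern, straight quotes

# JSON access log format for the stage. "$context.status" is quoted, so the
# status is logged as a string, which is what the pattern compares against.
ACCESS_LOG_FORMAT = json.dumps({"requestId": "$context.requestId",
    "ip": "$context.identity.sourceIp", "httpMethod": "$context.httpMethod",
    "resourcePath": "$context.resourcePath", "status": "$context.status"})

# Constructed sample events: two access log lines and one execution-style line.
SAMPLE_LINES = [
    '{"requestId": "r1", "ip": "192.0.2.10", "httpMethod": "GET", "status": "429"}',
    '{"requestId": "r2", "ip": "192.0.2.11", "httpMethod": "GET", "status": "200"}',
    "(r3) Method completed with status: 429",
]

def metric_filter_request():
    """Arguments for logs.put_metric_filter: publish 1 per matching log event."""
    return {"logGroupName": LOG_GROUP, "filterName": "status-429",
            "filterPattern": FILTER_PATTERN,
            "metricTransformations": [{"metricName": METRIC,
                "metricNamespace": NAMESPACE, "metricValue": "1"}]}

def alarm_request(sns_topic_arn):
    """Arguments for cloudwatch.put_metric_alarm: fire on any 429 in a minute."""
    return {
        "AlarmName": "apigw-throttling-429", "Namespace": NAMESPACE, "MetricName": METRIC,
        "Statistic": "Sum", "Period": 60, "EvaluationPeriods": 1,
        "Threshold": 1, "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        # The filter emits nothing when no event matches; keep the alarm in OK
        # instead of INSUFFICIENT_DATA during quiet periods.
        "TreatMissingData": "notBreaching", "AlarmActions": [sns_topic_arn],
    }

def dry_run(log_lines=SAMPLE_LINES):
    """Local stand-in for the pattern: count JSON events whose status is "429"."""
    events = (json.loads(l) for l in log_lines if l.lstrip().startswith("{"))
    return sum(1 for e in events if e.get("status") == "429")

def apply(sns_topic_arn):
    """Create the filter and the alarm; needs boto3 and AWS credentials."""
    import boto3  # imported here so the functions above run offline
    boto3.client("logs").put_metric_filter(**metric_filter_request())
    boto3.client("cloudwatch").put_metric_alarm(**alarm_request(sns_topic_arn))
```

Set ACCESS_LOG_FORMAT as the stage's access log format, then call apply() with the ARN of the SNS topic that should receive the notification.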

Now you can go to CloudWatch service and click your log group to view logs.

Thank you so much for reading this article, I hope it has helped simplify the process of your case.

If you have any questions, please feel free to drop a comment or to write me on LinkedIn, and I’ll be happy to answer it for you.

If this article helped you out I’d appreciate you letting me know with a few claps or a follow on Medium, thank you.
