What is the API audit log implementation best practice?

I want to implement Audit logs for our API, for compliance needs. Every request that a customer performs to the API should be logged. It must be hermetic, we can’t lose any log. The API high level architecture: Cloudfront -> API GW -> LB

I thought about Cloudfront standard logs, but the documentation says that it may not be hermetic, so it’s not relevant for my use case.

API GW access logs seems to be my direction for now, but setting the log template is pretty challenging. I couldn’t get the perfect template with all relevant data:

• Instead of the request payload, I get “-” (by using $input.body)
• Useragent is “Amazon CloudFront” instead the actual useragent (makes sense due to the fact that Cloudfront forwards the request)
• Many more fields are empty

2 comments:

*The log template documentation that I based on - https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference?cmpid=docs_apigateway_console

*I added to the Cloudfront distribution the “AllViewerExceptHostHeader” origin request policy, it didn’t help, looks like API GW still gets the requests with missing metadata from Cloudfront https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html#managed-origin-request-policy-all-viewer-except-host-header

The question is: is this the right direction for implementing API audit log? If not, would you recommend a third party product? I’m trying to avoid developing it in-house.

Thanks, Yedidya