v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 2 AWS AppSync should have field-level logging enabled

Description

This control checks whether an AWS AppSync API has field-level logging turned on. The control fails if the field resolver log level is set to None. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the field resolver log level is either ERROR or ALL.

You can use logging and metrics to identify, troubleshoot, and optimize your GraphQL queries. Turning on logging for AWS AppSync GraphQL helps you get detailed information about API requests and responses, identify and respond to issues, and comply with regulatory requirements.

Remediation

To turn on logging for AWS AppSync, see Setup and configuration in the AWS AppSync Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_appsync_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_appsync_2 --share

SQL

This control uses a named query:

appsync_graphql_api_field_level_logging_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = logging
foundational_security_item_id = appsync_2
plugin = aws
service = AWS/AppSync