turbot/steampipe-mod-aws-compliance

Control: AppSync graphql API logging should be enabled

Description

This control checks whether an AWS AppSync GraphQL API has field-level (resolver) logging turned on. The control fails if the field resolver log level in the API's log configuration is NONE, or if the API has no log configuration at all. It passes if the field resolver log level is either ERROR or ALL. The equivalent AWS Security Hub control (AppSync.2) accepts custom parameter values to require one specific log level; the query below takes no parameters and always applies the ERROR/ALL rule.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.appsync_graphql_api_field_level_logging_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.appsync_graphql_api_field_level_logging_enabled --share

SQL

This control uses a named query:

select
  name as resource,
  -- FieldLogLevel is read from the API's JSON log configuration. A missing
  -- log_config yields null here, and null never satisfies the IN test, so
  -- such an API falls through to 'alarm' just like an explicit NONE.
  -- Note: the newer AppSync levels INFO and DEBUG also enable field logging
  -- but are not in this allow-list, so they are reported as alarm as well.
  case
    when log_config ->> 'FieldLogLevel' in ('ERROR', 'ALL') then 'ok'
    else 'alarm'
  end as status,
  case
    when log_config ->> 'FieldLogLevel' in ('ERROR', 'ALL') then title || ' field level logging enabled.'
    else title || ' field level logging disabled.'
  end as reason,
  region,
  account_id
from
  aws_appsync_graphql_api;
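To see how each branch of the control evaluates, including the case where an API has no log configuration at all, here is the same logic run over a handful of constructed rows in place of the aws_appsync_graphql_api table. This is an added example, not code from the mod; the API names, account ID and role ARN are made up, and the query runs on any PostgreSQL (Steampipe's database) without an AWS connection.

```sql
-- Constructed stand-in for aws_appsync_graphql_api (sample data, not real APIs).
-- Steampipe exposes logConfig as the jsonb column log_config.
with sample_apis(name, title, region, account_id, log_config) as (
  values
    ('orders-api',   'orders-api',   'us-east-1', '123456789012',
     '{"FieldLogLevel": "ALL",   "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/appsync-logs"}'::jsonb),
    ('catalog-api',  'catalog-api',  'us-east-1', '123456789012',
     '{"FieldLogLevel": "ERROR", "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/appsync-logs"}'::jsonb),
    ('legacy-api',   'legacy-api',   'eu-west-1', '123456789012',
     '{"FieldLogLevel": "NONE"}'::jsonb),
    -- API created without any logConfig: the column is null in Steampipe
    ('unlogged-api', 'unlogged-api', 'eu-west-1', '123456789012', null)
)
select
  name as resource,
  -- raw value the control inspects; shown so the null case is visible
  log_config ->> 'FieldLogLevel' as field_log_level,
  case
    when log_config ->> 'FieldLogLevel' in ('ERROR', 'ALL') then 'ok'
    else 'alarm'
  end as status,
  case
    when log_config ->> 'FieldLogLevel' in ('ERROR', 'ALL') then title || ' field level logging enabled.'
    else title || ' field level logging disabled.'
  end as reason,
  region,
  account_id
from
  sample_apis
order by
  status, name;

-- Expected result:
--   catalog-api   ERROR  ok     catalog-api field level logging enabled.
--   orders-api    ALL    ok     orders-api field level logging enabled.
--   legacy-api    NONE   alarm  legacy-api field level logging disabled.
--   unlogged-api  (null) alarm  unlogged-api field level logging disabled.
```

The last row is the one worth noticing: `null ->> 'FieldLogLevel'` is null, `null in ('ERROR', 'ALL')` is null rather than false, and a null CASE condition takes the ELSE branch, so an API with no log configuration is correctly reported as alarm without any explicit `is null` check.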

Tags