turbot/steampipe-mod-aws-compliance

Control: 2 AWS AppSync should have field-level logging enabled

Description

This control checks whether an AWS AppSync GraphQL API has field-level logging turned on. The control fails if the field resolver log level is set to NONE, or if the API has no log configuration at all. Unless you provide custom parameter values to require a specific log level, Security Hub produces a passed finding if the field resolver log level is either ERROR or ALL.

You can use logging and metrics to identify, troubleshoot, and optimize your GraphQL queries. Turning on logging for AWS AppSync GraphQL helps you get detailed information about API requests and responses, identify and respond to issues, and comply with regulatory requirements.

Remediation

To turn on logging for AWS AppSync, see Setup and configuration in the AWS AppSync Developer Guide. Logging requires a CloudWatch Logs service role that AppSync can assume, and the field resolver log level must be set to ERROR or ALL for this control to pass. Note that ALL records request and response content (headers, context, evaluated mapping templates) unless verbose content is excluded, so review what ends up in CloudWatch before enabling it on APIs that handle sensitive data.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_appsync_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_appsync_2 --share

SQL

This control uses a named query:

select
  name as resource,
  case
    when log_config ->> 'FieldLogLevel' in ('ERROR', 'ALL') then 'ok'
    else 'alarm'
  end as status,
  case
    when log_config ->> 'FieldLogLevel' in ('ERROR', 'ALL') then title || ' field level logging enabled.'
    else title || ' field level logging disabled.'
  end as reason,
  region,
  account_id
from
  aws_appsync_graphql_api;
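The named query above folds a missing log configuration, a level of NONE, and any unexpected value into the same alarm, and it always accepts either ERROR or ALL. The query below is an added example (not part of the steampipe-mod-aws-compliance control) that runs against the same aws_appsync_graphql_api table and goes further: it reports the effective level and the logging role for every API, and it lets you require a single level the way the Security Hub custom parameter does. The required level in the params CTE is a constructed value; the log_config keys CloudWatchLogsRoleArn and ExcludeVerboseContent are assumed to follow the same casing as FieldLogLevel in the original query.

```sql
-- Added example; not the mod's own query.
-- Set required_level to 'ERROR' or 'ALL' to require exactly that level,
-- or to null to accept either (the default Security Hub behaviour).
with params as (
  select 'ALL'::text as required_level   -- constructed assumption for this example
),
apis as (
  select
    arn,
    title,
    region,
    account_id,
    -- a missing log_config is reported as NONE so it is handled like an explicit NONE
    coalesce(log_config ->> 'FieldLogLevel', 'NONE') as field_log_level,
    log_config ->> 'CloudWatchLogsRoleArn' as logs_role_arn,          -- assumed key name
    (log_config ->> 'ExcludeVerboseContent')::boolean as exclude_verbose_content  -- assumed key name
  from
    aws_appsync_graphql_api
)
select
  a.arn as resource,
  case
    when a.field_log_level = 'NONE' then 'alarm'
    when p.required_level is not null and a.field_log_level <> p.required_level then 'alarm'
    when a.field_log_level in ('ERROR', 'ALL') then 'ok'
    else 'alarm'   -- unknown value: flag it rather than silently pass
  end as status,
  a.title || ' field log level is ' || a.field_log_level
    || case
         when p.required_level is not null then ' (required: ' || p.required_level || ')'
         else ''
       end
    || '.' as reason,
  a.field_log_level,
  a.logs_role_arn,
  a.exclude_verbose_content,
  a.region,
  a.account_id
from
  apis a
  cross join params p
order by
  status,
  a.region,
  a.title;
```

Run it with steampipe query or drop it into a mod as a named query; with required_level set to null the status column matches the original control, and with it set to ALL any API still at ERROR is reported as alarm. The extra columns make the remediation gap visible in one place: an API with no logs_role_arn has never had logging configured, and exclude_verbose_content shows whether request and response content will land in CloudWatch once the level is raised to ALL.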

Tags