Control: 5 MSK connectors should have logging enabled
Description
This control checks whether logging is enabled for an Amazon MSK connector. The control fails if logging is disabled for the MSK connector.
Amazon MSK connectors integrate external systems and Amazon services with Apache Kafka by continuously copying streaming data from a data source into an Apache Kafka cluster, or continuously copying data from a cluster into a data sink. MSK Connect can write log events that can help debug a connector. When you create a connector, you can specify zero or more of the following log destinations: Amazon CloudWatch Logs, Amazon S3, and Amazon Data Firehose.
Remediation
To enable logging for an existing Amazon MSK connector, you have to re-create the connector with the appropriate logging configuration. For information about configuration options, see Logging for MSK Connect in the Amazon Managed Streaming for Apache Kafka Developer Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_msk_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_msk_5 --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when log_delivery is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when log_delivery is not null then title || ' logging enabled.'
    else title || ' logging disabled.'
  end as reason,
  region,
  account_id
from
  aws_mskconnect_connector;
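The named query tests only whether log_delivery is present. The following is an added example, not part of the aws_compliance mod, that goes one step further and applies a stricter offline check to connector descriptions: at least one of the three destinations must have enabled set to true and name a target. Field names follow the MSK Connect DescribeConnector response shape; the function names and the sample connectors are constructed for illustration.

```python
"""Offline check of MSK Connect log delivery settings (added example)."""

# Destination keys as they appear under logDelivery.workerLogDelivery in a
# DescribeConnector response, mapped to the field that names each target.
DESTINATIONS = {
    "cloudWatchLogs": "logGroup",
    "s3": "bucket",
    "firehose": "deliveryStream",
}


def enabled_destinations(connector):
    """Return sorted names of destinations that are enabled and have a target."""
    worker = ((connector.get("logDelivery") or {}).get("workerLogDelivery")) or {}
    active = []
    for name, target_field in DESTINATIONS.items():
        dest = worker.get(name) or {}
        if dest.get("enabled") is True and dest.get(target_field):
            active.append(name)
    return sorted(active)


def evaluate(connector):
    """Return (status, reason) using the control's ok/alarm vocabulary."""
    title = connector.get("connectorName", "<unnamed>")
    active = enabled_destinations(connector)
    if active:
        return "ok", f"{title} logging enabled ({', '.join(active)})."
    return "alarm", f"{title} logging disabled."


# Constructed sample data, not real resources.
SAMPLE_CONNECTORS = [
    {"connectorName": "orders-sink",
     "logDelivery": {"workerLogDelivery": {
         "cloudWatchLogs": {"enabled": True, "logGroup": "/example/msk-connect"},
         "s3": {"enabled": False}}}},
    {"connectorName": "audit-source",
     "logDelivery": {"workerLogDelivery": {
         "cloudWatchLogs": {"enabled": False},
         "s3": {"enabled": False},
         "firehose": {"enabled": False}}}},
    {"connectorName": "legacy-sink"},  # no logDelivery block at all
]

if __name__ == "__main__":
    for c in SAMPLE_CONNECTORS:
        status, reason = evaluate(c)
        print(f"{status:5} {reason}")
```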