Control: AppSync graphql API logging should be enabled
Description
This control checks whether an AWS AppSync API has field-level logging turned on. The control fails if the field resolver log level is set to None. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the field resolver log level is either ERROR or ALL.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.appsync_graphql_api_field_level_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.appsync_graphql_api_field_level_logging_enabled --share
SQL
This control uses a named query:
select
  arn as resource,
  -- FieldLogLevel is read from the API's log_config JSON; ERROR or ALL passes,
  -- anything else (including NONE or a missing log_config) raises an alarm.
  case
    when log_config ->> 'FieldLogLevel' in ('ERROR', 'ALL') then 'ok'
    else 'alarm'
  end as status,
  case
    when log_config ->> 'FieldLogLevel' in ('ERROR', 'ALL') then title || ' field level logging enabled.'
    else name || ' field level logging disabled.'
  end as reason,
  region,
  account_id
from
  aws_appsync_graphql_api;
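To see how the control evaluates each log level, including an API whose logging was never configured (so log_config is NULL), the control's logic can be run over a constructed stand-in table in any PostgreSQL session without AWS access. This is an added example, not part of the Steampipe mod or the control above; the column names mirror those the named query relies on, the rows are constructed samples, and the NONE/ERROR/ALL values follow the AppSync FieldLogLevel enum.

```sql
-- Added example (not the mod's own query): the control's evaluation run over
-- constructed rows standing in for the aws_appsync_graphql_api table.
-- ARNs, names, account IDs and role ARNs below are made-up sample values.
with aws_appsync_graphql_api(arn, name, title, log_config, region, account_id) as (
  values
    -- Full field-level logging: passes.
    ('arn:aws:appsync:us-east-1:111111111111:apis/sample-api-all',
     'orders-api', 'orders-api',
     '{"FieldLogLevel": "ALL",
       "CloudWatchLogsRoleArn": "arn:aws:iam::111111111111:role/sample-appsync-logs",
       "ExcludeVerboseContent": false}'::jsonb,
     'us-east-1', '111111111111'),
    -- Error-only field logging: also passes.
    ('arn:aws:appsync:us-east-1:111111111111:apis/sample-api-error',
     'billing-api', 'billing-api',
     '{"FieldLogLevel": "ERROR",
       "CloudWatchLogsRoleArn": "arn:aws:iam::111111111111:role/sample-appsync-logs",
       "ExcludeVerboseContent": true}'::jsonb,
     'us-east-1', '111111111111'),
    -- Resolver log level explicitly NONE: fails.
    ('arn:aws:appsync:eu-west-1:222222222222:apis/sample-api-none',
     'catalog-api', 'catalog-api',
     '{"FieldLogLevel": "NONE",
       "CloudWatchLogsRoleArn": "arn:aws:iam::222222222222:role/sample-appsync-logs"}'::jsonb,
     'eu-west-1', '222222222222'),
    -- Logging never configured: log_config is NULL, so ->> yields NULL,
    -- the IN test is NULL rather than true, and the row falls to 'alarm'.
    ('arn:aws:appsync:eu-west-1:222222222222:apis/sample-api-unset',
     'legacy-api', 'legacy-api',
     NULL::jsonb,
     'eu-west-1', '222222222222')
)
select
  arn as resource,
  -- Surfacing the raw level makes a NULL (unconfigured) case visible,
  -- which the control's status column alone does not distinguish from NONE.
  coalesce(log_config ->> 'FieldLogLevel', '<not configured>') as field_log_level,
  case
    when log_config ->> 'FieldLogLevel' in ('ERROR', 'ALL') then 'ok'
    else 'alarm'
  end as status,
  case
    when log_config ->> 'FieldLogLevel' in ('ERROR', 'ALL') then title || ' field level logging enabled.'
    else name || ' field level logging disabled.'
  end as reason,
  region,
  account_id
from
  aws_appsync_graphql_api
order by
  status, arn;
```

Expected result: the ALL and ERROR rows report ok; the NONE row and the unconfigured row both report alarm, with the field_log_level column showing NONE and <not configured> respectively. Against a live Steampipe connection, drop the CTE and run the select body alone to get the same per-row breakdown for real APIs.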