Ensure AppSync has Logging enabled

ID

appsync_logging_disabled

Severity

low

Vendor

AWS

Resource

AppSync

Tags

non-reachable

Description

AWS AppSync provides a robust, scalable GraphQL interface for application developers to combine data from multiple sources, including Amazon DynamoDB, AWS Lambda, and HTTP APIs.

Enabling logging to CloudWatch is useful for troubleshooting security and operational issues.

Examples

Buildtime

CloudFormation

{
  "Resources": {
    "Dummy": { (1)
      "Type": "AWS::AppSync::GraphQLApi",
      "Properties": {
        "Name": "dummy",
        "AuthenticationType": "API_KEY"
      }
    }
  }
}
json
1 Missing LogConfig property means logging is disabled.
Resources:
  Dummy: (1)
    Type: "AWS::AppSync::GraphQLApi"
    Properties:
      Name: "dummy"
      AuthenticationType: "API_KEY"
yaml
1 Missing LogConfig property means logging is disabled.

Terraform

resource "aws_appsync_graphql_api" "default" {
  authentication_type = "API_KEY"
  name                = "example"   (1)
}
hcl
1 There is no log_config block, so logging is disabled.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "Dummy": {
      "Type": "AWS::AppSync::GraphQLApi",
      "Properties": {
        "Name": "dummy",
        "AuthenticationType": "API_KEY",
        "LogConfig": {
          "CloudWatchLogsRoleArn": "iam_role_arn", (1)
          "FieldLogLevel": "ERROR"
        }
      }
    }
  }
}
json
1 CloudWatchLogsRoleArn set means logging is enabled.
Resources:
  Dummy:
    Type: "AWS::AppSync::GraphQLApi"
    Properties:
      Name: "dummy"
      AuthenticationType: "API_KEY"
      LogConfig:
        CloudWatchLogsRoleArn: "iam_role_arn" (1)
        FieldLogLevel: "ERROR"
yaml
1 CloudWatchLogsRoleArn set means logging is enabled.

Terraform

resource "aws_appsync_graphql_api" "example" {
  authentication_type = "API_KEY"
  name                = "example"

  log_config {
    cloudwatch_logs_role_arn = aws_iam_role.example.arn (1)
    field_log_level          = "ERROR"
  }
}
hcl
1 A log_config block whose cloudwatch_logs_role_arn references a role AppSync can assume enables logging.
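As an added example, not code from this page or from the scanner that ships this policy, the following Python check applies the rule above to a parsed CloudFormation template: a GraphQLApi passes only when a LogConfig block exists and CloudWatchLogsRoleArn is set. The two embedded templates are constructed copies of the failing and passing examples on this page.

```python
import json

# Constructed sample templates that mirror the failing and passing
# CloudFormation examples on this page.
FAILING_TEMPLATE = json.loads("""
{"Resources": {"Dummy": {
  "Type": "AWS::AppSync::GraphQLApi",
  "Properties": {"Name": "dummy", "AuthenticationType": "API_KEY"}}}}
""")

PASSING_TEMPLATE = json.loads("""
{"Resources": {"Dummy": {
  "Type": "AWS::AppSync::GraphQLApi",
  "Properties": {
    "Name": "dummy",
    "AuthenticationType": "API_KEY",
    "LogConfig": {"CloudWatchLogsRoleArn": "iam_role_arn",
                  "FieldLogLevel": "ERROR"}}}}}
""")


def appsync_logging_enabled(properties: dict) -> bool:
    """Apply the page's rule to one AWS::AppSync::GraphQLApi Properties map.

    Logging counts as enabled only when a LogConfig block exists and its
    CloudWatchLogsRoleArn is set (a literal ARN or an intrinsic such as
    Fn::GetAtt both count; AppSync needs that role to write to CloudWatch).
    """
    log_config = properties.get("LogConfig")
    if not isinstance(log_config, dict):
        return False
    return bool(log_config.get("CloudWatchLogsRoleArn"))


def find_unlogged_appsync_apis(template: dict) -> list:
    """Return logical IDs of GraphQLApi resources that fail the check."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::AppSync::GraphQLApi":
            continue
        if not appsync_logging_enabled(resource.get("Properties") or {}):
            failing.append(logical_id)
    return failing


if __name__ == "__main__":
    for label, tpl in (("failing", FAILING_TEMPLATE), ("passing", PASSING_TEMPLATE)):
        print(label, "->", find_unlogged_appsync_apis(tpl) or "all APIs log")
```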