AWS AppSync's logging is disabled
Description
This policy ensures that AWS AppSync GraphQL APIs have logging enabled. Enabling logging for AppSync allows you to capture, store, and analyze the API activity, which is crucial for monitoring, troubleshooting, and ensuring the security of your API. This policy checks whether the `CloudWatchLogsRoleArn` property in the `LogConfig` configuration is set to a valid value.
Code Example
```hcl
# Compliant configuration: the API's log_config names an IAM role that
# AppSync assumes to push logs to CloudWatch Logs.
resource "aws_appsync_graphql_api" "enabled" {
  authentication_type = "API_KEY"
  name                = "example"
  log_config {
    # Reference the role resource; a quoted string here would be a literal,
    # not an ARN, and AppSync would reject it.
    cloudwatch_logs_role_arn = aws_iam_role.example.arn
    field_log_level          = "ERROR"
  }
}
```
Remediation
Terraform
To mitigate this issue, ensure that the `log_config` block of the `aws_appsync_graphql_api` resource sets `cloudwatch_logs_role_arn` to the ARN of an IAM role that AppSync can assume.
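A complete Terraform remediation, added here as an example rather than taken from the policy page: the IAM role that only the AppSync service can assume, the AWS managed policy that grants that role the CloudWatch Logs permissions it needs, and the API wired to the role. The resource names (`appsync_logs`, `example`) and the role name are assumptions.

```hcl
# Trust policy: only the AppSync service principal may assume this role.
data "aws_iam_policy_document" "appsync_logs_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["appsync.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "appsync_logs" {
  name               = "appsync-cloudwatch-logs" # assumed name
  assume_role_policy = data.aws_iam_policy_document.appsync_logs_trust.json
}

# AWS managed policy scoped to what AppSync needs for logging
# (create log groups/streams, put log events); no broader rights.
resource "aws_iam_role_policy_attachment" "appsync_logs" {
  role       = aws_iam_role.appsync_logs.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
}

resource "aws_appsync_graphql_api" "example" {
  name                = "example"
  authentication_type = "API_KEY"

  log_config {
    # Real role reference (not a quoted string), so the attribute resolves
    # to an ARN and the policy check sees a valid value.
    cloudwatch_logs_role_arn = aws_iam_role.appsync_logs.arn
    # ALL logs every resolver invocation; ERROR logs only failures.
    field_log_level = "ALL"
    # Keep request/response bodies and resolver mappings out of the logs
    # so the log group does not become a store of sensitive payloads.
    exclude_verbose_content = true
  }
}
```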
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0241 |
| Severity | LOW |
| IaC Type | CloudFormation |
| Frameworks | Terraform, CloudFormation |
| Checkov ID | CKV_AWS_193 |