AWS AppSync has field-level logging disabled
Description
It is recommended to have a proper logging process for AWS AppSync in order to detect anomalous configuration activity. Logging is used to track configuration changes made manually or programmatically and to trace unapproved changes back to their source.
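The condition behind this rule, written out as a small evaluator. This is an added example and is not part of the original rule page nor Checkov's own implementation of CKV_AWS_194: it runs over constructed, already-parsed resources (the dict shapes mimic what an HCL or CloudFormation parser would emit; the resource names and ARNs are placeholders) and treats an AppSync API as compliant only when `field_log_level` / `FieldLogLevel` is `ERROR` or `ALL` and a CloudWatch Logs role ARN is present. It goes slightly beyond the page by handling both the Terraform and the CloudFormation shape, since the rule lists both frameworks.

```python
"""Evaluate the "AppSync field-level logging" condition over parsed IaC resources.

Added example, not the page's or Checkov's code. Resource shapes, names and
ARNs below are assumptions constructed for illustration.
"""
from typing import Any, Dict, Optional, Tuple

# AppSync accepts NONE, ERROR and ALL for the field log level; only the last
# two actually produce resolver-level logs in CloudWatch.
ACCEPTED_LEVELS = {"ERROR", "ALL"}


def _normalise_log_config(resource: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the log configuration in one shape regardless of IaC flavour.

    Terraform (as emitted by an HCL parser): {"log_config": [{...}]} or {"log_config": {...}}
    CloudFormation:                          {"Properties": {"LogConfig": {...}}}
    Returns None when no log configuration is declared at all.
    """
    if "Properties" in resource:  # CloudFormation template resource
        cfg = resource["Properties"].get("LogConfig")
        if cfg is None:
            return None
        return {"level": cfg.get("FieldLogLevel"), "role_arn": cfg.get("CloudWatchLogsRoleArn")}

    cfg = resource.get("log_config")  # Terraform resource block
    if cfg is None:
        return None
    if isinstance(cfg, list):  # HCL parsers commonly emit nested blocks as lists
        cfg = cfg[0] if cfg else {}
    return {"level": cfg.get("field_log_level"), "role_arn": cfg.get("cloudwatch_logs_role_arn")}


def check_appsync_field_logging(resource: Dict[str, Any]) -> Tuple[str, str]:
    """Evaluate one AppSync GraphQL API resource. Returns (result, reason)."""
    cfg = _normalise_log_config(resource)
    if cfg is None:
        return "FAILED", "no log configuration declared"
    level = cfg["level"]
    if isinstance(level, list):  # some HCL parsers wrap scalar attributes in lists
        level = level[0] if level else None
    if level is None or str(level).upper() not in ACCEPTED_LEVELS:
        return "FAILED", f"field_log_level is {level!r}, expected ERROR or ALL"
    if not cfg["role_arn"]:
        return "FAILED", "no CloudWatch Logs role ARN, so logs cannot be delivered"
    return "PASSED", f"field-level logging enabled at level {level}"


def scan(resources: Dict[str, Dict[str, Any]]) -> Dict[str, Tuple[str, str]]:
    """Run the check over a mapping of resource name -> parsed resource."""
    return {name: check_appsync_field_logging(res) for name, res in resources.items()}


# Constructed sample resources; the account id and role names are placeholders.
SAMPLE_RESOURCES: Dict[str, Dict[str, Any]] = {
    "tf_no_logging": {"authentication_type": "API_KEY", "name": "example"},
    "tf_logging_none": {
        "authentication_type": "API_KEY",
        "name": "example",
        "log_config": [{"cloudwatch_logs_role_arn": "${aws_iam_role.example.arn}",
                        "field_log_level": "NONE"}],
    },
    "tf_logging_all": {
        "authentication_type": "API_KEY",
        "name": "example",
        "log_config": [{"cloudwatch_logs_role_arn": "${aws_iam_role.example.arn}",
                        "field_log_level": "ALL"}],
    },
    "tf_missing_role": {
        "authentication_type": "API_KEY",
        "name": "example",
        "log_config": [{"field_log_level": "ALL"}],
    },
    "cfn_logging_error": {
        "Type": "AWS::AppSync::GraphQLApi",
        "Properties": {
            "Name": "example",
            "AuthenticationType": "API_KEY",
            "LogConfig": {
                "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/placeholder-appsync-logs",
                "FieldLogLevel": "ERROR",
            },
        },
    },
}

if __name__ == "__main__":
    for name, (result, reason) in scan(SAMPLE_RESOURCES).items():
        print(f"{result:6} {name}: {reason}")
```

Only `tf_logging_all` and `cfn_logging_error` pass; the sample with `field_log_level = "NONE"` fails for the same reason as the one with no `log_config` at all, and the sample that sets the level but omits the role fails because AppSync has nothing to assume when writing to CloudWatch.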
Code Example
```hcl
resource "aws_appsync_graphql_api" "all" {
  authentication_type = "API_KEY"
  name                = "example"

  # Field-level logging enabled; the referenced role must be assumable by
  # the AppSync service so it can write to CloudWatch Logs.
  log_config {
    cloudwatch_logs_role_arn = aws_iam_role.example.arn
    field_log_level          = "ALL"
  }
}
```
Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0242 |
| Severity | INFO |
| IaC Type | CloudFormation |
| Frameworks | Terraform, CloudFormation |
| Checkov ID | CKV_AWS_194 |