AWS MWAA environment has worker logs disabled
Description
It is recommended to enable worker logging for AWS MWAA environments so that configuration changes made manually or programmatically can be tracked and unapproved changes traced back.
Code Example
```hcl
# Referenced role, security group, subnets and bucket are defined elsewhere.
resource "aws_mwaa_environment" "pass" {
  dag_s3_path        = "dags/"
  execution_role_arn = aws_iam_role.example.arn

  logging_configuration {
    # Worker logs are enabled, so this resource passes the check.
    worker_logs {
      enabled   = true
      log_level = "CRITICAL"
    }
  }

  name = "example"

  network_configuration {
    security_group_ids = [aws_security_group.example.id]
    subnet_ids         = aws_subnet.private[*].id
  }

  source_bucket_arn = aws_s3_bucket.example.arn
}
```
Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0291 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_243 |
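
An added example, not part of the original rule page and not Checkov's own code: a Python check that walks JSON in the shape produced by `terraform show -json` and reports `aws_mwaa_environment` resources whose `worker_logs` block is not explicitly enabled. The sample plan and the function names are constructed for illustration, and treating a missing block as a failure is an assumption of this example.

```python
# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Nested blocks appear as lists of objects in this representation.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_mwaa_environment.pass",
             "type": "aws_mwaa_environment",
             "values": {"logging_configuration": [
                 {"worker_logs": [{"enabled": True, "log_level": "CRITICAL"}]}]}},
            {"address": "aws_mwaa_environment.disabled",
             "type": "aws_mwaa_environment",
             "values": {"logging_configuration": [
                 {"worker_logs": [{"enabled": False, "log_level": "INFO"}]}]}},
            {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket",
             "values": {}},
        ],
        "child_modules": [{"resources": [
            {"address": "module.airflow.aws_mwaa_environment.no_block",
             "type": "aws_mwaa_environment", "values": {}}]}],
    }}
}


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def worker_logs_enabled(values):
    """True only if some worker_logs block sets enabled = true explicitly."""
    for cfg in values.get("logging_configuration") or []:
        for worker in cfg.get("worker_logs") or []:
            if worker.get("enabled") is True:
                return True
    return False  # assumption: a missing or unknown block counts as disabled


def find_failing(plan):
    """Return sorted addresses of MWAA environments without worker logs."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return sorted(
        r["address"] for r in iter_resources(root)
        if r.get("type") == "aws_mwaa_environment"
        and not worker_logs_enabled(r.get("values") or {}))


if __name__ == "__main__":
    for address in find_failing(SAMPLE_PLAN):
        print(f"FAIL worker logs disabled: {address}")
```

To run it against a real plan, load the output of `terraform show -json` with `json.load` and pass the result to `find_failing`.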