Execution history logging is not enabled on the State Machine
Description
This policy verifies whether execution history logging is enabled for the State Machine in an AWS environment. If it is not enabled, critical issues can follow. Logging provides extensive visibility into the behavior of a state machine, allowing one to view execution history, debug errors, and understand which states were traversed in the course of an execution. Without logging, debugging becomes very difficult because there is no record of the application's activity. It is a security and compliance best practice to enable logging and continuously monitor these logs.
Code Example
```hcl
resource "aws_sfn_state_machine" "sfn_state_machine" {
  name = "sfn_state_machine"
  // ...
  logging_configuration {
    level                  = "ALL"
    include_execution_data = true
    // A CloudWatch Logs destination is required whenever level is not OFF;
    // the log group referenced here is assumed to be declared elsewhere.
    log_destination        = "${aws_cloudwatch_log_group.sfn_logs.arn}:*"
  }
}
```
Remediation
Terraform
- Resource: aws_sfn_state_machine
- Arguments: logging_configuration.include_execution_data
To fix this issue, enable execution history logging for the AWS Step Functions state machine. Add a `logging_configuration` block to the `aws_sfn_state_machine` resource and set `level` to `ALL`.
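The rule's evaluation logic, written out as an added example (not Checkov's own implementation): each attribute value is wrapped in a list, mirroring the shape of a parsed Terraform resource, and a state machine passes only when `logging_configuration` is present and its `level` is not `OFF`. The sample resources are constructed for illustration.

```python
"""Illustrative check for IAC-0333 / CKV_AWS_285 on aws_sfn_state_machine."""
from enum import Enum


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


# Valid non-OFF values of logging_configuration.level in Step Functions.
LOGGING_LEVELS = {"ALL", "ERROR", "FATAL"}


def _first(value):
    """Unwrap the single-element list that HCL parsing produces."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def check_sfn_logging(conf: dict) -> tuple[CheckResult, str]:
    """Return (result, reason) for one parsed aws_sfn_state_machine resource."""
    logging_conf = _first(conf.get("logging_configuration"))
    if not isinstance(logging_conf, dict):
        return CheckResult.FAILED, "logging_configuration block is missing"
    level = _first(logging_conf.get("level"))
    # Terraform defaults level to OFF, so an unset level also fails.
    if level is None or str(level).upper() not in LOGGING_LEVELS:
        return CheckResult.FAILED, f"logging level is {level or 'unset'}"
    return CheckResult.PASSED, f"logging level is {level}"


def evaluate_all(resources: dict) -> dict:
    """Map resource name -> PASSED/FAILED for a set of parsed resources."""
    return {name: check_sfn_logging(conf)[0].value for name, conf in resources.items()}


# Constructed sample resources, shaped like parsed HCL (values wrapped in lists).
SAMPLE_RESOURCES = {
    "no_logging": {"name": ["orders"]},
    "logging_off": {"name": ["orders"], "logging_configuration": [{"level": ["OFF"]}]},
    "logging_all": {
        "name": ["orders"],
        "logging_configuration": [{"level": ["ALL"], "include_execution_data": [True]}],
    },
}

if __name__ == "__main__":
    for name, conf in SAMPLE_RESOURCES.items():
        result, reason = check_sfn_logging(conf)
        print(f"{name}: {result.value} ({reason})")
```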
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0333 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_285 |