Ensure AppSync has Field-Level logs enabled

ID | appsync_field_level_logs_enabled
Severity | low
Vendor | AWS
Resource | AppSync
Tags | non-reachable
Description

AWS AppSync provides a robust, scalable GraphQL interface for application developers to combine data from multiple sources, including Amazon DynamoDB, AWS Lambda, and HTTP APIs. Setting an appropriate FieldLogLevel can be useful for troubleshooting security and operational issues. Thus, it is recommended to use the ERROR or ALL field log levels.
Examples
CloudFormation
{
  "Resources": {
    "None": {
      "Type": "AWS::AppSync::GraphQLApi",
      "Properties": {
        "Name": "dummy",
        "AuthenticationType": "API_KEY",
        "LogConfig": {
          "CloudWatchLogsRoleArn": "iam_role_arn",
          "FieldLogLevel": "NONE"
        }
      }
    }
  }
}

FieldLogLevel set to NONE means no field-level logs are captured.
Resources:
  None:
    Type: "AWS::AppSync::GraphQLApi"
    Properties:
      Name: "dummy"
      AuthenticationType: "API_KEY"
      LogConfig:
        CloudWatchLogsRoleArn: "iam_role_arn"
        FieldLogLevel: "NONE"

FieldLogLevel set to NONE means no field-level logs are captured.
Mitigation / Fix
Buildtime
CloudFormation
{
  "Resources": {
    "None": {
      "Type": "AWS::AppSync::GraphQLApi",
      "Properties": {
        "Name": "dummy",
        "AuthenticationType": "API_KEY",
        "LogConfig": {
          "CloudWatchLogsRoleArn": "iam_role_arn",
          "FieldLogLevel": "ERROR"
        }
      }
    }
  }
}

FieldLogLevel set to ERROR or INFO means field-level logs are captured.
Resources:
  None:
    Type: "AWS::AppSync::GraphQLApi"
    Properties:
      Name: "dummy"
      AuthenticationType: "API_KEY"
      LogConfig:
        CloudWatchLogsRoleArn: "iam_role_arn"
        FieldLogLevel: "ERROR"

FieldLogLevel set to ERROR or ALL means field-level logs are captured.
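The check above, written out as a small stand-alone policy evaluator (an added example, not the scanner's own implementation): it walks a parsed CloudFormation template, finds every AWS::AppSync::GraphQLApi resource, and fails those with no LogConfig, no FieldLogLevel, or FieldLogLevel NONE. The template is a constructed sample covering each case; load a real template with json (or a YAML parser) and pass the resulting dict.

```python
import json

# Constructed sample template (not from the page): one AppSync API per case, plus a non-AppSync resource.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "NoLogs": {"Type": "AWS::AppSync::GraphQLApi",
               "Properties": {"Name": "a", "AuthenticationType": "API_KEY",
                              "LogConfig": {"CloudWatchLogsRoleArn": "iam_role_arn",
                                            "FieldLogLevel": "NONE"}}},
    "ErrorLogs": {"Type": "AWS::AppSync::GraphQLApi",
                  "Properties": {"Name": "b", "AuthenticationType": "API_KEY",
                                 "LogConfig": {"CloudWatchLogsRoleArn": "iam_role_arn",
                                               "FieldLogLevel": "ERROR"}}},
    "MissingLogConfig": {"Type": "AWS::AppSync::GraphQLApi",
                         "Properties": {"Name": "c", "AuthenticationType": "API_KEY"}},
    "NotAppSync": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}
""")


def field_log_level(resource: dict):
    """Return the FieldLogLevel of a GraphQLApi resource, or None when LogConfig/FieldLogLevel is absent."""
    props = resource.get("Properties") or {}
    log_config = props.get("LogConfig")
    if not isinstance(log_config, dict):
        return None
    return log_config.get("FieldLogLevel")


def check_appsync_field_logs(template: dict) -> dict:
    """Evaluate appsync_field_level_logs_enabled over a parsed template.
    Returns {logical_id: "PASSED" | "FAILED" | "UNKNOWN"} for each AWS::AppSync::GraphQLApi."""
    results = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not isinstance(resource, dict) or resource.get("Type") != "AWS::AppSync::GraphQLApi":
            continue
        level = field_log_level(resource)
        if level is None:
            results[logical_id] = "FAILED"    # no LogConfig or no FieldLogLevel: nothing is logged
        elif not isinstance(level, str):
            results[logical_id] = "UNKNOWN"   # intrinsic (Ref, Fn::If, ...): resolve before judging
        elif level.upper() == "NONE":
            results[logical_id] = "FAILED"    # explicitly disabled field-level logs
        else:
            results[logical_id] = "PASSED"    # ERROR or ALL (any non-NONE level) captures field logs
    return results


if __name__ == "__main__":
    for rid, verdict in check_appsync_field_logs(SAMPLE_TEMPLATE).items():
        print(f"{rid}: {verdict}")
```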