AppSync API Should Have Logging Enabled.
More Info: Checks if an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or ‘fieldLogLevel’ is neither ERROR nor ALL.
Risk Level: Medium
Address: Monitoring
Compliance Standards: GDPR, HIPAA, ISO27001, SEBI
Triage and Remediation
Remediation
To remediate the misconfiguration of AppSync API not having logging enabled in AWS using the AWS Management Console, follow these step-by-step instructions:
- Sign in to the AWS Management Console: Go to the AWS Management Console (https://aws.amazon.com/console/) and sign in using your AWS account credentials.
- Navigate to AWS AppSync: In the AWS Management Console, type “AppSync” in the search bar at the top and select “AWS AppSync” from the dropdown list.
- Select the AppSync API: In the AWS AppSync console, select the API that you want to enable logging for from the list of APIs displayed.
- Enable Logging: In the API details page, click on the “Settings” tab on the left-hand side menu.
- Configure Logging: Scroll down to the “Log Config” section and click on the “Edit” button.
- Enable Access Logging: In the “Access Logging” section, toggle the switch to enable access logging for the AppSync API.
- Set Log Level (Optional): Optionally, you can set the log level based on your requirements (e.g., INFO, ERROR, DEBUG).
- Choose Log Group: Select an existing CloudWatch log group or create a new one where the logs will be stored.
- Save Changes: Click on the “Save” button to save the changes and enable logging for the AppSync API.
- Verify Logging: To verify that logging is enabled, you can perform some API operations and check the CloudWatch log group for the logs generated by the AppSync API.
By following these steps, you can remediate the misconfiguration of AppSync API not having logging enabled in AWS using the AWS Management Console.
To remediate the misconfiguration of an AppSync API not having logging enabled in AWS using the AWS CLI, follow these steps:
- Enable Logging for the AppSync API:
Run the following AWS CLI command to enable field logging for your AppSync API. The parameter is --log-config (shorthand syntax), and update-graphql-api also requires the API's name, so pass its current name and authentication type back unchanged so that only logging is modified:
aws appsync update-graphql-api --api-id YOUR_API_ID --name YOUR_API_NAME --authentication-type YOUR_AUTHENTICATION_TYPE --log-config cloudWatchLogsRoleArn=YOUR_CLOUDWATCH_LOGS_ROLE_ARN,fieldLogLevel=ALL
- Replace YOUR_API_ID with the actual ID of your AppSync API.
- Replace YOUR_API_NAME and YOUR_AUTHENTICATION_TYPE with the API's current name and authentication type; both are shown by aws appsync get-graphql-api --api-id YOUR_API_ID.
- Replace YOUR_CLOUDWATCH_LOGS_ROLE_ARN with the ARN of the IAM role that has permission to write logs to CloudWatch and that AppSync (appsync.amazonaws.com) is allowed to assume.
- Verify the Logging Configuration:
You can verify that logging is enabled for your AppSync API by describing the API and checking its log configuration (the field is named logConfig in the response):
aws appsync get-graphql-api --api-id YOUR_API_ID --query 'graphqlApi.logConfig'
Ensure that the response includes the CloudWatch Logs role ARN and that fieldLogLevel is ERROR or ALL, as the rule requires.
- Test the Logging:
Make some requests to your AppSync API and check that the logs are being generated in CloudWatch Logs.
By following these steps, you can successfully remediate the misconfiguration of an AppSync API not having logging enabled in AWS using the AWS CLI.
To remediate the misconfiguration by enabling logging for an AWS AppSync API using Python, follow these steps:
- Import the necessary Python libraries:
import boto3
- Initialize the AWS AppSync client:
appsync_client = boto3.client('appsync')
- Get the list of APIs in the AWS AppSync service (the boto3 method is list_graphql_apis and the response key is 'graphqlApis'; the result is paginated, so follow 'nextToken' if you have more than one page of APIs):
response = appsync_client.list_graphql_apis()
apis = response['graphqlApis']
- Identify the target API for which logging needs to be enabled. You can either specify the API directly or loop through all APIs to find the target one.
- Enable logging for the identified API. update_graphql_api requires the API's existing name and authentication type in addition to the new log configuration, so read them first and pass them back unchanged:
api_id = 'your_api_id_here'
api = appsync_client.get_graphql_api(apiId=api_id)['graphqlApi']
response = appsync_client.update_graphql_api(
    apiId=api_id,
    name=api['name'],
    authenticationType=api['authenticationType'],
    logConfig={
        'cloudWatchLogsRoleArn': 'arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_CLOUDWATCH_LOGS_ROLE',
        'fieldLogLevel': 'ALL',          # the rule accepts ERROR or ALL
        'excludeVerboseContent': False   # False keeps headers, context and evaluated templates in the logs
    }
)
Replace 'your_api_id_here' with the actual API ID of the target API and 'arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_CLOUDWATCH_LOGS_ROLE' with the ARN of the IAM role that grants permission to write logs to CloudWatch.
- Verify that logging has been enabled successfully by checking the API settings (the 'logConfig' field returned by get_graphql_api) or the CloudWatch logs for the API.
By following these steps and executing the Python script, you can remediate the misconfiguration of enabling logging for an AWS AppSync API.
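As an added example (not the page's own code and not from the scanner it documents), the rule stated under More Info and the CLI and Python remediation steps above combined into one script: it evaluates API entries in the shape list_graphql_apis returns, pages through results with nextToken, and enables logging on failing APIs while passing back the name and authentication type that update_graphql_api requires. The sample API entries and role ARN are constructed, and a boto3 AppSync client is assumed wherever `client` is passed.

```python
from typing import Any, Dict, List

COMPLIANT_LEVELS = {"ERROR", "ALL"}

# Constructed sample in the shape list_graphql_apis() returns: no logConfig at all,
# logging set to NONE, and one API that already satisfies the rule.
SAMPLE_APIS = [
    {"apiId": "api-no-logging", "name": "orders", "authenticationType": "API_KEY"},
    {"apiId": "api-level-none", "name": "billing", "authenticationType": "AWS_IAM",
     "logConfig": {"cloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/AppSyncLogs",
                   "fieldLogLevel": "NONE"}},
    {"apiId": "api-compliant", "name": "inventory", "authenticationType": "AWS_IAM",
     "logConfig": {"cloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/AppSyncLogs",
                   "fieldLogLevel": "ERROR"}},
]


def evaluate_api(api: Dict[str, Any]) -> Dict[str, str]:
    """NON_COMPLIANT if logging is off or fieldLogLevel is neither ERROR nor ALL."""
    cfg = api.get("logConfig") or {}
    level = cfg.get("fieldLogLevel")
    if not cfg.get("cloudWatchLogsRoleArn"):
        reason = "logging not enabled"
    elif level not in COMPLIANT_LEVELS:
        reason = f"fieldLogLevel is {level}, expected ERROR or ALL"
    else:
        reason = ""
    status = "NON_COMPLIANT" if reason else "COMPLIANT"
    return {"apiId": api["apiId"], "status": status, "reason": reason}


def list_all_apis(client) -> List[Dict[str, Any]]:
    """Follow nextToken so APIs beyond the first page are not silently skipped."""
    apis, token = [], None
    while True:
        page = client.list_graphql_apis(**({"nextToken": token} if token else {}))
        apis.extend(page.get("graphqlApis", []))
        token = page.get("nextToken")
        if not token:
            return apis


def remediate(client, api: Dict[str, Any], role_arn: str, level: str = "ALL") -> Dict[str, Any]:
    """update_graphql_api requires apiId, name and authenticationType; reuse the
    existing values so the update only touches the logging configuration."""
    return client.update_graphql_api(
        apiId=api["apiId"], name=api["name"], authenticationType=api["authenticationType"],
        logConfig={"cloudWatchLogsRoleArn": role_arn, "fieldLogLevel": level,
                   "excludeVerboseContent": False})
```

With boto3.client('appsync') as the client, run evaluate_api over list_all_apis(client) and call remediate for each entry reported NON_COMPLIANT. excludeVerboseContent is left False so request headers and context are logged; set it to True if those fields carry secrets you do not want in CloudWatch.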