AppSync API Should Have Logging Enabled.
More Info:
Checks if an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or ‘fieldLogLevel’ is neither ERROR nor ALL.
Risk Level
Medium
Address
Monitoring
Compliance Standards
GDPR,HIPAA,ISO27001,SEBI
Triage and Remediation
Check Cause
- Sign in to the AWS Management Console.
- Navigate to the AWS AppSync service by typing ‘AppSync’ in the search bar and selecting it from the dropdown menu.
- In the AppSync dashboard, you will see a list of all your APIs. Select the API you want to check.
- In the settings of the selected API, look for the 'Logging' section. If logging is enabled, you will see the details of the logging configuration, such as the field resolver log level and the CloudWatch Logs role ARN. If this section is not present or it says that logging is disabled, then the AppSync API does not have logging enabled. Note that the check also fails when logging is switched on but the field resolver log level is set to None: the rule requires the level to be Error or All.
- First, you need to install and configure the AWS CLI on your local machine by following the instructions provided by AWS. Make sure the identity you use has the permissions needed to list and describe AppSync APIs.
- Once the AWS CLI is set up, you can list all the AppSync APIs using the following command:
aws appsync list-graphql-apis --region your-region
Replace 'your-region' with the region where your APIs are located. This command returns a list of all the AppSync APIs in the specified region; note that AppSync is a regional service, so repeat it for every region you use.
- To check the logging configuration of an API, describe it using the following command:
aws appsync get-graphql-api --api-id your-api-id --region your-region
Replace 'your-api-id' with the ID of the API you want to check and 'your-region' with the region where your API is located. This command returns the details of the specified API.
- In the output of the above command, the API details are nested under the 'graphqlApi' key. Look for its 'logConfig' field. Logging is enabled for the API only when 'logConfig' is present, 'cloudWatchLogsRoleArn' is set, and 'fieldLogLevel' is ERROR or ALL. If 'logConfig' is absent, the role ARN is missing, or 'fieldLogLevel' is NONE, the API does not meet this check.
- Install and configure the AWS SDK for Python (Boto3): before you can write Python scripts to detect this misconfiguration, you need to install and configure Boto3. You can install it using pip:
pip install boto3
Then configure your AWS credentials so that Boto3 can communicate with AWS services:
aws configure
You'll be prompted for your AWS Access Key ID and Secret Access Key (which you can create in the IAM section of the AWS Management Console), plus a default region and output format. Boto3 also picks up credentials from environment variables or an assumed role, which is preferable to long-lived keys on an audit workstation.
- Import the necessary libraries and establish a client connection: in your Python script, import Boto3 and create a client for AWS AppSync. Here's how you can do it:
```python
import boto3

client = boto3.client('appsync')
```
- List all AppSync APIs and check their logging status: use the list_graphql_apis method to get a list of all AppSync APIs, then inspect the logConfig field of each API. Logging counts as enabled only when cloudWatchLogsRoleArn is set and fieldLogLevel is ERROR or ALL; a fieldLogLevel of NONE means field-level logging is switched off even though logConfig is present. Here's a sample script:
```python
import boto3

client = boto3.client('appsync')
response = client.list_graphql_apis()

for api in response['graphqlApis']:
    log_config = api.get('logConfig')
    if not log_config:
        # No logConfig at all: logging is disabled for this API
        print(f"Logging is not enabled for API: {api['name']}")
    elif log_config.get('cloudWatchLogsRoleArn') and log_config.get('fieldLogLevel') in ('ERROR', 'ALL'):
        print(f"Logging is enabled for API: {api['name']}")
    else:
        # Role ARN missing or fieldLogLevel is NONE: does not satisfy the rule
        print(f"Logging is not fully enabled for API: {api['name']}")
```
- Handle pagination: the list_graphql_apis method returns a maximum of 25 APIs per call. If you have more than 25 APIs, you need to follow the nextToken field in the response, which the Boto3 paginator does for you:
```python
import boto3

client = boto3.client('appsync')
paginator = client.get_paginator('list_graphql_apis')

# paginate() follows nextToken until every page has been returned
for page in paginator.paginate():
    for api in page['graphqlApis']:
        log_config = api.get('logConfig')
        if not log_config:
            print(f"Logging is not enabled for API: {api['name']}")
        elif log_config.get('cloudWatchLogsRoleArn') and log_config.get('fieldLogLevel') in ('ERROR', 'ALL'):
            print(f"Logging is enabled for API: {api['name']}")
        else:
            print(f"Logging is not fully enabled for API: {api['name']}")
```
This script will print out the names of all APIs and whether logging is enabled for each one.
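The CLI and Boto3 steps above both end with the same judgement call: reading a GraphqlApi record and deciding whether it satisfies the rule. The following added example (not code from the original page or from AWS) factors that judgement into a pure function that applies the rule exactly as stated in the description (NON_COMPLIANT when logConfig is absent, the CloudWatch Logs role is missing, or fieldLogLevel is neither ERROR nor ALL), runs it over constructed sample records so it can be exercised offline, and drives it from the Boto3 paginator only when a real client is handed in. The record shapes mirror what `list_graphql_apis` and `get-graphql-api` return; the API IDs, names and role ARN in the sample data are made up.

```python
"""Offline evaluator for the 'AppSync API should have logging enabled' check.

Added example, not part of the original page. Applies the rule as stated
above to GraphqlApi records in the shape returned by `aws appsync
get-graphql-api` / boto3 `list_graphql_apis`. The sample records below are
constructed for illustration; nothing here contacts AWS unless a live
client is passed in (see the --live flag at the bottom).
"""
from __future__ import annotations

# fieldLogLevel values that satisfy the rule; NONE does not.
COMPLIANT_LEVELS = {"ERROR", "ALL"}


def evaluate_log_config(api: dict) -> tuple[str, str]:
    """Return (status, reason) for one GraphqlApi record.

    status is 'COMPLIANT' or 'NON_COMPLIANT'. A logConfig whose
    fieldLogLevel is NONE counts as logging disabled even though the
    key is present, which a bare `'logConfig' in api` test would miss.
    """
    cfg = api.get("logConfig")
    if not cfg:
        return "NON_COMPLIANT", "no logConfig (logging disabled)"
    role = cfg.get("cloudWatchLogsRoleArn")
    level = cfg.get("fieldLogLevel")
    if not role:
        return "NON_COMPLIANT", "cloudWatchLogsRoleArn missing"
    if level not in COMPLIANT_LEVELS:
        return "NON_COMPLIANT", f"fieldLogLevel is {level!r}, need ERROR or ALL"
    return "COMPLIANT", f"fieldLogLevel={level}"


def audit_apis(apis) -> list[dict]:
    """Evaluate an iterable of GraphqlApi records and return one finding each."""
    findings = []
    for api in apis:
        status, reason = evaluate_log_config(api)
        findings.append({
            "apiId": api.get("apiId"),
            "name": api.get("name"),
            "status": status,
            "reason": reason,
        })
    return findings


def iter_graphql_apis(client):
    """Yield every API in the account/region, following nextToken.

    `client` is any object exposing boto3's get_paginator interface, e.g.
    boto3.client('appsync'). It is passed in by the caller so this module
    imports and runs without AWS credentials.
    """
    paginator = client.get_paginator("list_graphql_apis")
    for page in paginator.paginate():
        yield from page.get("graphqlApis", [])


# Constructed sample records (not real AWS output) covering the cases the
# rule distinguishes: enabled at ALL, enabled but at NONE, and no logConfig.
SAMPLE_APIS = [
    {"apiId": "api-a", "name": "orders",
     "logConfig": {"fieldLogLevel": "ALL",
                   "cloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/AppSyncLogs"}},
    {"apiId": "api-b", "name": "catalog",
     "logConfig": {"fieldLogLevel": "NONE",
                   "cloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/AppSyncLogs"}},
    {"apiId": "api-c", "name": "legacy"},
]


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:
        import boto3  # only needed for a real account scan
        records = iter_graphql_apis(boto3.client("appsync"))
    else:
        records = SAMPLE_APIS
    findings = audit_apis(records)
    for f in findings:
        print(f"{f['status']:<14} {f['name']} ({f['apiId']}): {f['reason']}")
    # Non-zero exit lets a CI job or cron wrapper fail on any finding.
    sys.exit(1 if any(f["status"] == "NON_COMPLIANT" for f in findings) else 0)
```

Run it with no arguments to see the three sample verdicts, or with `--live` in a configured environment to scan the current region; as with the CLI steps, AppSync is regional, so loop over regions (or pass `region_name` to `boto3.client`) for a full account picture.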