Snyk Cloud Rules Database

Description

Enabling AWS AppSync GraphQL logging provides visibility into the requests and responses made to the GraphQL API, allowing for better troubleshooting, monitoring, and auditing. Without logging enabled, it becomes difficult to identify and investigate potential security incidents or performance issues. Enabling logging helps in detecting anomalies, unauthorized access attempts, and potential data breaches. It is recommended to enable AWS AppSync GraphQL logging to enhance the security and operational visibility of the application.

How to fix?

Set the log_config[_] attribute in aws_appsync_graphql_api resource to a valid value.

Example configuration:

data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["appsync.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "example-737" {
  name               = "example-737"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

resource "aws_iam_role_policy_attachment" "example-737" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
  role       = aws_iam_role.example-737.name
}

resource "aws_appsync_graphql_api" "Allowed-1" {
  authentication_type = "AWS_IAM"
  name                = "example-iam-737"

  log_config {
    cloudwatch_logs_role_arn = aws_iam_role.example-737.arn
    field_log_level          = "ALL"
  }
}

resource "aws_appsync_graphql_api" "Allowed-2" {
  authentication_type = "API_KEY"
  name                = "example-api-key-737"

  log_config {
    cloudwatch_logs_role_arn = aws_iam_role.example-737.arn
    field_log_level          = "ALL"
  }
}

AWS AppSync GraphQL logging is not enabled Affecting AppSync service in AWS

Severity

Is your environment affected by this misconfiguration?

Description

How to fix?

Terraform