AWS AppSync GraphQL APIs have field-level logging configured at the resolver level. The check looks for log levels of ERROR or ALL to confirm field resolution events are recorded.
Risk
Without field-level logs, resolver access and mutations lack auditability, reducing detection of data exfiltration and tampering (confidentiality and integrity). Limited traces hinder incident response and root-cause analysis, increasing recovery time.
prowler aws --checks appsync_field_level_logging_enabled
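The check logic described above, as an added example written for this page rather than Prowler's own implementation. It evaluates entries shaped like the graphqlApis list returned by the AppSync list_graphql_apis API (sample entries below are constructed), accepts ERROR and ALL as the page states, and additionally fails an API whose level is set but whose CloudWatch Logs role is missing, since no logs are delivered without it.

```python
from dataclasses import dataclass

# Field log levels that count as "field resolution events are recorded".
# Assumption: exactly ERROR and ALL, as the check description states; INFO and
# DEBUG are the more verbose levels and can be added by local policy.
PASSING_LEVELS = frozenset({"ERROR", "ALL"})


@dataclass
class Finding:
    api_id: str
    name: str
    status: str   # "PASS" or "FAIL"
    detail: str


def evaluate_api(api: dict, passing_levels=PASSING_LEVELS) -> Finding:
    """Evaluate one entry from the 'graphqlApis' list of list_graphql_apis."""
    log_config = api.get("logConfig") or {}          # absent when logging was never configured
    level = log_config.get("fieldLogLevel", "NONE")
    role = log_config.get("cloudWatchLogsRoleArn")
    api_id, name = api.get("apiId", "?"), api.get("name", "?")
    if level not in passing_levels:
        return Finding(api_id, name, "FAIL",
                       f"field-level logging is {level}; expected one of {sorted(passing_levels)}")
    if not role:
        # Stricter than the page's rule: the level alone is not enough, AppSync needs a
        # CloudWatch Logs role to deliver the log events.
        return Finding(api_id, name, "FAIL", f"fieldLogLevel is {level} but no cloudWatchLogsRoleArn is set")
    return Finding(api_id, name, "PASS", f"field-level logging is {level}")


def evaluate_all(apis):
    return [evaluate_api(a) for a in apis]


# Constructed sample data (not real APIs); 111122223333 is the AWS documentation example account.
SAMPLE_APIS = [
    {"apiId": "api-a", "name": "orders",
     "logConfig": {"fieldLogLevel": "ERROR", "cloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/appsync-logs"}},
    {"apiId": "api-b", "name": "billing",
     "logConfig": {"fieldLogLevel": "NONE", "cloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/appsync-logs"}},
    {"apiId": "api-c", "name": "inventory"},                                   # logging never configured
    {"apiId": "api-d", "name": "search", "logConfig": {"fieldLogLevel": "ALL"}},  # level set, role missing
]

if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_APIS):
        print(f"{f.status:4} {f.name} ({f.api_id}): {f.detail}")
```

In a real run, feed the function the output of boto3's appsync client list_graphql_apis call, page by page.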
Recommendation
- Enable field-level logging at least at ERROR; raise to INFO/DEBUG/ALL only for troubleshooting.
- Enforce least privilege on the logging role.
- Avoid sensitive data in logs; limit verbose content.
- Set retention and consider log sampling to balance visibility and cost.
Remediation
aws appsync update-graphql-api --api-id <example_resource_id> --name <api-name> --authentication-type AWS_IAM --log-config fieldLogLevel=ERROR,cloudWatchLogsRoleArn=<cloudwatch_logs_role_arn>
Note: --name and --authentication-type are required parameters of update-graphql-api, so pass the API's current values (AWS_IAM above is only an example) or the update will also change the API's authentication mode.
- In the AWS Console, go to AppSync and open your GraphQL API
- Go to Settings > Logging
- Turn on Enable logs
- Set Field resolver log level to ERROR (or ALL)
- Select an IAM role that allows AppSync to write to CloudWatch Logs
- Click Save
Resource Type
AwsAppSyncGraphQLApi
References
- https://theburningmonk.com/2020/09/how-to-sample-appsync-resolver-logs/
- https://lumigo.io/blog/how-to-monitor-and-debug-appsync-apis/
- https://docs.aws.amazon.com/securityhub/latest/userguide/appsync-controls.html#appsync-2
- https://docs.aws.amazon.com/appsync/latest/APIReference/API_LogConfig.html
- https://blog.graphbolt.dev/debugging-aws-appsync-apis-with-cloudwatch
- https://support.icompaas.com/support/solutions/articles/62000233678-ensure-aws-appsync-should-have-field-level-logging-enabled