AWS Step Functions state machines are configured to emit execution logs to CloudWatch Logs via a defined loggingConfiguration with a level set above OFF.
Risk
Without execution logs, workflow failures and anomalies go undetected, increasing MTTR and risking silent data loss. Missing audit trails weaken integrity oversight and complicate forensics, so misuse of the services a workflow invokes can go unnoticed, and the gap in evidence creates compliance findings.
prowler aws --checks stepfunctions_statemachine_logging_enabled
Recommendation
Enable CloudWatch logging on all state machines at an appropriate level (e.g., ERROR or ALL) and send logs to a protected log group. Apply least privilege to log write and read permissions, set a retention period, and leave includeExecutionData disabled unless execution input and output are actually required, since that setting copies potentially sensitive payloads into the logs. Use X-Ray tracing for defense in depth.
Remediation
aws stepfunctions update-state-machine --state-machine-arn <state-machine-arn> --logging-configuration file://logging-config.json
- Open AWS Console > Step Functions > State machines
- Select the state machine and click Edit
- In Logging, enable logging
- Choose an existing CloudWatch Logs log group
- Set Level to Error (or All)
- Save changes
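The check logic described under Risk and the logging-config.json consumed by the remediation command above, as an added example that is not Prowler's own source code. It evaluates a DescribeStateMachine response offline (the sample responses, account id and log group names are constructed) and builds the configuration file; FATAL is included as a passing level because the Step Functions API accepts ALL, ERROR, FATAL and OFF.

```python
import json

# Levels other than OFF accepted by the Step Functions LoggingConfiguration API.
COMPLIANT_LEVELS = {"ALL", "ERROR", "FATAL"}


def evaluate_logging(state_machine: dict) -> tuple[bool, str]:
    """Return (passes, reason) for a DescribeStateMachine response dict.

    A state machine passes only when loggingConfiguration.level is not OFF
    and at least one destination is a CloudWatch Logs log group.
    """
    name = state_machine.get("name", "<unknown>")
    cfg = state_machine.get("loggingConfiguration") or {}
    level = cfg.get("level", "OFF")          # missing block is treated as OFF
    destinations = cfg.get("destinations") or []
    if level == "OFF":
        return False, f"{name}: logging level is OFF"
    if level not in COMPLIANT_LEVELS:
        return False, f"{name}: unexpected logging level {level!r}"
    if not any("cloudWatchLogsLogGroup" in d for d in destinations):
        return False, f"{name}: no CloudWatch Logs destination configured"
    return True, f"{name}: logging enabled at level {level}"


def build_logging_config(log_group_arn: str, level: str = "ERROR",
                         include_execution_data: bool = False) -> str:
    """Build the JSON body for logging-config.json used by update-state-machine."""
    if level not in COMPLIANT_LEVELS:
        raise ValueError(f"level must be one of {sorted(COMPLIANT_LEVELS)}")
    if not log_group_arn.endswith(":*"):
        # Step Functions requires the log group ARN to carry the trailing ':*'.
        raise ValueError("log group ARN must end with ':*'")
    config = {
        "level": level,
        "includeExecutionData": include_execution_data,  # keep False unless payloads are needed
        "destinations": [{"cloudWatchLogsLogGroup": {"logGroupArn": log_group_arn}}],
    }
    return json.dumps(config, indent=2)


# Constructed sample responses; the account id and names are placeholders.
SAMPLE_OFF = {"name": "order-pipeline",
              "loggingConfiguration": {"level": "OFF", "includeExecutionData": False}}
SAMPLE_OK = {"name": "billing-workflow",
             "loggingConfiguration": {"level": "ERROR", "includeExecutionData": False,
                                      "destinations": [{"cloudWatchLogsLogGroup": {"logGroupArn":
                                          "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/states/billing:*"}}]}}

if __name__ == "__main__":
    for sm in (SAMPLE_OFF, SAMPLE_OK):
        passed, reason = evaluate_logging(sm)
        print("PASS" if passed else "FAIL", reason)
    print(build_logging_config("arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/states/order-pipeline:*"))
```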
Resource Type
AwsStepFunctionStateMachine