AppSync logging is not enabled

firetail:aws-appsync-no-logging

Type:

CSPM

Rule Severity:

Low

The AppSync GraphQL API does not have logging enabled.

Without logging, request and response data and resolver errors are not recorded, which makes the API harder to monitor and troubleshoot. It also limits visibility into malicious activity and unauthorized access attempts: AppSync GraphQL requests are data-plane traffic, so nothing else in the account records them by default.

Enabling logging helps with:

  • Tracking user activity: logs show who is making requests and which fields and data they access.
  • Error diagnosis: request, resolver and response logs are the main tool for identifying and diagnosing issues in the API.
  • Security monitoring: logs make it possible to detect suspicious or anomalous activity, such as unauthorized access attempts or misconfigured resolvers and authorization rules.

Remediation

Enable logging for the AppSync GraphQL API: give the API a log configuration with a CloudWatch Logs service role that AppSync can assume (the managed policy AWSAppSyncPushToCloudWatchLogs grants the required permissions) and a field log level other than NONE. ERROR records failed requests and resolver errors; ALL additionally records every field resolution and is considerably more verbose. Leave excludeVerboseContent set to true unless you need request headers, context and evaluated resolver payloads in the logs, since those sections can contain tokens and sensitive data. AppSync writes to the log group /aws/appsync/apis/<api-id>; set a retention policy on it so the logs are kept long enough for incident investigation.

Example Attack Scenario

An attacker attempts to exploit an AppSync GraphQL API that does not have logging enabled. They send a series of unauthorized requests in an attempt to access sensitive user data. Because logging is not enabled, there is no record of these requests in CloudWatch Logs, and CloudTrail does not help either: it records control-plane calls such as UpdateGraphqlApi, not the GraphQL queries themselves. The API owner therefore remains unaware of the malicious activity.

  • Exploiting the API: the attacker may use techniques such as brute-forcing or input injection to retrieve data they should not be able to access.
  • Lack of visibility: without logging, these repeated attempts go unnoticed, and the attacker may succeed in reading or manipulating user data or escalating privileges.
  • Delayed detection: the intrusion is only discovered, if at all, once its effects surface elsewhere. Had logging been enabled, the unauthorized requests would have been captured and the security team could have detected and mitigated the attack before significant damage was done.

In this scenario, disabled AppSync logging means there is no easy way to track abnormal or malicious API usage, which slows incident response or prevents incidents from being identified at all.

How to Identify with Example Scenario

Inspect the API's log configuration, for example in the output of aws appsync get-graphql-api --api-id <api-id> or aws appsync list-graphql-apis. Logging is disabled when the graphqlApi object has no logConfig at all, or when logConfig.fieldLogLevel is NONE. A logConfig without a cloudWatchLogsRoleArn is also ineffective, because AppSync cannot write to CloudWatch Logs without a role to assume. The finding is raised for any API in one of these states.

How to Resolve with Example Scenario

Update the API with a log configuration, for example with aws appsync update-graphql-api --api-id <api-id> --name <name> --log-config fieldLogLevel=ERROR,cloudWatchLogsRoleArn=<role-arn>,excludeVerboseContent=true, where <role-arn> is a role that AppSync can assume and that may write to CloudWatch Logs. The same three settings (fieldLogLevel, cloudWatchLogsRoleArn, excludeVerboseContent) are exposed as the LogConfig property in CloudFormation and as log_config in Terraform, so the fix can be applied in infrastructure code rather than by hand. Confirm the change by re-running get-graphql-api and by checking that the log group /aws/appsync/apis/<api-id> starts receiving events.
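The identification check and the remediation above, as a worked example added here (this is not FireTail's scanner or AWS code). It evaluates constructed samples shaped like the graphqlApi objects that aws appsync list-graphql-apis returns, flags APIs whose logConfig is missing, set to NONE or lacking a logs role, and builds the aws appsync update-graphql-api command that enables logging. The API IDs, names, account ID and role name are placeholders, and the script uses only the standard library so it runs offline.

```python
"""Find AppSync APIs without logging and emit the CLI remediation.

Added example for this finding page, not FireTail's scanner or AWS code.
The samples below are constructed to match the shape of the `graphqlApis`
array returned by `aws appsync list-graphql-apis`; IDs, names and ARNs
are placeholders.
"""
import json
import shlex

# fieldLogLevel values that mean "no request/response logging".
DISABLED_LEVELS = {"NONE"}

# Constructed sample response (placeholder IDs, account and role).
SAMPLE_LIST_RESPONSE = json.dumps({
    "graphqlApis": [
        {   # no logConfig at all -> finding
            "apiId": "abc123", "name": "orders-api",
            "authenticationType": "API_KEY",
        },
        {   # logConfig present but level NONE -> finding
            "apiId": "def456", "name": "users-api",
            "authenticationType": "AWS_IAM",
            "logConfig": {
                "fieldLogLevel": "NONE",
                "cloudWatchLogsRoleArn":
                    "arn:aws:iam::123456789012:role/AppSyncLogsRole",
                "excludeVerboseContent": False,
            },
        },
        {   # ERROR level with a logs role -> compliant
            "apiId": "ghi789", "name": "inventory-api",
            "authenticationType": "AWS_IAM",
            "logConfig": {
                "fieldLogLevel": "ERROR",
                "cloudWatchLogsRoleArn":
                    "arn:aws:iam::123456789012:role/AppSyncLogsRole",
                "excludeVerboseContent": True,
            },
        },
    ]
})


def logging_enabled(api: dict) -> bool:
    """True when the API has a log level other than NONE and a logs role.

    Without cloudWatchLogsRoleArn AppSync has nothing to assume when
    writing to CloudWatch Logs, so a level alone is not enough.
    """
    cfg = api.get("logConfig") or {}
    level = cfg.get("fieldLogLevel", "NONE")
    return level not in DISABLED_LEVELS and bool(cfg.get("cloudWatchLogsRoleArn"))


def find_unlogged_apis(list_response: str) -> list:
    """Return the graphqlApi objects that trigger aws-appsync-no-logging."""
    apis = json.loads(list_response).get("graphqlApis", [])
    return [api for api in apis if not logging_enabled(api)]


def remediation_command(api: dict, role_arn: str, level: str = "ERROR") -> str:
    """Build the `aws appsync update-graphql-api` call that enables logging.

    excludeVerboseContent=true keeps headers, context and evaluated resolver
    payloads (which can carry tokens and PII) out of the log group.  ERROR
    is the default here; pass level="ALL" for per-field tracing.
    """
    if level in DISABLED_LEVELS:
        raise ValueError("level must enable logging, got %r" % level)
    log_config = (
        f"fieldLogLevel={level},cloudWatchLogsRoleArn={role_arn},"
        "excludeVerboseContent=true"
    )
    # --name and --authentication-type are taken from the existing API so
    # the update does not change anything except the log configuration.
    return " ".join([
        "aws appsync update-graphql-api",
        "--api-id", shlex.quote(api["apiId"]),
        "--name", shlex.quote(api["name"]),
        "--authentication-type", shlex.quote(api["authenticationType"]),
        "--log-config", shlex.quote(log_config),
    ])


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/AppSyncLogsRole"  # placeholder
    for api in find_unlogged_apis(SAMPLE_LIST_RESPONSE):
        print(f"firetail:aws-appsync-no-logging  {api['apiId']} ({api['name']})")
        print("  fix:", remediation_command(api, role))
```

Run it against the real account by replacing SAMPLE_LIST_RESPONSE with the output of aws appsync list-graphql-apis; the generated commands still need a role that trusts appsync.amazonaws.com and has permission to create and write to the /aws/appsync/apis/<api-id> log group.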