Compliance · Medium severity

AWS Security Hub · AppSync

AppSync.2: AppSync should have field-level logging

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub AppSync.2 check?

AppSync.2 fails when an AppSync GraphQL API has its field log level set to NONE, or has no log configuration at all. The control passes when fieldLogLevel is ERROR or ALL. At ERROR, AppSync records the error section of the response plus the resolved request and response for the fields that failed; at ALL, it records tracing and the resolved request and response for every field in the query. Either way the entries land in the CloudWatch log group /aws/appsync/apis/<api-id>, written through an IAM role named in the API's own log config.

Why does AppSync.2 matter?

GraphQL returns HTTP 200 even when individual fields fail, so a single misbehaving resolver shows up only as an entry in the response's errors array while the front door looks healthy. With the log level at NONE there is no server-side record of which resolver failed, what it sent to its data source, or what came back. One fintech spent four hours hand-bisecting resolvers during a Black Friday incident purely because field-level logs were off.

How do I fix AppSync.2?

  1. Create (or locate) an IAM role that trusts appsync.amazonaws.com and carries the AWSAppSyncPushToCloudWatchLogs managed policy. Unlike API Gateway, AppSync takes this role per API in its log config, not from an account-level setting.
  2. Set fieldLogLevel to ERROR (or ALL) with update-graphql-api. That call also requires the API's current name and authentication type, so read them back first rather than retyping them; a wrong authentication type silently changes who can call the API.
  3. Keep excludeVerboseContent set to true unless you are actively debugging, so request headers, context and evaluated mapping templates stay out of the logs.
  4. Enforce the setting fleet-wide through IaC (a log_config block on every aws_appsync_graphql_api in Terraform, or LogConfig on every AWS::AppSync::GraphQLApi in CloudFormation) so new APIs land compliant.

Remediation script · bash

# Prerequisite: AppSync writes logs through a role you name in each API's log config
# (there is no account-level logging role as with API Gateway). Create it once per account.
set -euo pipefail
ROLE_NAME=AppSyncCloudWatchLogs
aws iam create-role --role-name "$ROLE_NAME" \
  --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"appsync.amazonaws.com"},"Action":"sts:AssumeRole"}]}' \
  2>/dev/null || true   # already exists on a second run
aws iam attach-role-policy --role-name "$ROLE_NAME" \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs
ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text)

# Enable ERROR-level field logging on one API. update-graphql-api requires the current
# name and authentication type, so read them back (tab-separated, names may contain spaces).
API_ID=abcdefghijklmnopqrstuvwxyz   # placeholder: the 26-character AppSync API ID
IFS=$'\t' read -r NAME AUTH < <(aws appsync get-graphql-api --api-id "$API_ID" \
  --query '[graphqlApi.name, graphqlApi.authenticationType]' --output text)
# If AUTH is AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT or AWS_LAMBDA, the matching
# --user-pool-config / --open-id-connect-config / --lambda-authorizer-config must be passed too.
aws appsync update-graphql-api --api-id "$API_ID" --name "$NAME" --authentication-type "$AUTH" \
  --log-config "fieldLogLevel=ERROR,cloudWatchLogsRoleArn=${ROLE_ARN},excludeVerboseContent=true"

# Verify exactly what Security Hub will evaluate.
aws appsync get-graphql-api --api-id "$API_ID" --query 'graphqlApi.logConfig'

# Cap retention on the log group so storage stays bounded (do this every time you enable logging).
LOG_GROUP="/aws/appsync/apis/${API_ID}"
aws logs create-log-group --log-group-name "$LOG_GROUP" 2>/dev/null || true
aws logs put-retention-policy --log-group-name "$LOG_GROUP" --retention-in-days 90
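The script above fixes one API. For step 4, the fleet-wide sweep, the following is an added example (not Emnode's or AWS's code) that evaluates a list of APIs the way the control does and builds the update call for each failing one without altering its authentication. Dictionary keys follow the boto3 appsync client (list_graphql_apis output, update_graphql_api input); the API listing, account ID and role ARN are constructed so the module runs offline, and carrying over the auth-specific config blocks is a conservative assumption that UpdateGraphqlApi replaces those fields rather than merging them.

```python
"""Fleet audit for Security Hub AppSync.2 (added example, not the page's own code).

Keys mirror the boto3 appsync client: the dicts below have the shape of the
'graphqlApis' entries returned by list_graphql_apis, and build_update_params
returns kwargs for update_graphql_api. SAMPLE_APIS is constructed test data.
"""

PASSING_LEVELS = {"ERROR", "ALL"}

# Authentication types whose matching config block update_graphql_api requires.
REQUIRED_AUTH_CONFIG = {
    "AMAZON_COGNITO_USER_POOLS": "userPoolConfig",
    "OPENID_CONNECT": "openIDConnectConfig",
    "AWS_LAMBDA": "lambdaAuthorizerConfig",
}


def is_compliant(api):
    """AppSync.2 passes only when fieldLogLevel is ERROR or ALL.

    A missing logConfig, or a logConfig without fieldLogLevel, counts as NONE."""
    level = (api.get("logConfig") or {}).get("fieldLogLevel", "NONE")
    return level in PASSING_LEVELS


def find_noncompliant(apis):
    """apiIds of every API in a listing page that fails the control."""
    return [api["apiId"] for api in apis if not is_compliant(api)]


def build_update_params(api, role_arn, level="ERROR", exclude_verbose=True):
    """Kwargs for update_graphql_api that turn logging on without touching auth.

    name and authenticationType are mandatory on that call. The auth-specific
    config block, additionalAuthenticationProviders and xrayEnabled are carried
    over (assumption: the update replaces them) so enabling logs cannot
    silently change how callers authenticate."""
    if level not in PASSING_LEVELS:
        raise ValueError(f"{level!r} would leave the API failing AppSync.2")
    auth = api["authenticationType"]
    params = {
        "apiId": api["apiId"],
        "name": api["name"],
        "authenticationType": auth,
        "logConfig": {
            "fieldLogLevel": level,
            "cloudWatchLogsRoleArn": role_arn,
            "excludeVerboseContent": exclude_verbose,
        },
    }
    needed = REQUIRED_AUTH_CONFIG.get(auth)
    if needed:
        if needed not in api:
            raise ValueError(f"{api['apiId']} uses {auth} but has no {needed}")
        params[needed] = api[needed]
    for key in ("additionalAuthenticationProviders", "xrayEnabled"):
        if key in api:
            params[key] = api[key]
    return params


def plan(apis, role_arn):
    """Dry run: one update parameter set per failing API, ready for
    client.update_graphql_api(**params)."""
    return [build_update_params(api, role_arn) for api in apis if not is_compliant(api)]


# Constructed sample listing: one API logging at NONE, one with no logConfig at
# all (Cognito-authenticated), one already compliant. Account ID and ARNs are fake.
ROLE_ARN = "arn:aws:iam::123456789012:role/AppSyncCloudWatchLogs"
SAMPLE_APIS = [
    {"apiId": "api-orders", "name": "orders", "authenticationType": "API_KEY",
     "logConfig": {"fieldLogLevel": "NONE",
                   "cloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/old",
                   "excludeVerboseContent": False}},
    {"apiId": "api-accounts", "name": "accounts",
     "authenticationType": "AMAZON_COGNITO_USER_POOLS",
     "userPoolConfig": {"userPoolId": "us-east-1_EXAMPLE", "awsRegion": "us-east-1",
                        "defaultAction": "DENY"}},
    {"apiId": "api-search", "name": "search", "authenticationType": "AWS_IAM",
     "logConfig": {"fieldLogLevel": "ERROR", "cloudWatchLogsRoleArn": ROLE_ARN,
                   "excludeVerboseContent": True}},
]

if __name__ == "__main__":
    import json
    print("failing:", find_noncompliant(SAMPLE_APIS))
    for params in plan(SAMPLE_APIS, ROLE_ARN):
        print(json.dumps(params, indent=2))
```

In a real run, feed `plan()` the concatenated `graphqlApis` pages from `list_graphql_apis` and pass each result to `update_graphql_api`; the ValueError paths are deliberate so a malformed entry stops the sweep instead of being updated with an incomplete authentication config.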

Full walkthrough (console steps, edge cases and verification) in the lesson Enable application and API logging.

Part of the learning path: See what's happening
  • AppSync.5 An AppSync GraphQL API is authenticated with API keys