Compliance Medium severity

AWS Security Hub · StepFunctions

StepFunctions.1: State machines should have logging on

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub StepFunctions.1 check?

StepFunctions.1 checks that a Step Functions state machine has logging enabled. It reports FAILED when a state machine has no LoggingConfiguration, which is the default for Standard workflows.

Why does StepFunctions.1 matter?

Without logging, a state machine runs dark — when an execution fails or behaves unexpectedly there is no record of which state transitioned where or with what payload, making incident investigation guesswork. Logging to CloudWatch gives you the execution history you need to debug and audit.

How do I fix StepFunctions.1?

  1. Audit which state machines have no LoggingConfiguration.
  2. Choose a log level — ALL for full visibility, or ERROR/FATAL to capture only failures and reduce volume.
  3. Grant the state machine's execution role the CloudWatch Logs delivery permissions it needs.
  4. Enable logging with an update-state-machine call; the update applies to new executions and does not interrupt those already running.
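The four steps above for a single state machine, as an added example that is not Emnode's remediation script: it evaluates describe-state-machine output the way the control does, builds the LoggingConfiguration and the execution-role policy, and applies the update through boto3. The account id, state machine name and log group name are constructed placeholders; the action list is the set AWS documents for delivering Step Functions history to CloudWatch Logs.

```python
"""Audit and remediate StepFunctions.1 for one state machine (added example)."""
import json

# Actions AWS documents for a state machine role that writes execution history to CloudWatch Logs.
LOG_DELIVERY_ACTIONS = [
    "logs:CreateLogDelivery", "logs:CreateLogStream", "logs:GetLogDelivery",
    "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries",
    "logs:PutLogEvents", "logs:PutResourcePolicy", "logs:DescribeResourcePolicies",
    "logs:DescribeLogGroups",
]

def is_compliant(described):
    """Mirror the control: FAILED when logging is OFF (the Standard default) or has no destination."""
    cfg = described.get("loggingConfiguration") or {}
    return cfg.get("level", "OFF") != "OFF" and bool(cfg.get("destinations"))

def logging_configuration(log_group_arn, level="ERROR", include_execution_data=False):
    """Step 2: build the LoggingConfiguration passed to update-state-machine.
    includeExecutionData=True writes state input/output payloads to the log, so leave it off
    unless the log group is protected like the data itself."""
    if level not in ("ALL", "ERROR", "FATAL"):
        raise ValueError("level must be ALL, ERROR or FATAL")
    if not log_group_arn.endswith(":*"):  # Step Functions requires the ':*' suffix on the log group ARN
        raise ValueError("log group ARN must end with ':*'")
    return {"level": level, "includeExecutionData": include_execution_data,
            "destinations": [{"cloudWatchLogsLogGroup": {"logGroupArn": log_group_arn}}]}

def execution_role_policy():
    """Step 3: inline policy for the execution role (Resource '*' as in the AWS documentation)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": LOG_DELIVERY_ACTIONS, "Resource": "*"}]}

def remediate(state_machine_arn, log_group_arn, level="ERROR", client=None):
    """Steps 1 and 4: describe, skip machines that already pass, otherwise enable logging."""
    if client is None:
        import boto3  # only needed for the live call; tests inject a stub client
        client = boto3.client("stepfunctions")
    if is_compliant(client.describe_state_machine(stateMachineArn=state_machine_arn)):
        return "PASSED"
    client.update_state_machine(stateMachineArn=state_machine_arn,
                                loggingConfiguration=logging_configuration(log_group_arn, level))
    return "REMEDIATED"

# Constructed describe-state-machine output for a Standard workflow left at its default.
SAMPLE_DEFAULT = {"stateMachineArn": "arn:aws:states:us-east-1:111122223333:stateMachine:example",
                  "type": "STANDARD", "loggingConfiguration": {"level": "OFF", "includeExecutionData": False}}
# Log groups under /aws/vendedlogs/ avoid the CloudWatch Logs resource-policy size limit.
SAMPLE_LOG_GROUP = "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/states/example:*"

if __name__ == "__main__":
    print("StepFunctions.1:", "PASSED" if is_compliant(SAMPLE_DEFAULT) else "FAILED")
    print(json.dumps(logging_configuration(SAMPLE_LOG_GROUP), indent=2))
```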

Remediation script · bash

# Verify the prerequisite first: API Gateway's account-level CloudWatch role.
# Without it, the logging setting saves but no logs ever flow.
aws apigateway get-account --query 'cloudwatchRoleArn' --output text

# Enable ERROR-level execution logging on every stage of a REST API.
REST_API=a1b2c3d4e5
for STAGE in $(aws apigateway get-stages --rest-api-id "$REST_API" \
  --query 'item[].stageName' --output text); do
  aws apigateway update-stage --rest-api-id "$REST_API" --stage-name "$STAGE" \
    --patch-operations op=replace,path=/*/*/logging/loglevel,value=ERROR

  # Cap retention on each stage's log group so storage stays bounded (do this every time you enable logging).
  # The group is created by the first logged request, so rerun this for stages that have had no traffic yet.
  aws logs put-retention-policy \
    --log-group-name "API-Gateway-Execution-Logs_${REST_API}/${STAGE}" \
    --retention-in-days 90
done

# Example for a managed database: publish engine logs to CloudWatch (no per-event charge).
aws rds modify-db-instance --db-instance-identifier prod-db \
  --cloudwatch-logs-export-configuration 'EnableLogTypes=["error","audit"]' --apply-immediately

Full walkthrough (console steps, edge cases and verification) in the lesson Enable application and API logging.