Profile Applicability:

  • Level 1

Description:

AWS AppSync is a managed GraphQL service: each field in the API's schema is served by a resolver that calls a data source such as DynamoDB, Lambda or an HTTP endpoint. AppSync can send two kinds of logs to Amazon CloudWatch Logs. Request-level logs record one summary per GraphQL request. Field-level logs record each resolver invocation for an individual GraphQL field, including the parent type, field name and path within the query, and, unless verbose content is excluded, the request headers, resolver context and the evaluated request and response mapping templates. The field log level can be NONE (no field entries), ERROR (field entries only for fields whose resolution fails) or ALL (an entry for every resolved field).

By enabling field-level logging, organizations gain visibility into which fields were read or mutated in each request. This is the data needed to audit access to fields that carry sensitive values, to troubleshoot resolver behaviour and to support compliance monitoring.

Rationale:

Enabling field-level logging for AWS AppSync provides the following benefits:

  • Security: Every resolved field is recorded with its parent type, field name, path and request ID, so access to fields holding sensitive data (for example PII) can be reviewed and alerted on, and bulk reads or unexpected mutations of those fields can be detected.

  • Compliance: Supports monitoring and audit requirements for API usage under regimes such as GDPR, HIPAA and SOC 2 by producing a per-field access trail.

  • Operational Monitoring: Field-level traces and errors in CloudWatch make it easier to debug resolver failures and to check that observed data access matches what the application is expected to do.

  • Granular Logging: Request-level logs show only that a request occurred; field-level logs show which fields it touched, giving finer visibility into how the API is actually used.

Impact:

Pros:

  • Improved Security: Produces a record of which API fields were resolved in each request, so unauthorized or unexpected access to sensitive fields can be detected and investigated. Logging does not itself block access; authorization must still be enforced in the schema and resolvers.

  • Better Troubleshooting: Field-level logs help identify and fix issues quickly by pinpointing which GraphQL fields were involved in a request.

  • Compliance: Meets auditing and compliance requirements by providing a detailed log trail of data access, mutations, and queries.

  • Enhanced Visibility: Provides visibility into how data is accessed or mutated at the field level, which is especially useful in multi-service architectures.

Cons:

  • Performance Overhead: Enabling field-level logging at level ALL adds work per resolved field and may add latency, especially under high-volume traffic.

  • Cost: Logging every field increases the volume ingested into and stored in CloudWatch Logs, which raises CloudWatch costs; a list query that resolves a field on each of hundreds of items produces hundreds of entries.

  • Complexity: The logs become harder to read and parse when there are large numbers of requests or deeply nested queries.

  • Sensitive Data in Logs: At level ALL with verbose content included, entries contain request headers, resolver context and evaluated template inputs and outputs, which can include the very data the control is meant to protect. Restrict access to the log group, encrypt it with a customer managed KMS key where required, and set excludeVerboseContent to true unless the verbose sections are needed.

Default Value:

A newly created AWS AppSync API has no logging configuration: the API's logConfig is absent, and no request-level or field-level logs are sent to CloudWatch. Field-level logging must be explicitly enabled (field log level ALL) together with an IAM role that AppSync can assume to write to CloudWatch Logs.

Pre-requisite:

  • AWS IAM Permissions for the principal performing the audit and the change:

    • appsync:GetGraphqlApi and appsync:ListGraphqlApis (read the logging configuration)

    • appsync:UpdateGraphqlApi (change it)

    • iam:PassRole on the CloudWatch Logs role, because update-graphql-api passes that role's ARN to AppSync

  • A CloudWatch Logs service role that AppSync can assume. Its trust policy must allow the appsync.amazonaws.com service principal, and its permission policy must grant logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents (the AWS managed policy AWSAppSyncPushToCloudWatchLogs grants these). AppSync writes to the log group /aws/appsync/apis/<api-id>.

  • AWS CLI installed and configured.

  • AWS AppSync and the relevant GraphQL APIs already set up.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS AppSync under Services.

  3. Select the GraphQL API you want to audit.

  4. Open Settings and locate the Logging section.

  5. Check that logging is enabled and that the field resolver log level is ALL. If logging is disabled, or the level is NONE or ERROR, the API is non-compliant; enable it as described under Implementation Steps. Note also whether verbose content is included; including it is not required for compliance and makes the logs more sensitive.

  6. Repeat for every API in every region in use.

  7. Verify that the log group /aws/appsync/apis/<api-id> in CloudWatch Logs receives field-level entries after a test query or mutation against the API.

Using AWS CLI:

To check the logging configuration of a GraphQL API, run the following for each API ID returned by aws appsync list-graphql-apis (repeat in every region in use):

aws appsync get-graphql-api --api-id <api-id> --query 'graphqlApi.logConfig'

A compliant API returns a logConfig whose fieldLogLevel is ALL and whose cloudWatchLogsRoleArn names a role AppSync can assume. A null result means logging has never been configured; a fieldLogLevel of NONE or ERROR means field-level logging is not fully enabled.

To enable field-level logging, run the following command. update-graphql-api replaces the API's settings, so re-supply the existing name and authentication type (and any authentication provider settings returned by get-graphql-api) to avoid resetting them:

aws appsync update-graphql-api --api-id <api-id> --name <api-name> --authentication-type <current-auth-type> --log-config '{
  "cloudWatchLogsRoleArn": "arn:aws:iam::<account-id>:role/<role-name>",
  "fieldLogLevel": "ALL",
  "excludeVerboseContent": true
}'

Set excludeVerboseContent to false only when the request headers, resolver context and evaluated template content are needed for troubleshooting, since they can contain the sensitive data the logging is meant to protect.

Verify that field-level logging has been enabled by running:

aws appsync get-graphql-api --api-id <api-id> --query 'graphqlApi.logConfig'

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to AWS AppSync.

  2. Select the GraphQL API you want to configure, or create a new one.

  3. Open Settings and locate the Logging section.

  4. Enable logging and set the field resolver log level to ALL. Leave verbose content excluded unless the request headers, resolver context and evaluated templates are needed for troubleshooting.

  5. Create or select a CloudWatch Logs role that AppSync can assume (trusting appsync.amazonaws.com and allowing logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents).

  6. Save the changes, then confirm that the log group /aws/appsync/apis/<api-id> receives field-level entries after a test request.

Using AWS CLI:

To update the GraphQL API to enable field-level logging, run the following, re-supplying the API's existing name and authentication type (and any authentication provider settings returned by get-graphql-api) so that update-graphql-api does not reset them:

aws appsync update-graphql-api --api-id <api-id> --name <api-name> --authentication-type <current-auth-type> --log-config '{
  "cloudWatchLogsRoleArn": "arn:aws:iam::<account-id>:role/<role-name>",
  "fieldLogLevel": "ALL",
  "excludeVerboseContent": true
}'

To verify the change (fieldLogLevel should be ALL and cloudWatchLogsRoleArn non-empty):

aws appsync get-graphql-api --api-id <api-id> --query 'graphqlApi.logConfig'
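The Test Plan, Implementation Steps and Pre-requisite sections above describe three pieces that are easy to get subtly wrong by hand: judging whether an API's logConfig is compliant, building the --log-config payload, and writing the role that AppSync assumes. The following is an added example, not code from AWS or from this benchmark, that does all three over the logConfig structure returned by get-graphql-api / list-graphql-apis. The account ID, region, role name and API IDs are constructed placeholders; boto3 is optional and the script falls back to embedded sample data when it is not available.

```python
"""Audit and remediation helper for AppSync field-level logging (added example)."""
import json

REQUIRED_FIELD_LOG_LEVEL = "ALL"   # assumption: the level this benchmark targets


def evaluate_log_config(api):
    """Return a list of findings for one GraphqlApi dict; [] means compliant."""
    findings = []
    cfg = api.get("logConfig")
    if not cfg:
        return ["logging not configured (logConfig absent)"]
    level = cfg.get("fieldLogLevel", "NONE")
    if level != REQUIRED_FIELD_LOG_LEVEL:
        findings.append(f"fieldLogLevel is {level}, expected {REQUIRED_FIELD_LOG_LEVEL}")
    if not cfg.get("cloudWatchLogsRoleArn"):
        findings.append("cloudWatchLogsRoleArn is empty; AppSync cannot write to CloudWatch Logs")
    # Verbose content (headers, resolver context, evaluated templates) is logged
    # unless excluded, and can contain the data the control is meant to protect.
    if not cfg.get("excludeVerboseContent", False):
        findings.append("excludeVerboseContent is false; headers and resolver payloads will be logged")
    return findings


def audit_apis(apis):
    """Map apiId -> findings for every non-compliant API in a list-graphql-apis result."""
    result = {}
    for api in apis:
        findings = evaluate_log_config(api)
        if findings:
            result[api["apiId"]] = findings
    return result


def build_log_config(role_arn, exclude_verbose=True):
    """JSON for `aws appsync update-graphql-api --log-config` (boto3: logConfig=...)."""
    return json.dumps({
        "cloudWatchLogsRoleArn": role_arn,
        "fieldLogLevel": REQUIRED_FIELD_LOG_LEVEL,
        "excludeVerboseContent": exclude_verbose,
    })


def cloudwatch_logs_role_documents(region, account_id):
    """Trust policy and permission policy for the role AppSync assumes.
    AppSync writes to log groups named /aws/appsync/apis/<api-id>, so the
    permission policy is scoped to that prefix instead of Resource "*"."""
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "appsync.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": [
                f"arn:aws:logs:{region}:{account_id}:log-group:/aws/appsync/apis/*",
                f"arn:aws:logs:{region}:{account_id}:log-group:/aws/appsync/apis/*:*",
            ],
        }],
    }
    return trust, permissions


# Constructed sample of a list-graphql-apis result; not real account data.
SAMPLE_APIS = [
    {"apiId": "orders-api", "name": "orders", "authenticationType": "AWS_IAM",
     "logConfig": {"fieldLogLevel": "ALL", "excludeVerboseContent": True,
                   "cloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/AppSyncCloudWatchLogs"}},
    {"apiId": "legacy-api", "name": "legacy", "authenticationType": "API_KEY",
     "logConfig": {"fieldLogLevel": "ERROR", "excludeVerboseContent": False,
                   "cloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/AppSyncCloudWatchLogs"}},
    {"apiId": "scratch-api", "name": "scratch", "authenticationType": "API_KEY"},
]


def main():
    try:
        import boto3  # optional: audit the live account instead of the sample
        client = boto3.client("appsync")
        apis, token = [], None
        while True:  # list_graphql_apis is paginated via nextToken
            resp = client.list_graphql_apis(**({"nextToken": token} if token else {}))
            apis.extend(resp["graphqlApis"])
            token = resp.get("nextToken")
            if not token:
                break
    except Exception:  # no boto3 or no credentials: use the constructed sample
        apis = SAMPLE_APIS
    for api_id, findings in audit_apis(apis).items():
        print(f"{api_id}: NON-COMPLIANT")
        for finding in findings:
            print(f"  - {finding}")
    print("remediation --log-config:", build_log_config(SAMPLE_APIS[0]["logConfig"]["cloudWatchLogsRoleArn"]))


if __name__ == "__main__":
    main()
```

Run it with credentials in the environment to audit a region, or without to see the evaluation against the sample: orders-api passes, legacy-api is flagged for level ERROR and included verbose content, and scratch-api is flagged for having no logConfig at all. The payload from build_log_config can be passed verbatim to --log-config, together with the API's existing name and authentication type.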

Backout Plan:

If enabling field-level logging causes issues (e.g., excessive log volume, performance degradation):

  1. Identify the affected API and review its current logging configuration with aws appsync get-graphql-api.

  2. Lower the field log level. ERROR keeps field entries for failing resolvers only and is a useful intermediate step; NONE disables field-level logging. Keep the existing cloudWatchLogsRoleArn, since logConfig requires it, and re-supply the API's name and authentication type as for the enabling command:

aws appsync update-graphql-api --api-id <api-id> --name <api-name> --authentication-type <current-auth-type> --log-config '{
  "cloudWatchLogsRoleArn": "arn:aws:iam::<account-id>:role/<role-name>",
  "fieldLogLevel": "NONE"
}'

  3. Verify that field-level entries are no longer written to /aws/appsync/apis/<api-id> and that the API is functioning as expected.

Note:

  • Log Retention: AppSync log groups are created with retention set to never expire. Set a retention policy on /aws/appsync/apis/<api-id> (aws logs put-retention-policy) so that logs are deleted after the period your compliance regime requires, to control storage cost.

  • CloudWatch Alarms: Create metric filters on the field-level log group for patterns of interest (resolver errors, resolution of fields known to hold sensitive data, spikes in request volume) and attach CloudWatch Alarms so that they trigger notifications.

  • Testing: Test field-level logging at level ALL in a staging or development environment first, measuring added latency and log volume, before applying it to production.
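The Security bullet under Rationale and the CloudWatch Alarms note above both rely on someone actually reading the field-level entries for access to sensitive fields. The following added example (not code from AWS or from this benchmark) shows that detection logic run over a set of constructed log events. The event shape is a simplification of AppSync's structured field logs, keeping only the logType, requestId, parentType, fieldName and path keys; the sensitive field list, the operation names and the threshold are assumptions for the example.

```python
"""Flag bulk reads of sensitive GraphQL fields in AppSync field-level logs (added example)."""
import json
from collections import Counter, defaultdict

# Assumption: fields whose access should be audited, as "ParentType.field".
SENSITIVE_FIELDS = {"User.ssn", "User.dateOfBirth"}

# Constructed sample, one JSON event per line; not a real capture. A list query
# that resolves User.ssn for every returned item yields one Tracing entry per item.
SAMPLE_LOG_LINES = [
    '{"logType":"RequestSummary","requestId":"req-1","graphQLAPIId":"api-1","operationName":"ExportUsers","statusCode":200}',
    '{"logType":"Tracing","requestId":"req-1","parentType":"Query","fieldName":"listUsers","path":["listUsers"]}',
    '{"logType":"Tracing","requestId":"req-1","parentType":"User","fieldName":"ssn","path":["listUsers","items",0,"ssn"]}',
    '{"logType":"Tracing","requestId":"req-1","parentType":"User","fieldName":"ssn","path":["listUsers","items",1,"ssn"]}',
    '{"logType":"Tracing","requestId":"req-1","parentType":"User","fieldName":"ssn","path":["listUsers","items",2,"ssn"]}',
    '{"logType":"RequestSummary","requestId":"req-2","graphQLAPIId":"api-1","operationName":"GetMe","statusCode":200}',
    '{"logType":"Tracing","requestId":"req-2","parentType":"Query","fieldName":"getUser","path":["getUser"]}',
    '{"logType":"Tracing","requestId":"req-2","parentType":"User","fieldName":"dateOfBirth","path":["getUser","dateOfBirth"]}',
    'START RequestId: not-json plain-text line that a parser must tolerate',
]


def parse_events(lines):
    """Yield structured events, skipping lines that are not JSON objects."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "logType" in event:
            yield event


def scan_field_logs(lines, sensitive=SENSITIVE_FIELDS, bulk_threshold=3):
    """Return (per_field_totals, alerts).

    per_field_totals counts how often each sensitive field was resolved.
    An alert is raised when one request resolves the same sensitive field
    bulk_threshold or more times, the signature of an enumeration query.
    """
    per_request = defaultdict(Counter)
    summaries = {}
    for event in parse_events(lines):
        request_id = event.get("requestId")
        if event["logType"] == "RequestSummary":
            summaries[request_id] = event
        elif event["logType"] == "Tracing":
            key = f'{event.get("parentType")}.{event.get("fieldName")}'
            if key in sensitive:
                per_request[request_id][key] += 1

    totals = Counter()
    alerts = []
    for request_id, counts in per_request.items():
        totals.update(counts)
        for key, count in counts.items():
            if count >= bulk_threshold:
                alerts.append({
                    "requestId": request_id,
                    "operationName": summaries.get(request_id, {}).get("operationName"),
                    "field": key,
                    "count": count,
                })
    return dict(totals), alerts


if __name__ == "__main__":
    totals, alerts = scan_field_logs(SAMPLE_LOG_LINES)
    print("sensitive field resolutions:", totals)
    for alert in alerts:
        print("ALERT bulk sensitive read:", alert)
```

On the sample, User.ssn was resolved three times and User.dateOfBirth once, and the ExportUsers request is flagged because it alone resolved User.ssn three times. In production the same function would run on events pulled from /aws/appsync/apis/<api-id> by a subscription filter or a Logs Insights query, and the alert would feed an alarm or a SIEM rule rather than a print statement.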

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                     | IG1 | IG2 | IG3
  --------+------------+-------------------------------------------------------------------------+-----+-----+----
  v8      | 3.4        | Enforce Data Retention                                                  |     |     |
  v8      | 6.7        | Centralize Access Control                                               |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control                           |     |     |
  v8      | 14.6       | Train Workforce Members on Recognizing and Reporting Security Incidents |     |     |