Findings

AppSync field-level logging is not enabled

Updated: June 19, 2025

Description

Severity: Low

The AppSync GraphQL API does not have field-level logging enabled.

Field-level logging provides granular insights into the specific fields being queried in GraphQL requests. Without this detailed logging, it's difficult to monitor and track how sensitive fields are being accessed, leading to potential security issues such as:

  • Limited Visibility: Lack of detailed data makes it challenging to identify unauthorized or suspicious access to specific fields.
  • Harder Troubleshooting: Diagnosing errors or misconfigurations within individual fields becomes difficult without field-level logs.
  • Security Blind Spots: Malicious actors may exploit unmonitored fields, making it difficult to detect issues like data scraping or unauthorized access.

Example Attack

An attacker targets a GraphQL endpoint to access sensitive user data by exploiting unmonitored fields. For example, the attacker could try to manipulate queries to access a user's private information, such as email addresses, payment details, or account balances. Since field-level logging is not enabled, these specific field accesses remain undetected in the logs, making it harder for security teams to identify or respond to the unauthorized data access. The attacker could continue querying sensitive fields without triggering any alerts or alarms, potentially scraping large amounts of data without being noticed.

Remediation

Enable field-level logging for the AppSync GraphQL API.
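As an added example (not part of this finding page or any vendor tooling), the following Python uses the boto3 AppSync response and request shapes (list_graphql_apis, update_graphql_api) to flag APIs that would raise this finding and to build the update call that enables field-level logging. The sample API entries and the CloudWatch Logs role ARN are constructed placeholders.

```python
"""Detect AppSync GraphQL APIs without field-level logging and build the fix."""


def field_logging_enabled(api: dict) -> bool:
    """True when logConfig.fieldLogLevel is set to something other than NONE.

    AppSync only records per-field resolver activity when fieldLogLevel is
    ERROR or ALL (newer levels exist too); a missing logConfig means no logging.
    """
    log_config = api.get("logConfig") or {}
    return log_config.get("fieldLogLevel", "NONE") != "NONE"


def apis_missing_field_logging(apis: list[dict]) -> list[str]:
    """Return the apiIds from a list_graphql_apis() result that raise this finding."""
    return [api["apiId"] for api in apis if not field_logging_enabled(api)]


def remediation_params(api: dict, role_arn: str, level: str = "ERROR") -> dict:
    """Build kwargs for appsync.update_graphql_api(**params) that enable field logging.

    name and authenticationType are required by update_graphql_api, so they are
    carried over unchanged from the existing API description.
    """
    return {
        "apiId": api["apiId"],
        "name": api["name"],
        "authenticationType": api["authenticationType"],
        "logConfig": {
            "fieldLogLevel": level,
            "cloudWatchLogsRoleArn": role_arn,
            "excludeVerboseContent": True,  # keep headers and request bodies out of the logs
        },
    }


# Constructed sample shaped like list_graphql_apis()["graphqlApis"]; not real resources.
ROLE_ARN = "arn:aws:iam::123456789012:role/PLACEHOLDER-appsync-logs"
SAMPLE_APIS = [
    {"apiId": "api-a", "name": "orders", "authenticationType": "API_KEY",
     "logConfig": {"fieldLogLevel": "NONE", "cloudWatchLogsRoleArn": ROLE_ARN}},
    {"apiId": "api-b", "name": "users", "authenticationType": "AWS_IAM"},  # no logConfig at all
    {"apiId": "api-c", "name": "billing", "authenticationType": "AMAZON_COGNITO_USER_POOLS",
     "logConfig": {"fieldLogLevel": "ALL", "cloudWatchLogsRoleArn": ROLE_ARN}},
]


def main() -> None:
    """Scan a real account when run directly (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the pure functions above stay importable offline

    apis = boto3.client("appsync").list_graphql_apis()["graphqlApis"]
    for api_id in apis_missing_field_logging(apis):
        print(f"{api_id}: field-level logging not enabled")


if __name__ == "__main__":
    main()
```

Running the scan against SAMPLE_APIS reports api-a and api-b; apply the returned params with `boto3.client("appsync").update_graphql_api(**remediation_params(api, role_arn))` once a logging role exists.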
