AWS AppSync has field-level logs disabled

Description

It is recommended to have a proper logging process for AWS AppSync in order to detect anomalous configuration activity. It is used to track configuration changes conducted manually and programmatically and trace back unapproved changes.

Fix - Runtime

Fix - Buildtime

Terraform

resource "aws_appsync_graphql_api" "all" {
  authentication_type = "API_KEY"
  name                = "example"

  log_config {
    cloudwatch_logs_role_arn = "aws_iam_role.example.arn"
    field_log_level          = "ALL"
  }
}