turbot/aws_compliance

Control: 1 Step Functions state machines should have logging turned on

Description

This control checks whether an AWS Step Functions state machine has logging turned on. The control fails if a state machine doesn't have logging turned on. If you provide a custom value for the logLevel parameter, the control passes only if the state machine has the specified logging level turned on.

Monitoring helps you maintain the reliability, availability, and performance of Step Functions. You should collect as much monitoring data from the AWS services that you use as you can, so that you can more easily debug multi-point failures. Having a logging configuration defined for your Step Functions state machines allows you to track execution history and results in Amazon CloudWatch Logs. Optionally, you can track only errors or fatal events.

Remediation

To turn on logging for a Step Functions state machine, see Configure logging in the AWS Step Functions Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_sfn_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_sfn_1 --share

SQL

This control uses a named query:

sfn_state_machine_logging_enabled
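As an added example (not the aws_compliance mod's own sfn_state_machine_logging_enabled query), the following Steampipe-style SQL implements the same kind of check. It assumes the Steampipe AWS plugin table aws_sfn_state_machine with the columns arn, name, region, account_id and a jsonb logging_configuration column whose level key holds one of the Step Functions API values OFF, ALL, ERROR or FATAL; the second query's required level 'ERROR' is a constructed placeholder, and its ranking (ALL above ERROR above FATAL) is this example's interpretation of "at least the specified level", not something the page states.

```sql
-- Added example, not the mod's own query. Assumes the Steampipe AWS plugin
-- table aws_sfn_state_machine and its jsonb logging_configuration column.

-- 1. Basic check: alarm when logging is absent or explicitly OFF.
select
  arn as resource,
  case
    when coalesce(logging_configuration ->> 'level', 'OFF') = 'OFF' then 'alarm'
    else 'ok'
  end as status,
  case
    when coalesce(logging_configuration ->> 'level', 'OFF') = 'OFF'
      then name || ' logging disabled.'
    else name || ' logging enabled at level '
      || (logging_configuration ->> 'level') || '.'
  end as reason,
  region,
  account_id
from
  aws_sfn_state_machine;

-- 2. Stricter variant for a custom required level. The rank orders the
--    levels ALL (3) > ERROR (2) > FATAL (1) > OFF (0), so a state machine
--    logging ALL also satisfies a required level of ERROR. The value 2
--    ('ERROR') below is a constructed placeholder; change it to the level
--    you require.
with ranked as (
  select
    arn,
    name,
    region,
    account_id,
    coalesce(logging_configuration ->> 'level', 'OFF') as level,
    case coalesce(logging_configuration ->> 'level', 'OFF')
      when 'ALL'   then 3
      when 'ERROR' then 2
      when 'FATAL' then 1
      else 0
    end as level_rank
  from
    aws_sfn_state_machine
)
select
  arn as resource,
  case
    when level_rank >= 2 then 'ok'   -- 2 = required level ERROR (placeholder)
    else 'alarm'
  end as status,
  name || ' logging level is ' || level || '.' as reason,
  region,
  account_id
from
  ranked;
```

Both queries return the resource/status/reason/region/account_id shape that Powerpipe controls expect, so either can be wired into a control definition in place of the named query if you need the check to enforce a specific level rather than only "not OFF".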

Tags