CloudWatch Logging Disabled

  • Query id: 7dbba512-e244-42dc-98bb-422339827967
  • Query name: CloudWatch Logging Disabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Observability
  • URL: Github

Description

Check if CloudWatch logging is disabled for Route53 hosted zones
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_route53_zone" "no_query_log" {
  name = "example.com"
}

resource "aws_route53_zone" "log_group_mismatch" {
  name = "example.com"
}

resource "aws_route53_query_log" "log_group_mismatch" {
  cloudwatch_log_group_arn = aws_cloudwatch_log_group.aws_route53_log_mismatch.arn
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_route53_zone" "example_com" {
  name = "example.com"
}

resource "aws_route53_query_log" "example_com" {
  depends_on = [aws_cloudwatch_log_resource_policy.route53-query-logging-policy]

  cloudwatch_log_group_arn = aws_cloudwatch_log_group.aws_route53_example_com.arn
  zone_id                  = aws_route53_zone.example_com.zone_id
}