CloudWatch Logging Disabled
- Query id: 7dbba512-e244-42dc-98bb-422339827967
- Query name: CloudWatch Logging Disabled
- Platform: Terraform
- Severity: Medium
- Category: Observability
- URL: Github
Description¶
Check if CloudWatch logging is disabled for Route53 hosted zones
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_route53_zone" "no_query_log" {
name = "example.com"
}
resource "aws_route53_zone" "log_group_mismatch" {
name = "example.com"
}
resource "aws_route53_query_log" "log_group_mismatch" {
cloudwatch_log_group_arn = aws_cloudwatch_log_group.aws_route53_log_mismatch.arn
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_route53_zone" "example_com" {
name = "example.com"
}
resource "aws_route53_query_log" "example_com" {
depends_on = [aws_cloudwatch_log_resource_policy.route53-query-logging-policy]
cloudwatch_log_group_arn = aws_cloudwatch_log_group.aws_route53_example_com.arn
zone_id = aws_route53_zone.example_com.zone_id
}