{
    "Behavior": "PROACTIVE",
    "ComplianceFrameworkMappings": [
        {
            "ComplianceFramework": "NIST 800-53 Rev 5",
            "Ids": [
                "AC-4(26)",
                "AU-10",
                "AU-12",
                "AU-2",
                "AU-3",
                "AU-6(3)",
                "AU-6(4)",
                "CA-7",
                "SC-7(9)",
                "SI-7(8)"
            ]
        },
        {
            "ComplianceFramework": "PCI DSS version 3.2.1",
            "Ids": [
                "10.1",
                "10.3.1",
                "10.3.2",
                "10.3.3",
                "10.3.4",
                "10.3.5",
                "10.3.6"
            ]
        }
    ],
    "ConfigRuleIdentifier": "APPSYNC_LOGGING_ENABLED",
    "ControlOwner": "AWS Control Tower",
    "DeploymentMechanism": "AWS CloudFormation Hook",
    "DeploymentOwner": "AWS Control Tower",
    "Description": "This control checks whether an AWS AppSync GraphQL API has been configured to send request-level and field-level logs to Amazon CloudWatch Logs.",
    "DisplayName": "Require an AWS AppSync GraphQL API to have logging enabled",
    "DocumentationReferences": [
        {
            "DisplayName": "Monitoring and logging",
            "Type": "AWS Documentation",
            "Url": "https://docs.aws.amazon.com/appsync/latest/devguide/monitoring.html"
        }
    ],
    "EvaluatedResourceTypes": [
        "AWS::AppSync::GraphQLApi"
    ],
    "EvaluatedServices": [
        "AWS AppSync"
    ],
    "Guidance": "Elective",
    "Id": "CT.APPSYNC.PR.1",
    "ImplementationType": "CloudFormation guard rule",
    "MinimumSupportedRuntimeVersion": "2.1",
    "Objectives": [
        {
            "Id": "CO.1",
            "Name": "Establish logging and monitoring"
        }
    ],
    "RegionalPreference": "REGIONAL",
    "ReleaseDate": "2023-07-24",
    "RemediationMessage": "Within 'LogConfig', set 'FieldLogLevel' to 'ALL' or 'ERROR' and set 'CloudWatchLogsRoleArn' to the ARN of an AWS IAM role configured to allow AWS AppSync to send logs to Amazon CloudWatch Logs.",
    "Severity": "MEDIUM",
    "SupportedRegions": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-northeast-3",
        "ap-south-1",
        "ap-south-2",
        "ap-southeast-1",
        "ap-southeast-2",
        "ap-southeast-3",
        "ap-southeast-4",
        "ca-central-1",
        "eu-central-1",
        "eu-central-2",
        "eu-north-1",
        "eu-south-1",
        "eu-south-2",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "il-central-1",
        "me-central-1",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-west-1",
        "us-west-2"
    ],
    "TargetOuType": "CUSTOM",
    "Version": "1",
    "Visibility": "PUBLIC"
}