
AwsSolutions-SF1 conflicts with AWS recommendations #1664

Open
krokoko opened this issue Apr 19, 2024 · 2 comments
Labels
other This issue doesn't fit into the other categories

Comments


krokoko commented Apr 19, 2024

What is the problem?

AwsSolutions-SF1 recommends that, for Step Functions, you "log 'ALL' events to CloudWatch logs to help operators troubleshoot and audit systems."
There is no official recommendation for Step Functions logging in the documentation: https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html
However, the best practices for CloudWatch logs recommend logging only errors: https://docs.aws.amazon.com/prescriptive-guidance/latest/logging-monitoring-for-application-owners/logging-best-practices.html

Reproduction Steps

  • Create a step function through cdk
  • in the props, set the logging level to error

```typescript
// logging props passed to the StateMachine construct
logs: {
  destination: _logGroup,
  level: sfn.LogLevel.ERROR
}
```

What did you expect to happen?

Not failing cdk nag when setting log level to error for step function logging level in cloudwatch

What actually happened?

Failing cdk nag when setting log level to error for step function logging level in cloudwatch

cdk-nag version

v2.28.93

Language

Typescript

Other information

No response
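To make the disagreement concrete, here is an added TypeScript example (not cdk-nag's source and not code from the reporter) that evaluates a synthesized CloudFormation template the way a logging rule would: it walks every `AWS::StepFunctions::StateMachine`, reads `LoggingConfiguration.Level`, and reports findings under two policies, the "ALL only" rule quoted above and a relaxed "ALL or ERROR" policy. The template, resource names and ARNs are constructed placeholders, and the assumption that an omitted `Level` behaves as `OFF` is marked in the code.

```typescript
// Added example (not cdk-nag's own source): evaluate a synthesized template's
// Step Functions logging settings under two policies. Assumes the CloudFormation
// LoggingConfiguration shape { Level, Destinations } with Level in
// ALL | ERROR | FATAL | OFF; an omitted Level is treated here as OFF (assumption).

type LogLevel = 'ALL' | 'ERROR' | 'FATAL' | 'OFF';

interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
}

interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

interface LoggingConfiguration {
  Level?: LogLevel;
  Destinations?: unknown[];
}

interface Finding {
  logicalId: string;
  level?: LogLevel;
  message: string;
}

// Read the effective log level of one state machine resource.
function stateMachineLogLevel(res: CfnResource): LogLevel | undefined {
  const cfg = res.Properties?.['LoggingConfiguration'] as LoggingConfiguration | undefined;
  if (!cfg) return undefined;   // no logging block at all
  return cfg.Level ?? 'OFF';     // assumption: omitted Level behaves as OFF
}

// Flag every state machine whose level is outside the accepted list,
// or that has no LoggingConfiguration at all.
function evaluateTemplate(template: CfnTemplate, accepted: readonly LogLevel[]): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::StepFunctions::StateMachine') continue;
    const level = stateMachineLogLevel(res);
    if (level !== undefined && accepted.indexOf(level) !== -1) continue;
    findings.push({
      logicalId,
      level,
      message: level === undefined
        ? 'no LoggingConfiguration'
        : `log level ${level} is not in [${accepted.join(', ')}]`,
    });
  }
  return findings;
}

// Constructed sample: roughly what `cdk synth` emits for the issue's props
// (level ERROR), plus one machine with no logging and one unrelated resource.
const PLACEHOLDER_ROLE = 'arn:aws:iam::123456789012:role/placeholder-role';
const PASS_DEFINITION = '{"StartAt":"Done","States":{"Done":{"Type":"Pass","End":true}}}';

const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    ErrorLevelMachine: {
      Type: 'AWS::StepFunctions::StateMachine',
      Properties: {
        RoleArn: PLACEHOLDER_ROLE,
        DefinitionString: PASS_DEFINITION,
        LoggingConfiguration: {
          Level: 'ERROR',
          Destinations: [{ CloudWatchLogsLogGroup: {
            LogGroupArn: 'arn:aws:logs:us-east-1:123456789012:log-group:/placeholder:*' } }],
        },
      },
    },
    UnloggedMachine: {
      Type: 'AWS::StepFunctions::StateMachine',
      Properties: { RoleArn: PLACEHOLDER_ROLE, DefinitionString: PASS_DEFINITION },
    },
    UnrelatedBucket: { Type: 'AWS::S3::Bucket' },
  },
};

// Policy A: the rule text quoted in the issue, only "ALL" passes.
const ONLY_ALL: readonly LogLevel[] = ['ALL'];
// Policy B: any level that still records failed executions.
const ALL_OR_ERROR: readonly LogLevel[] = ['ALL', 'ERROR'];

function findingsUnderOnlyAll(): Finding[] {
  return evaluateTemplate(SAMPLE_TEMPLATE, ONLY_ALL);
}
function findingsUnderAllOrError(): Finding[] {
  return evaluateTemplate(SAMPLE_TEMPLATE, ALL_OR_ERROR);
}

console.log('ALL only:', findingsUnderOnlyAll().map(f => `${f.logicalId}: ${f.message}`));
console.log('ALL or ERROR:', findingsUnderAllOrError().map(f => `${f.logicalId}: ${f.message}`));
```

Under the "ALL only" policy the ERROR-level machine from the reproduction steps is flagged alongside the machine with no logging; under "ALL or ERROR" only the unlogged machine remains, which is the distinction the issue is asking the rule to make. Running this over real `cdk synth` output (`cdk.out/*.template.json`) lets a reviewer see which of the two conditions a given finding actually represents before deciding on a suppression.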

@krokoko krokoko added bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels Apr 19, 2024
@dontirun dontirun added other This issue doesn't fit into the other categories and removed bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels May 6, 2024
dontirun (Collaborator) commented May 6, 2024

I'm reaching out to the team that maintains these rules to see if I can get a clarification on the guidance


braidoa commented May 13, 2024

Hi. Commenting from AWS ProServe Engagement Security:
Good catch, @krokoko! @dontirun, we will change our guidance to "Log only INFO and DEBUG messages in prod."
