cdklabs / cdk-nag

Check CDK applications for best practices using a combination of available rule packs
Apache License 2.0

AwsSolutions-SF1 conflicts with AWS recommendations #1664

Open krokoko opened 5 months ago

krokoko commented 5 months ago

What is the problem?

AwsSolutions-SF1 recommends to "log "ALL" events to CloudWatch logs to help operators troubleshoot and audit systems" for Step Functions. There is no official recommendation for Step Functions logging in the documentation: https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html However, best practices for CloudWatch logs recommend to log only errors: https://docs.aws.amazon.com/prescriptive-guidance/latest/logging-monitoring-for-application-owners/logging-best-practices.html

Reproduction Steps

What did you expect to happen?

cdk-nag not failing when setting the log level to ERROR for the Step Functions CloudWatch logging level

What actually happened?

cdk-nag failing when setting the log level to ERROR for the Step Functions CloudWatch logging level

cdk-nag version

v2.28.93

Language

TypeScript

Other information

No response
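To make the reported behaviour concrete, here is an added example (not cdk-nag's own rule code) that approximates what a check like AwsSolutions-SF1 inspects in the synthesized CloudFormation template: the `LoggingConfiguration.Level` of each `AWS::StepFunctions::StateMachine`. The template fragment, the account id in the ARN and the rule logic are all constructed assumptions; it shows that a state machine set to ERROR is flagged when only "ALL" is accepted, and what changes when the accepted set is widened.

```typescript
// Added example, not cdk-nag's own rule code. Approximates what a rule like
// AwsSolutions-SF1 inspects in a synthesized template (assumed logic).
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

const STATE_MACHINE = "AWS::StepFunctions::StateMachine";
const DEFINITION = '{"StartAt":"Done","States":{"Done":{"Type":"Pass","End":true}}}';
// Constructed log group ARN (example account id), not a real resource.
const LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/sfn/example";

// Constructed template fragment resembling what CDK synthesizes for three
// StateMachine constructs: log level ERROR, log level ALL, and no logging.
const sampleTemplate: CfnTemplate = {
  Resources: {
    ErrorLevelMachine: {
      Type: STATE_MACHINE,
      Properties: {
        DefinitionString: DEFINITION,
        LoggingConfiguration: {
          Level: "ERROR",
          IncludeExecutionData: false,
          Destinations: [{ CloudWatchLogsLogGroup: { LogGroupArn: LOG_GROUP_ARN } }],
        },
      },
    },
    AllLevelMachine: {
      Type: STATE_MACHINE,
      Properties: {
        DefinitionString: DEFINITION,
        LoggingConfiguration: {
          Level: "ALL",
          IncludeExecutionData: false,
          Destinations: [{ CloudWatchLogsLogGroup: { LogGroupArn: LOG_GROUP_ARN } }],
        },
      },
    },
    NoLoggingMachine: { Type: STATE_MACHINE, Properties: { DefinitionString: DEFINITION } },
  },
};

// Log level of a state machine resource, or undefined when logging is not configured.
function stateMachineLogLevel(res: CfnResource): string | undefined {
  return res.Properties?.LoggingConfiguration?.Level;
}

// Logical IDs of state machines the check would report: any whose log level is
// missing or not in the accepted set. The default ["ALL"] mirrors the issue
// (ERROR is flagged); a wider accepted set shows the relaxed guidance.
function findSf1Findings(t: CfnTemplate, acceptedLevels: string[] = ["ALL"]): string[] {
  return Object.entries(t.Resources)
    .filter(([, res]) => res.Type === STATE_MACHINE)
    .filter(([, res]) => {
      const level = stateMachineLogLevel(res);
      return level === undefined || !acceptedLevels.includes(level);
    })
    .map(([id]) => id);
}

console.log(findSf1Findings(sampleTemplate)); // [ 'ErrorLevelMachine', 'NoLoggingMachine' ]
console.log(findSf1Findings(sampleTemplate, ["ALL", "ERROR"])); // [ 'NoLoggingMachine' ]
```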

dontirun commented 5 months ago

I'm reaching out to the team that maintains these rules to see if I can get a clarification on the guidance

braidoa commented 5 months ago

Hi. Commenting from AWS ProServe Engagement Security: Good catch, @krokoko! @dontirun, we will change our guidance to "Log only INFO and DEBUG messages in prod."