Open krokoko opened 5 months ago
I'm reaching out to the team that maintains these rules to see if I can get a clarification on the guidance
Hi. Commenting from AWS ProServe Engagement Security: Good catch, @krokoko! @dontirun, we will change our guidance to "Log only INFO and DEBUG messages in prod."
What is the problem?
AwsSolutions-SF1 recommends to "log "ALL" events to CloudWatch logs to help operators troubleshoot and audit systems." for Step Functions. There is no official recommendation for Step Functions logging in the documentation: https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html However, the best practices for CloudWatch Logs recommend logging only errors: https://docs.aws.amazon.com/prescriptive-guidance/latest/logging-monitoring-for-application-owners/logging-best-practices.html
Reproduction Steps
What did you expect to happen?
cdk-nag should not fail when the Step Functions logging level is set to ERROR in CloudWatch.
What actually happened?
cdk-nag fails when the Step Functions logging level is set to ERROR in CloudWatch.
cdk-nag version
v2.28.93
Language
TypeScript
Other information
No response
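To make the reported behaviour concrete, the following is an added example (not cdk-nag's own implementation): a stand-alone check over a synthesized CloudFormation template that flags `AWS::StepFunctions::StateMachine` resources whose `LoggingConfiguration.Level` is outside an allowed set. The template, logical IDs and log group ARN are constructed for the example; running the check with `["ALL"]` mirrors the rule as described in the issue, and `["ALL", "ERROR"]` shows the relaxed outcome the issue asks for.

```typescript
// Added example: a minimal stand-in for the AwsSolutions-SF1 check, run over a
// synthesized CloudFormation template. This is not cdk-nag's own code.
interface CfnTemplate {
  Resources: { [logicalId: string]: { Type: string; Properties?: any } };
}

// Valid values for AWS::StepFunctions::StateMachine LoggingConfiguration.Level.
type SfnLogLevel = "ALL" | "ERROR" | "FATAL" | "OFF";

// Return the logical IDs of state machines whose log level is not accepted.
// A missing LoggingConfiguration means logging is OFF, so it is always flagged.
function findNonCompliantStateMachines(
  template: CfnTemplate,
  allowedLevels: SfnLogLevel[],
): string[] {
  const flagged: string[] = [];
  for (const id in template.Resources) {
    const res = template.Resources[id];
    if (res.Type !== "AWS::StepFunctions::StateMachine") continue;
    const level: SfnLogLevel = res.Properties?.LoggingConfiguration?.Level ?? "OFF";
    if (allowedLevels.indexOf(level) === -1) flagged.push(id);
  }
  return flagged;
}

// Constructed template (placeholder ARN): three state machines at different
// logging levels plus an unrelated resource that the check must ignore.
const sampleTemplate: CfnTemplate = {
  Resources: {
    AllLogged: {
      Type: "AWS::StepFunctions::StateMachine",
      Properties: {
        LoggingConfiguration: {
          Level: "ALL",
          Destinations: [{ CloudWatchLogsLogGroup: { LogGroupArn: "arn:aws:logs:us-east-1:111122223333:log-group:/example/sfn:*" } }],
        },
      },
    },
    ErrorsOnly: {
      Type: "AWS::StepFunctions::StateMachine",
      Properties: { LoggingConfiguration: { Level: "ERROR" } },
    },
    NoLogging: { Type: "AWS::StepFunctions::StateMachine", Properties: {} },
    Bucket: { Type: "AWS::S3::Bucket" },
  },
};

// Rule as reported in the issue: only "ALL" passes, so ErrorsOnly is flagged.
const strict = findNonCompliantStateMachines(sampleTemplate, ["ALL"]);
// Relaxed variant the issue asks for: an ERROR-level state machine passes too.
const relaxed = findNonCompliantStateMachines(sampleTemplate, ["ALL", "ERROR"]);
console.log({ strict, relaxed });
```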