AWS AppSync GraphQL APIs now support data plane logging to AWS CloudTrail
Today, AWS AppSync announced support for logging GraphQL data plane operations (query, mutation, and subscription operations, and connect requests to your real-time WebSocket endpoint) using AWS CloudTrail. This gives customers greater visibility into GraphQL API activity in their AWS account, supporting security best practices and operational troubleshooting. AWS AppSync GraphQL is a serverless GraphQL service that gives application developers the ability to access data from multiple databases, microservices, and AI models with a single GraphQL API request.
CloudTrail captures API activities related to AWS AppSync GraphQL APIs as events, including calls from the AWS console and calls made programmatically to the AWS AppSync GraphQL API endpoints. Using the information that CloudTrail collects, you can identify a specific request to an AWS AppSync GraphQL API, the IP address of the requester, the requester's identity, and the date and time of the request. Logging AWS AppSync GraphQL APIs using CloudTrail helps you enable operational and risk auditing, governance, and compliance of your AWS account.
To opt in to CloudTrail logging, configure logging on your data stream using the AWS CloudTrail console or the CloudTrail APIs.
Logging data plane AWS AppSync GraphQL APIs using AWS CloudTrail is now available in all commercial AWS Regions where AppSync is available. To learn more about logging data plane APIs using AWS CloudTrail, see AWS Documentation. For more information about CloudTrail, see the AWS CloudTrail User Guide.