Ensure that Access Logging is enabled and configured for all your Amazon App Mesh virtual gateways. To enable the feature, set the file path that access logs are written to in the virtual gateway's logging configuration. You can use /dev/stdout to send access logs to standard output and configure your Envoy proxy container to use a log driver, such as "awslogs", to export the access logs to a log storage service such as Amazon CloudWatch Logs. You can also specify a path in the Envoy proxy container's file system to write the log files to disk.
The Access Logging feature lets you track who accesses your application mesh, helps you meet compliance requirements, and provides evidence for security audits and investigations. For example, the logging data can be used to analyze traffic patterns in order to detect different types of attacks and help you implement custom protection plans.
Audit
To determine if the Access Logging feature is enabled for your App Mesh virtual gateways, perform the following operations:
Remediation / Resolution
To enable and configure Access Logging for all your Amazon App Mesh virtual gateways, perform the following operations:
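The audit and remediation steps above both work on the virtual gateway spec returned by `aws appmesh describe-virtual-gateway` and accepted by `aws appmesh update-virtual-gateway --spec`. The following Python script is an added example (it is not part of this page or of the AWS CLI) that evaluates that JSON offline: it reports gateways whose spec has no `logging.accessLog.file.path`, and builds a remediated spec that keeps the existing listeners and only adds the access log path. The sample gateway documents are constructed here; the mesh and gateway names are placeholders, and the JSON shape assumed is that of the App Mesh `DescribeVirtualGateway` response (`virtualGateway.spec.logging.accessLog.file.path`).

```python
import copy
import json
import sys

# Constructed sample documents in the shape of `describe-virtual-gateway`
# output. Real responses also carry metadata and status fields, which are
# irrelevant to this check and omitted. Names are placeholders.
SAMPLE_NO_LOGGING = json.loads("""
{
  "virtualGateway": {
    "meshName": "example-mesh",
    "virtualGatewayName": "gateway-without-logging",
    "spec": {
      "listeners": [
        {"portMapping": {"port": 9080, "protocol": "http"}}
      ]
    }
  }
}
""")

SAMPLE_WITH_LOGGING = json.loads("""
{
  "virtualGateway": {
    "meshName": "example-mesh",
    "virtualGatewayName": "gateway-with-logging",
    "spec": {
      "listeners": [
        {"portMapping": {"port": 9080, "protocol": "http"}}
      ],
      "logging": {
        "accessLog": {"file": {"path": "/dev/stdout"}}
      }
    }
  }
}
""")

DEFAULT_LOG_PATH = "/dev/stdout"


def access_log_path(describe_output):
    """Return the configured access log file path, or None if logging is off."""
    spec = describe_output.get("virtualGateway", {}).get("spec", {})
    return (spec.get("logging") or {}).get("accessLog", {}).get("file", {}).get("path")


def access_logging_enabled(describe_output):
    """Audit check: True only when a non-empty file path is configured."""
    return bool(access_log_path(describe_output))


def noncompliant_gateways(describe_outputs):
    """Return 'mesh/gateway' identifiers of gateways with access logging disabled."""
    result = []
    for doc in describe_outputs:
        if not access_logging_enabled(doc):
            vg = doc["virtualGateway"]
            result.append(f"{vg['meshName']}/{vg['virtualGatewayName']}")
    return result


def spec_with_access_logging(spec, path=DEFAULT_LOG_PATH):
    """Remediation: return a copy of the spec with file access logging set.

    update-virtual-gateway replaces the whole spec (listeners are required),
    so the existing spec is copied and only the logging block is added.
    Pass the result as the --spec argument of update-virtual-gateway.
    """
    new_spec = copy.deepcopy(spec)
    new_spec.setdefault("logging", {})["accessLog"] = {"file": {"path": path}}
    return new_spec


if __name__ == "__main__":
    # Usage: aws appmesh describe-virtual-gateway --mesh-name <mesh> \
    #   --virtual-gateway-name <gateway> | python check_access_logging.py
    # Prints the remediated spec (ready for --spec) when logging is disabled.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_NO_LOGGING
    if access_logging_enabled(doc):
        print(f"compliant: access logs written to {access_log_path(doc)}")
    else:
        print("non-compliant: access logging disabled; remediated spec follows")
        print(json.dumps(spec_with_access_logging(doc["virtualGateway"]["spec"]), indent=2))
```

Because the remediated spec is derived from the existing one, applying it with `update-virtual-gateway` changes nothing except the logging block; the mesh and gateway names passed to the command must come from `list-meshes` and `list-virtual-gateways`.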
References
- AWS Documentation
  - What Is AWS App Mesh?
  - Virtual gateways
  - Security in AWS App Mesh
  - App Mesh observability
- AWS Command Line Interface (CLI) Documentation
  - appmesh
  - list-meshes
  - list-virtual-gateways
  - describe-virtual-gateway
  - update-virtual-gateway
- Envoy Proxy Documentation
  - Access Logs