Ensure Elasticsearch Domain Logging is enabled
When logging is enabled, Amazon Elasticsearch Service can export logs through CloudWatch Logs. Supported log types include error logs, search slow logs, index slow logs, and audit logs. Search slow logs, index slow logs, and error logs are useful for troubleshooting performance and stability issues. Audit logs track user activity for compliance purposes. All of these logs are disabled by default.
Risk Level: Low
Cloud Entity: Amazon ElasticSearch service
CloudGuard Rule ID: D9.CFT.LOG.13
Covered by Spectral: Yes
Category: Analytics
GSL LOGIC
AWS_Elasticsearch_Domain should have LogPublishingOptions.AUDIT_LOGS.Enabled=true
REMEDIATION
From CFT
Set the AWS::Elasticsearch::Domain property LogPublishingOptions::AUDIT_LOGS::Enabled to true.
See the example below:
Resources:
  MyDomainSearch:
    Type: AWS::Elasticsearch::Domain
    Properties:
      ...
      LogPublishingOptions:
        AUDIT_LOGS:
          Enabled: true
      ...
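As an added example (not part of this rule page or of CloudGuard itself), the following Python check applies the GSL logic above to a CloudFormation template in JSON form and reports every AWS::Elasticsearch::Domain that does not enable AUDIT_LOGS. The resource names and the log group ARN in the embedded sample template are constructed for the example.

```python
"""Checker for CloudGuard rule D9.CFT.LOG.13: every AWS::Elasticsearch::Domain in a
CloudFormation template must set LogPublishingOptions.AUDIT_LOGS.Enabled to true."""
import json

DOMAIN_TYPE = "AWS::Elasticsearch::Domain"


def _is_true(value):
    # CloudFormation accepts a boolean or the string "true" for Enabled.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def log_type_enabled(properties, log_type="AUDIT_LOGS"):
    """True if the domain's LogPublishingOptions enable the given log type."""
    options = properties.get("LogPublishingOptions") or {}
    return _is_true((options.get(log_type) or {}).get("Enabled"))


def find_noncompliant_domains(template, log_type="AUDIT_LOGS"):
    """Logical IDs of Elasticsearch domains that do not publish the given log type."""
    failing = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") == DOMAIN_TYPE and not log_type_enabled(
            resource.get("Properties") or {}, log_type
        ):
            failing.append(logical_id)
    return failing


# Constructed sample template (JSON form): one compliant domain, one with no logging
# configured, one with audit logs explicitly disabled, plus an unrelated resource.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "CompliantDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {"LogPublishingOptions": {
        "AUDIT_LOGS": {"Enabled": true,
                       "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:es-audit"},
        "ES_APPLICATION_LOGS": {"Enabled": true}}}},
    "NoLoggingDomain": {"Type": "AWS::Elasticsearch::Domain", "Properties": {}},
    "DisabledDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {"LogPublishingOptions": {"AUDIT_LOGS": {"Enabled": false}}}},
    "UnrelatedBucket": {"Type": "AWS::S3::Bucket"}
  }
}""")

if __name__ == "__main__":
    for domain in find_noncompliant_domains(SAMPLE_TEMPLATE):
        print(f"FAIL D9.CFT.LOG.13: {domain} does not enable AUDIT_LOGS")
```

A domain with no LogPublishingOptions at all is reported the same way as one with AUDIT_LOGS explicitly disabled, matching the "disabled by default" behaviour described above.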
References
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticsearch-domain-logpublishingoption.html
- https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html
Amazon ElasticSearch service
Amazon Elasticsearch Service is a fully managed service that makes it easy for you to deploy, secure, and run Elasticsearch cost effectively at scale. You can build, monitor, and troubleshoot your applications using the tools you love, at the scale you need. The service provides support for open source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services, and built-in alerting and SQL querying. Amazon Elasticsearch Service lets you pay only for what you use: there are no upfront costs or usage requirements. With Amazon Elasticsearch Service, you get the ELK stack you need, without the operational ov
Compliance Frameworks
- AWS CloudFormation ruleset