Ensure AWS Elasticsearch domain logging is enabled

Error: AWS Elasticsearch domain logging is not enabled

Bridgecrew Policy ID: BC_AWS_ELASTICSEARCH_7
Checkov Check ID: CKV_AWS_84
Severity: MEDIUM


Description

Amazon Elasticsearch Service (Amazon ES) publishes domain logs to Amazon CloudWatch Logs. The supported log types are error (application) logs, search slow logs, index slow logs, and audit logs; all of them are disabled by default. Error and slow logs are used to troubleshoot performance and stability issues, while audit logs record user activity for compliance purposes (audit logs additionally require fine-grained access control on the domain). Publishing any log type requires a CloudWatch log group plus a CloudWatch Logs resource policy that allows the es.amazonaws.com service principal to write to it. When enabled, standard CloudWatch Logs pricing applies.

We recommend that you enable Elasticsearch domain logging.

Fix - Runtime

AWS Console

To enable log publishing using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon Elasticsearch Service console.
  3. In the navigation pane, under My domains, select the domain that you want to update.
  4. Navigate to the Logs tab. For the log type that you want to publish, select Enable.
  5. Create a CloudWatch log group, or select an existing one.
  6. Select an access policy that contains the appropriate permissions (a CloudWatch Logs resource policy allowing es.amazonaws.com to create log streams and put log events in that group), or create a new policy. Select Enable.
  7. The status of your domain changes from Active to Processing. Log publishing takes effect once the status returns to Active.

CLI Command

Before you can enable log publishing, you need a CloudWatch log group; if you don't already have one, create one first. You also need a CloudWatch Logs resource policy that grants the es.amazonaws.com service principal the logs:CreateLogStream and logs:PutLogEvents permissions on that log group. The following command attaches such a policy; note that it only authorizes the service to write, and log publishing itself is turned on by updating the domain configuration afterwards.

aws logs put-resource-policy --policy-name my-policy --policy-document <policy_doc_json>
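The complete runtime fix from the CLI, added here as an example (it is not code from the Bridgecrew page): it builds a resource policy scoped to a single log group rather than to all of CloudWatch Logs, creates the group, attaches the policy, enables one log type on the domain, and then reads the domain's log publishing options back to verify. The domain name, region, account ID, log group name and the policy name "es-log-publishing" are placeholders passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the Bridgecrew page. All names are placeholders
# supplied on the command line: DOMAIN REGION ACCOUNT_ID LOG_GROUP [LOG_TYPE]

# CloudWatch Logs resource policy that lets the Amazon ES service principal
# write into one specific log group (instead of the broad "arn:aws:logs:*").
es_log_resource_policy() {
  region="$1"
  account_id="$2"
  log_group="$3"
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"es.amazonaws.com"},"Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource":"arn:aws:logs:%s:%s:log-group:%s:*"}]}' \
    "$region" "$account_id" "$log_group"
}

# JSON value for --log-publishing-options that enables one log type
# (INDEX_SLOW_LOGS, SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS or AUDIT_LOGS).
es_log_publishing_options() {
  log_type="$1"
  log_group_arn="$2"
  printf '{"%s":{"CloudWatchLogsLogGroupArn":"%s","Enabled":true}}' \
    "$log_type" "$log_group_arn"
}

# Create the group, authorize the service, then enable publishing on the
# domain. The last step is what actually turns logging on; the resource
# policy alone changes nothing on the domain.
enable_es_logging() {
  domain="$1"
  region="$2"
  account_id="$3"
  log_group="$4"
  log_type="${5:-INDEX_SLOW_LOGS}"
  log_group_arn="arn:aws:logs:${region}:${account_id}:log-group:${log_group}"

  aws logs create-log-group --region "$region" --log-group-name "$log_group"
  aws logs put-resource-policy --region "$region" \
    --policy-name "es-log-publishing" \
    --policy-document "$(es_log_resource_policy "$region" "$account_id" "$log_group")"
  aws es update-elasticsearch-domain-config --region "$region" \
    --domain-name "$domain" \
    --log-publishing-options "$(es_log_publishing_options "$log_type" "$log_group_arn")"
}

# Verification: the enabled log type should show Enabled=true together with
# the log group ARN once the domain returns to Active.
show_es_logging() {
  aws es describe-elasticsearch-domain --region "$2" --domain-name "$1" \
    --query 'DomainStatus.LogPublishingOptions'
}

if [ $# -ge 4 ]; then
  enable_es_logging "$@"
  show_es_logging "$1" "$2"
else
  echo "usage: $0 DOMAIN REGION ACCOUNT_ID LOG_GROUP [LOG_TYPE]" >&2
fi
```

Two practical caveats: create-log-group fails if the group already exists, so skip that call for an existing group, and CloudWatch Logs has a small per-region quota on resource policies, so prefer one shared policy whose Resource covers a log-group prefix over one policy per domain.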

Fix - Buildtime

Terraform

  • Resource: aws_elasticsearch_domain
  • Argument: log_publishing_options - (Optional) Options for publishing slow, application and audit logs to CloudWatch Logs. Each block takes a log_type, a cloudwatch_log_group_arn, and an optional enabled flag (defaults to true). The block can be declared multiple times, once for each log_type, within the same resource. The domain can only publish if a CloudWatch Logs resource policy allows es.amazonaws.com to write to the target log group.
resource "aws_elasticsearch_domain" "example" {
  ...
  domain_name           = "example"
  log_publishing_options {
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
    log_type                 = "INDEX_SLOW_LOGS"
  }
}
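A fuller buildtime configuration, added here as an example rather than taken from the Bridgecrew page or the Terraform provider documentation: it creates the log group, attaches the CloudWatch Logs resource policy the domain needs (scoped to that one group), and enables the three log types that do not require fine-grained access control. The resource names, Elasticsearch version, retention period and log-group name are placeholders.

```hcl
# Added example, not from the Bridgecrew page. Names and values are placeholders.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Log group the domain publishes into. Retention is a placeholder value.
resource "aws_cloudwatch_log_group" "es_logs" {
  name              = "/aws/es/example"
  retention_in_days = 90
}

# Resource policy: without it the domain config accepts the log group
# but the service cannot write to it. Scoped to this group only.
data "aws_iam_policy_document" "es_log_publishing" {
  statement {
    effect  = "Allow"
    actions = ["logs:CreateLogStream", "logs:PutLogEvents"]

    principals {
      type        = "Service"
      identifiers = ["es.amazonaws.com"]
    }

    resources = [
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.es_logs.name}:*",
    ]
  }
}

resource "aws_cloudwatch_log_resource_policy" "es_log_publishing" {
  policy_name     = "es-log-publishing"
  policy_document = data.aws_iam_policy_document.es_log_publishing.json
}

resource "aws_elasticsearch_domain" "example" {
  domain_name           = "example"
  elasticsearch_version = "7.10"

  # One block per log type. AUDIT_LOGS is omitted here because it also
  # requires advanced_security_options (fine-grained access control).
  log_publishing_options {
    log_type                 = "INDEX_SLOW_LOGS"
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.es_logs.arn
    enabled                  = true
  }

  log_publishing_options {
    log_type                 = "SEARCH_SLOW_LOGS"
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.es_logs.arn
    enabled                  = true
  }

  log_publishing_options {
    log_type                 = "ES_APPLICATION_LOGS"
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.es_logs.arn
    enabled                  = true
  }

  # The policy must exist before the domain starts publishing.
  depends_on = [aws_cloudwatch_log_resource_policy.es_log_publishing]
}
```

To confirm the fix before applying, run checkov against the directory with only this check selected: checkov -d . --check CKV_AWS_84.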

CloudFormation

  • Resource: AWS::Elasticsearch::Domain
  • Argument: Properties.LogPublishingOptions.<LOG_TYPE>.Enabled, where <LOG_TYPE> is one of INDEX_SLOW_LOGS, SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS or AUDIT_LOGS; set CloudWatchLogsLogGroupArn for the same log type, and note that AUDIT_LOGS also requires fine-grained access control on the domain.
Resources:
  Resource0:
    Type: 'AWS::Elasticsearch::Domain'
    Properties:
      ...
      LogPublishingOptions:
        AUDIT_LOGS:
+         Enabled: True
          ...