AWS Elasticsearch domain logging is not enabled
Description
Amazon Elasticsearch Service (Amazon ES) exposes logs through CloudWatch. Application and slow logs help with troubleshooting performance and stability issues, and audit logs track user activity for compliance purposes. Supported ES logs include error logs, search slow logs, index slow logs, and audit logs. All logs are disabled by default.
We recommend you enable Elasticsearch domain logging.
NOTE: If enabled, standard CloudWatch pricing applies.
Code Example
```shell
aws logs put-resource-policy --policy-name my-policy --policy-document <policy_doc_json>
```
Remediation
**AWS Console**
To change the policy using the AWS Console, follow these steps:
1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
2. Open the Amazon Elasticsearch console at https://console.aws.amazon.com/es/home.
3. In the navigation pane, under **My domains**, select the domain that you want to update.
4. Navigate to the **Logs** tab. For the log that you are working with, select **Enable**.
5. Create a **CloudWatch log group**, or select an existing one.
6. Select an access policy that contains the appropriate permissions, or create a new policy. Select **Enable**.
7. The **status** of your domain changes from **Active** to **Processing**. Log publishing is enabled once the status of your domain returns to **Active**.
**CLI Command**
Before you can enable log publishing, you need a CloudWatch log group. If you don't already have one, you will need to create one.
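As an added example (not code from this page or from Checkov itself), the following checker applies the rule's reasoning to an `AWS::Elasticsearch::Domain` CloudFormation resource parsed into a Python dict: a domain passes only when at least one `LogPublishingOptions` entry is enabled and points at a CloudWatch log group. The two sample resources, the default (no logging) and the corrected form, are constructed for this example, and the log group ARN is a placeholder.

```python
"""Check an AWS::Elasticsearch::Domain resource for CloudWatch log publishing.
Added example, not Checkov's implementation of CKV_AWS_84: it reads the
LogPublishingOptions property of a parsed CloudFormation resource (a dict)
and reports which log types are actually enabled.
"""


def enabled_log_types(resource: dict) -> list:
    """Return the log types whose publishing option is enabled with a log group ARN."""
    if resource.get("Type") != "AWS::Elasticsearch::Domain":
        raise ValueError("not an Elasticsearch domain resource")
    options = resource.get("Properties", {}).get("LogPublishingOptions") or {}
    enabled = []
    for log_type, opt in options.items():
        # An entry only counts when Enabled is true and a destination log
        # group is set; an entry with Enabled false is the default state.
        if opt.get("Enabled") is True and opt.get("CloudWatchLogsLogGroupArn"):
            enabled.append(log_type)
    return sorted(enabled)


def domain_passes(resource: dict) -> bool:
    """Pass when at least one supported log type is published to CloudWatch."""
    return len(enabled_log_types(resource)) > 0


# Constructed sample: logging left at the default (nothing enabled), so it fails.
WEAK_DOMAIN = {
    "Type": "AWS::Elasticsearch::Domain",
    "Properties": {"DomainName": "example-domain"},
}

# Constructed sample: slow logs published to CloudWatch; the log group ARN
# is a placeholder, not a real account resource.
LOG_GROUP = "arn:aws:logs:us-east-1:111111111111:log-group:/aws/aes/domains/example-domain"
FIXED_DOMAIN = {
    "Type": "AWS::Elasticsearch::Domain",
    "Properties": {
        "DomainName": "example-domain",
        "LogPublishingOptions": {
            "SEARCH_SLOW_LOGS": {"CloudWatchLogsLogGroupArn": LOG_GROUP, "Enabled": True},
            "INDEX_SLOW_LOGS": {"CloudWatchLogsLogGroupArn": LOG_GROUP, "Enabled": True},
            "AUDIT_LOGS": {"Enabled": False},
        },
    },
}

if __name__ == "__main__":
    for name, res in (("weak", WEAK_DOMAIN), ("fixed", FIXED_DOMAIN)):
        print(name, "PASS" if domain_passes(res) else "FAIL", enabled_log_types(res))
```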
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0137 |
| Severity | MEDIUM |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_84 |