Elasticsearch Domain Audit Logging is disabled
Description
This policy checks whether audit logging is enabled on an Elasticsearch domain. Audit logs record who accessed the domain and what changes were made, so that activity can be reviewed later. If the feature is not enabled, malicious activity or unauthorized changes can go undetected, and troubleshooting an unforeseen issue becomes harder because there is no record of what happened. Enabling audit logging therefore improves both security and day-to-day operations of the domain.
Code Example
```hcl
resource "aws_elasticsearch_domain" "example" {
  domain_name = "example"
  # ... other configuration. Note: AUDIT_LOGS can only be published when
  # fine-grained access control (advanced_security_options) is enabled on
  # the domain, and the log group needs an aws_cloudwatch_log_resource_policy
  # that lets es.amazonaws.com write to it.

  log_publishing_options {
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
    log_type                 = "AUDIT_LOGS"
    enabled                  = true # optional, defaults to true
  }
}

resource "aws_cloudwatch_log_group" "example" {
  name = "example"
}
```
Remediation
Terraform
- Resource: "aws_elasticsearch_domain", "aws_opensearch_domain"
- Arguments: log_publishing_options
To fix this issue, enable audit logs for the Elasticsearch (or OpenSearch) domain: add a `log_publishing_options` block to the domain resource with `log_type = "AUDIT_LOGS"`, a `cloudwatch_log_group_arn` pointing at the destination log group, and `enabled = true` (the default when omitted).
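As an added illustration of what this rule evaluates (example code, not Checkov's or the vendor's own implementation), the following Python check walks the `planned_values` section of `terraform show -json` output and reports every `aws_elasticsearch_domain` or `aws_opensearch_domain` that does not publish enabled `AUDIT_LOGS`; the plan fragment is constructed for the example.

```python
"""Evaluate IAC-0364 / CKV_AWS_317 against `terraform show -json` output."""
import json

DOMAIN_TYPES = {"aws_elasticsearch_domain", "aws_opensearch_domain"}

# Constructed plan fragment: three domains, only the first publishes audit logs.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_elasticsearch_domain.ok", "type": "aws_elasticsearch_domain",
             "values": {"domain_name": "ok", "log_publishing_options": [
                 {"log_type": "AUDIT_LOGS", "enabled": True}]}},
            {"address": "aws_opensearch_domain.slow_only", "type": "aws_opensearch_domain",
             "values": {"domain_name": "slow", "log_publishing_options": [
                 {"log_type": "INDEX_SLOW_LOGS", "enabled": True}]}},
        ],
        "child_modules": [{"address": "module.search", "resources": [
            {"address": "module.search.aws_opensearch_domain.off", "type": "aws_opensearch_domain",
             "values": {"domain_name": "off", "log_publishing_options": [
                 {"log_type": "AUDIT_LOGS", "enabled": False}]}}]}],
    }}
})


def audit_logging_enabled(values: dict) -> bool:
    """True when some log_publishing_options block publishes AUDIT_LOGS and is enabled."""
    for opt in values.get("log_publishing_options") or []:
        # `enabled` is optional in the provider schema and defaults to true.
        if opt.get("log_type") == "AUDIT_LOGS" and opt.get("enabled", True):
            return True
    return False


def iter_resources(module: dict):
    """Walk a planned_values module tree, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def failing_domains(plan_json: str) -> list:
    """Return the addresses of domains that do not publish audit logs."""
    root = json.loads(plan_json).get("planned_values", {}).get("root_module", {})
    return [r["address"] for r in iter_resources(root)
            if r.get("type") in DOMAIN_TYPES and not audit_logging_enabled(r.get("values", {}))]


if __name__ == "__main__":
    for address in failing_domains(SAMPLE_PLAN):
        print(f"FAILED IAC-0364: {address} has audit logging disabled")
```

Unknown-at-apply values such as the log group ARN are omitted from `planned_values`, so the check deliberately keys on `log_type` and `enabled` only.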
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0364 |
| Severity | MEDIUM |
| IaC Type | Cloudformation |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_317 |