Enable Audit Logs

Risk Level: Medium (should be achieved)

Ensure that the Audit Logs feature is enabled for all the Amazon OpenSearch domains created within your AWS cloud account. This logging feature lets you track user access to your OpenSearch domains, help you meet compliance regulations, and provide evidence for security investigations.

This rule can help you work with the AWS Well-Architected Framework.

Security

The Audit Logs feature allows you to log all user activity on your Amazon OpenSearch domains (clusters), including failed login attempts, and which users accessed certain indices, documents, or fields. The default configuration tracks a popular set of user actions, however, you can further configure and fine tune the feature settings to meet your needs. Audit Logs is also integrated with Fine Grained Access Control, allowing you the ability to log access or modification requests to sensitive documents or fields, in order to meet stringent compliance requirements. Once the feature is enabled and configured, the detailed audit logs will be continuously streamed to CloudWatch Logs to be further analyzed. The logging data recorded by the Audit Logs feature is extremely useful for compliance and audit purposes, especially in the aftermath of a security breach.

Audit

To determine if audit logging is enabled for your Amazon OpenSearch domains, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Click on the name (link) of the OpenSearch cluster that you want to examine.

05 Select the Logs tab and check the value available in the Status column for the Audit logs log type, listed in the CloudWatch Logs section. If the Status value for the Audit logs log type is set to Disabled, audit logs are not enabled for the selected Amazon OpenSearch cluster.

06 Repeat steps no. 4 and 5 for each Amazon OpenSearch cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch cluster (domain) available in the selected AWS region:

aws es list-domain-names
  --region us-east-1
  --query 'DomainNames[*].DomainName'

02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

[
	"trendmicro",
	"cloudconformity"
]

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to describe the Audit Logs feature status available for the selected cluster:

aws es describe-elasticsearch-domain
  --region us-east-1
  --domain-name trendmicro
  --query 'DomainStatus.LogPublishingOptions.AUDIT_LOGS.Enabled'

04 The command output should return the requested feature configuration status:

false

If the describe-elasticsearch-domain command output returns null, the CloudWatch Logs are not enabled for the selected cluster. If the command output returns false, as shown in the example above, the Audit Logs feature is not enabled for the selected Amazon OpenSearch cluster.

05 Repeat steps no. 3 and 4 for each Amazon OpenSearch cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable audit logs for your Amazon OpenSearch clusters (domains), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Click on the name of the OpenSearch cluster that you want to reconfigure.

05 Select the Logs tab to access the cluster logging configuration settings.

06 In the CloudWatch Logs section, select Audit logs and choose Enable to enable publishing audit logs to Amazon CloudWatch Logs. In the Select log group from CloudWatch logs section, select Create new group and provide a unique name for the new CloudWatch Logs log group in the New log group name box. In order to successfully deliver the audit logs to your new log group, Amazon OpenSearch will need access to two API calls: "CreateLogStream" and "PutLogEvents". In the Specify CloudWatch access policy section, choose Create new policy to create the access policy required to successfully deliver the logs to your new CloudWatch Logs log group. Choose Enable to apply the configuration changes.

07 Repeat steps no. 4 – 6 to enable and configure audit logs for other Amazon OpenSearch clusters available within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-log-group command (OSX/Linux/UNIX) to create a new Amazon CloudWatch Logs log group within the selected AWS region (the command does not produce an output):

aws logs create-log-group
  --region us-east-1
  --log-group-name /aws/OpenSearchService/domains/trendmicro

02 Run describe-log-groups command (OSX/Linux/UNIX) to describe the Amazon Resource Name (ARN) of the log group created at the previous step:

aws logs describe-log-groups
  --region us-east-1
  --log-group-name /aws/OpenSearchService/domains/trendmicro
  --query 'logGroups[*].arn'

03 The command output should return the requested log group ARN:

[
	"arn:aws:logs:us-east-1:123456789012:log-group:/aws/OpenSearchService/domains/trendmicro:*",
]

04 Run put-resource-policy command (OSX/Linux/UNIX) to give the Amazon OpenSearch service the permissions to write to the newly created log group:

aws logs put-resource-policy
  --region us-east-1
  --policy-name cc-audit-logs-policy
  --policy-document '{ "Version": "2012-10-17", "Statement": [{ "Sid": "", "Effect": "Allow", "Principal": { "Service": "es.amazonaws.com"}, "Action":[ "logs:PutLogEvents","logs:CreateLogStream"],"Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/OpenSearchService/domains/trendmicro:*"}]}'

05 The command output should return the implemented access policy (JSON format):

{
	"resourcePolicy": {
		"policyName": "cc-elasticsearch-audit-logs-policy",
		"policyDocument": "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Sid\": \"\", \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"es.amazonaws.com\"}, \"Action\":[ \"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\": \"arn:aws:logs:us-east-1:123456789012:log-group:/aws/OpenSearchService/domains/trendmicro:*\"}]}",
		"lastUpdatedTime": 1601657014344
	}
}

06 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) to enable and configure audit logs for the selected Amazon OpenSearch cluster:

aws es update-elasticsearch-domain-config
  --region us-east-1
  --domain-name trendmicro
  --log-publishing-options "AUDIT_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:/aws/OpenSearchService/domains/trendmicro:*,Enabled=true}"

07 The command output should return the new configuration information available for the modified OpenSearch cluster:

{
	"DomainConfig": {
		"ElasticsearchClusterConfig": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641212317.965,
				"UpdateVersion": 5,
				"UpdateDate": 1641213076.849
			},
			"Options": {
				"WarmEnabled": false,
				"DedicatedMasterEnabled": false,
				"InstanceCount": 1,
				"ZoneAwarenessEnabled": false,
				"InstanceType": "t3.small.elasticsearch"
			}
		},
		"VPCOptions": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641218607.34,
				"UpdateVersion": 21,
				"UpdateDate": 1641218607.34
			},
			"Options": {}
		},
		"CognitoOptions": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641218607.34,
				"UpdateVersion": 21,
				"UpdateDate": 1641218607.34
			},
			"Options": {
				"Enabled": false
			}
		},
		"NodeToNodeEncryptionOptions": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641212317.965,
				"UpdateVersion": 5,
				"UpdateDate": 1641213076.849
			},
			"Options": {
				"Enabled": false
			}
		},
		"AdvancedSecurityOptions": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641212317.965,
				"UpdateVersion": 5,
				"UpdateDate": 1641213076.849
			},
			"Options": {
				"InternalUserDatabaseEnabled": false,
				"Enabled": false
			}
		},
		"DomainEndpointOptions": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641212317.965,
				"UpdateVersion": 5,
				"UpdateDate": 1641213076.849
			},
			"Options": {
				"EnforceHTTPS": false,
				"TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"
			}
		},
		"EBSOptions": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641212317.965,
				"UpdateVersion": 5,
				"UpdateDate": 1641213076.849
			},
			"Options": {
				"VolumeSize": 30,
				"VolumeType": "gp2",
				"EBSEnabled": true
			}
		},
		"SnapshotOptions": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641212317.965,
				"UpdateVersion": 5,
				"UpdateDate": 1641213076.849
			},
			"Options": {
				"AutomatedSnapshotStartHour": 0
			}
		},
		"ElasticsearchVersion": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641212317.965,
				"UpdateVersion": 5,
				"UpdateDate": 1641213076.849
			},
			"Options": "7.9"
		},
		"LogPublishingOptions": {
			"Status": {
				"PendingDeletion": false,
				"State": "Processing",
				"CreationDate": 1641216346.828,
				"UpdateVersion": 21,
				"UpdateDate": 1641218607.199
			},
			"Options": {
				"AUDIT_LOGS": {
					"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/OpenSearchService/domains/trendmicro:*",
					"Enabled": true
				}
			}
		},
		"AdvancedOptions": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641212317.965,
				"UpdateVersion": 5,
				"UpdateDate": 1641213076.849
			},
			"Options": {
				"override_main_response_version": "false",
				"rest.action.multi.allow_explicit_index": "false",
				"indices.fielddata.cache.size": ""
			}
		},
		"EncryptionAtRestOptions": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641212317.965,
				"UpdateVersion": 5,
				"UpdateDate": 1641213076.849
			},
			"Options": {
				"Enabled": false
			}
		},
		"AccessPolicies": {
			"Status": {
				"PendingDeletion": false,
				"State": "Active",
				"CreationDate": 1641212317.965,
				"UpdateVersion": 5,
				"UpdateDate": 1641213076.849
			},
			"Options": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\"}]}"
		}
	}
}

08 Repeat steps no. 6 and 7 to enable the Audit Logs feature for other Amazon OpenSearch clusters available in the selected AWS region.

09 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

AWS Documentation
Amazon OpenSearch Service FAQs
Monitoring audit logs in Amazon OpenSearch Service

AWS Command Line Interface (CLI) Documentation
es
list-domain-names
describe-elasticsearch-domain
update-elasticsearch-domain-config
logs
create-log-group
describe-log-groups
put-resource-policy

Publication date Jun 1, 2023

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Enable Audit Logs

Risk Level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related Elasticsearch rules