Configure Audit Logs

Description

Amazon Elasticsearch Audit Logs let you log user activity on your Elasticsearch clusters, including a history of user authentication successes and failures, requests to Elasticsearch, modifications to indices, incoming search queries and much more. Audit Logs ship with a default configuration that covers a popular set of user actions to be tracked; administrators can further configure and fine-tune the settings to meet their needs. Audit Logs are integrated with Fine-Grained Access Control, so access or modification requests to sensitive documents or fields can be logged to meet compliance requirements. Once a CloudWatch Logs log group is configured, audit logs are streamed continuously to CloudWatch Logs and can be analyzed further there. Audit Logs settings can be changed at any time and take effect automatically.

For further information about Audit Logs, refer to the Amazon Elasticsearch documentation.

Rationale

Enable Audit Logs to record a trail of all user actions, meet compliance regulations, improve the overall security posture, and provide evidence for security investigations.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                      Value
secureclouddb/provider   aws
secureclouddb/service    elasticsearch

Default Rule

const { isAwsElasticsearch } = aws

/**
 * @param {Object} databaseSettings - database settings wrapping the Elasticsearch domain status
 * @returns {{success: boolean}} success is true if audit logging is enabled and a CloudWatch log group ARN is configured
 */
function validate(databaseSettings) {

    // Walk down to logPublishingOptions.auditLogs; fall back to an empty object
    // when the resource is not an Elasticsearch domain or the options are missing
    const { enabled, logGroupArn } =
        isAwsElasticsearch(databaseSettings) &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain.logPublishingOptions &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain.logPublishingOptions.auditLogs || {}

    // Both the enabled flag and a non-empty log group ARN are required;
    // coerce to a real boolean so success is never undefined
    const success = !!enabled && !!logGroupArn // To avoid empty arn

    return {
        success,
    }
}

// invoke
validate(databaseSettings);
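The rule above runs inside the SecureCloudDB rule engine against its normalized `awsDatabaseInstance.elasticsearchDomain.logPublishingOptions.auditLogs` shape. The following is an added, self-contained example (not SecureCloudDB's or AWS's code) that applies the same check to the raw field names returned by `aws es describe-elasticsearch-domain`, namely `DomainStatus.LogPublishingOptions.AUDIT_LOGS.Enabled` and `CloudWatchLogsLogGroupArn`, and exercises the edge cases the rule distinguishes: enabled with a log group, enabled with an empty ARN, disabled, no log publishing options at all, and only other log types enabled. The sample domain descriptions and their ARNs are constructed.

```javascript
// Added example: evaluate the audit-log check against the raw
// describe-elasticsearch-domain shape. Sample inputs are constructed.

function auditLogsConfigured(domainStatus) {
  const options = (domainStatus && domainStatus.LogPublishingOptions) || {};
  const audit = options.AUDIT_LOGS || {};
  const enabled = audit.Enabled === true;
  // An enabled flag without a usable log group ARN delivers nothing to
  // CloudWatch Logs, so a non-empty ARN is required as well.
  const arn = typeof audit.CloudWatchLogsLogGroupArn === 'string'
    ? audit.CloudWatchLogsLogGroupArn.trim()
    : '';
  const success = enabled && arn.length > 0;
  return { success, enabled, logGroupArn: arn };
}

// Constructed sample domain descriptions (DomainStatus objects).
const SAMPLE_LOG_GROUP_ARN =
  'arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/example/audit-logs';

const SAMPLE_DOMAINS = {
  compliant: {
    DomainName: 'example-compliant',
    LogPublishingOptions: {
      AUDIT_LOGS: { Enabled: true, CloudWatchLogsLogGroupArn: SAMPLE_LOG_GROUP_ARN },
    },
  },
  enabledNoArn: {
    DomainName: 'example-enabled-no-arn',
    LogPublishingOptions: {
      AUDIT_LOGS: { Enabled: true, CloudWatchLogsLogGroupArn: '' },
    },
  },
  disabled: {
    DomainName: 'example-disabled',
    LogPublishingOptions: {
      AUDIT_LOGS: { Enabled: false, CloudWatchLogsLogGroupArn: SAMPLE_LOG_GROUP_ARN },
    },
  },
  noLogOptions: {
    DomainName: 'example-no-log-options',
  },
  otherLogsOnly: {
    DomainName: 'example-slow-logs-only',
    LogPublishingOptions: {
      SEARCH_SLOW_LOGS: { Enabled: true, CloudWatchLogsLogGroupArn: SAMPLE_LOG_GROUP_ARN },
    },
  },
};

// Evaluate every sample domain and return a name -> pass/fail map,
// which is the form a finding report would consume.
function evaluateAll(domains = SAMPLE_DOMAINS) {
  const results = {};
  for (const [name, status] of Object.entries(domains)) {
    results[name] = auditLogsConfigured(status).success;
  }
  return results;
}

console.log(evaluateAll());
```

Only the `compliant` domain passes; the other four all fail for different reasons, which is why the rule checks the ARN in addition to the `enabled` flag rather than trusting the flag alone.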