
Enable 'read_metadata_only'

Description

If your Amazon Elasticsearch domain uses fine-grained access control, you can enable audit logs for the domain.

Audit logs are highly customizable and let you track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to Amazon Elasticsearch, index changes, and incoming search queries.

With the read_metadata_only field enabled, a read event is logged with only its metadata (who, when, which index and document), and the document fields that were read are not written to the log. This keeps potentially sensitive document contents out of your Amazon Elasticsearch audit logs.

For information about Amazon Elasticsearch logging, please refer to the Audit Logs documentation.

Rationale

Enable the read_metadata_only field to avoid leaking information in Amazon Elasticsearch documents to your logs.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                    Value
secureclouddb/provider aws
secureclouddb/service  elasticsearch

Default Rule

const { isAwsElasticsearch, getElasticSearchDomainLogPublishingOptions, getElasticSearchDomainAuditLogsConfiguration } = aws
/**
 * @param {Object} databaseSettings - Elasticsearch Domain Status
 * @returns {{success: boolean}} success is true only if audit logs are published and read_metadata_only is enabled
 */
function validate(databaseSettings) {
    if (!isAwsElasticsearch(databaseSettings)) {
        return { success: false }
    }

    // Audit logs must be published at the domain level before the audit configuration matters
    const logPublishingOptions = getElasticSearchDomainLogPublishingOptions(databaseSettings)
    const auditLogsEnabled = Boolean(logPublishingOptions &&
        logPublishingOptions.auditLogs &&
        logPublishingOptions.auditLogs.enabled)

    // read_metadata_only lives under the compliance section of the audit configuration; guard every level
    const auditLogsConfiguration = getElasticSearchDomainAuditLogsConfiguration(databaseSettings)
    const readMetadataOnlyEnabled = Boolean(auditLogsConfiguration &&
        auditLogsConfiguration.compliance &&
        auditLogsConfiguration.compliance.readMetadataOnly)

    const success = auditLogsEnabled && readMetadataOnlyEnabled

    return {
        success,
    }
}

// invoke
validate(databaseSettings);
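The rule above depends on the SecureCloudDB `aws` helpers. The following is an added example, not the rule engine's or the platform's own code: a stand-alone version of the same check that reports every reason a domain fails, plus a helper that produces the remediated audit config body. Input shapes are assumptions modeled on the DescribeElasticsearchDomain DomainStatus (AdvancedSecurityOptions, LogPublishingOptions.AUDIT_LOGS) and on the security plugin's audit config REST body ({ config: { enabled, compliance: { read_metadata_only } } }); the sample inputs are constructed, not captured responses.

```javascript
// Added example (not the rule engine's own code): stand-alone read_metadata_only check.
// Input shapes are assumptions modeled on the DescribeElasticsearchDomain DomainStatus
// and on the security plugin's audit config REST body.

/**
 * Evaluate one domain and list every reason it fails.
 * @param {Object} domainStatus - DomainStatus as returned by describe-elasticsearch-domain (assumed shape)
 * @param {Object} auditConfig  - body returned by the audit config REST API (assumed shape)
 * @returns {{success: boolean, findings: string[]}}
 */
function checkReadMetadataOnly(domainStatus, auditConfig) {
  const findings = [];

  // Audit logs are only available on domains with fine-grained access control.
  const advanced = (domainStatus && domainStatus.AdvancedSecurityOptions) || {};
  if (!advanced.Enabled) {
    findings.push('fine-grained access control is off; audit logs cannot be enabled');
  }

  // Domain-level publishing of AUDIT_LOGS to a CloudWatch log group must be on.
  const auditLogs = ((domainStatus && domainStatus.LogPublishingOptions) || {}).AUDIT_LOGS || {};
  if (!(auditLogs.Enabled && auditLogs.CloudWatchLogsLogGroupArn)) {
    findings.push('AUDIT_LOGS publishing is not enabled for the domain');
  }

  // Plugin-level audit config: logging must be on and reads must log metadata only,
  // otherwise the contents of read documents can end up in the log group.
  const config = (auditConfig && auditConfig.config) || {};
  if (config.enabled !== true) {
    findings.push('audit logging is disabled in the audit config');
  }
  const compliance = config.compliance || {};
  if (compliance.read_metadata_only !== true) {
    findings.push('compliance.read_metadata_only is not true; read events may log document bodies');
  }

  return { success: findings.length === 0, findings };
}

/**
 * Build the remediated audit config body: a copy of the current config with
 * audit logging on and read_metadata_only forced to true. The caller would PUT
 * this to the audit config endpoint; nothing is sent from here.
 */
function withReadMetadataOnly(auditConfig) {
  const fixed = JSON.parse(JSON.stringify(auditConfig || {}));
  fixed.config = fixed.config || {};
  fixed.config.enabled = true;
  fixed.config.compliance = Object.assign({}, fixed.config.compliance, { read_metadata_only: true });
  return fixed;
}

// Constructed sample inputs (not real API responses).
const GOOD_DOMAIN = {
  DomainName: 'orders-prod',
  AdvancedSecurityOptions: { Enabled: true },
  LogPublishingOptions: {
    AUDIT_LOGS: {
      Enabled: true,
      CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:111122223333:log-group:/aws/aes/domains/orders-prod/audit-logs',
    },
  },
};
const BAD_DOMAIN = {
  DomainName: 'orders-dev',
  AdvancedSecurityOptions: { Enabled: true },
  LogPublishingOptions: { AUDIT_LOGS: { Enabled: false } },
};
const GOOD_AUDIT = { config: { enabled: true, compliance: { read_metadata_only: true, write_metadata_only: true } } };
const BAD_AUDIT = { config: { enabled: true, compliance: { read_metadata_only: false, write_metadata_only: true } } };

// Run the check over the samples; the "bad" domain fails on two counts and
// passes once its audit config is remediated and publishing is fixed.
function runSamples() {
  return {
    good: checkReadMetadataOnly(GOOD_DOMAIN, GOOD_AUDIT),
    bad: checkReadMetadataOnly(BAD_DOMAIN, BAD_AUDIT),
    remediated: checkReadMetadataOnly(GOOD_DOMAIN, withReadMetadataOnly(BAD_AUDIT)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

The check deliberately fails closed: a missing AdvancedSecurityOptions, LogPublishingOptions, config or compliance object is treated as non-compliant rather than skipped, which is the behaviour you want from a rule whose purpose is to stop document contents leaking into logs.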