
Enable 'write_log_diffs'

Description

If your Amazon Elasticsearch domain uses fine-grained access control then audit logs are available for your domain. Audit logs are highly customizable and let you track user activity on your Elasticsearch clusters, including authentication success and failures, requests to Amazon Elasticsearch, index changes, and incoming search queries.

For information about Amazon Elasticsearch logging, please refer to the Audit Logs documentation.

Rationale

If write_metadata_only is disabled, potentially sensitive information can be leaked into your Amazon Elasticsearch audit logs. Enable write_log_diffs to limit the amount of information written to your logs.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       Value
secureclouddb/provider    aws
secureclouddb/service     elasticsearch

Default Rule

const { isAwsElasticsearch, getElasticSearchDomainLogPublishingOptions, getElasticSearchDomainAuditLogsConfiguration } = aws

/**
 * @param {Object} databaseSettings - Elasticsearch Domain Status
 * @returns {{success: boolean}} success is true if write_log_diffs is enabled,
 *   or if write_metadata_only is enabled (the stricter setting)
 */
function validate(databaseSettings) {

    const logPublishingOptions = isAwsElasticsearch(databaseSettings) &&
        getElasticSearchDomainLogPublishingOptions(databaseSettings)

    const auditLogsConfiguration = isAwsElasticsearch(databaseSettings) &&
        getElasticSearchDomainAuditLogsConfiguration(databaseSettings)

    // Guard every step so a missing section evaluates to false instead of
    // throwing (for example, an audit configuration with no `compliance` block).
    const auditLogsEnabled = Boolean(logPublishingOptions &&
        logPublishingOptions.auditLogs &&
        logPublishingOptions.auditLogs.enabled)

    const writeMetadataOnly = Boolean(auditLogsConfiguration &&
        auditLogsConfiguration.compliance &&
        auditLogsConfiguration.compliance.writeMetadataOnly)

    const writeLogDiffsEnabled = Boolean(auditLogsConfiguration &&
        auditLogsConfiguration.enabled &&
        auditLogsConfiguration.compliance &&
        auditLogsConfiguration.compliance.writeLogDiffs)

    let success

    if (writeMetadataOnly) {
        // Metadata-only logging never writes document bodies, so diffs are moot.
        success = true
    } else {
        success = auditLogsEnabled && writeLogDiffsEnabled
    }

    return {
        success,
    }
}

// invoke
validate(databaseSettings);
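As an added example (not SecureCloudDB's rule code), the same decision applied to raw inputs, with constructed samples covering the pass, fail, and missing-section cases. The input shapes are assumptions: `logPublishingOptions` as returned under DomainStatus.LogPublishingOptions by the DescribeElasticsearchDomain API, and `auditConfig` as the security plugin's audit configuration document.

```javascript
// Added example, not SecureCloudDB's rule code. Assumed input shapes:
//  - logPublishingOptions: DomainStatus.LogPublishingOptions from DescribeElasticsearchDomain
//  - auditConfig: the security plugin's audit configuration document
function evaluateWriteLogDiffs(logPublishingOptions, auditConfig) {
  const auditLogsPublished = Boolean(
    logPublishingOptions &&
    logPublishingOptions.AUDIT_LOGS &&
    logPublishingOptions.AUDIT_LOGS.Enabled
  );
  // Default to an empty object so a missing compliance block fails closed without throwing.
  const compliance = (auditConfig && auditConfig.compliance) || {};
  const writeMetadataOnly = Boolean(compliance.write_metadata_only);
  const writeLogDiffs = Boolean(auditConfig && auditConfig.enabled && compliance.write_log_diffs);

  // write_metadata_only never writes document bodies, so the diff setting is irrelevant.
  if (writeMetadataOnly) {
    return { success: true, reason: 'write_metadata_only is enabled' };
  }
  if (!auditLogsPublished) {
    return { success: false, reason: 'audit logs are not published for this domain' };
  }
  if (!writeLogDiffs) {
    return { success: false, reason: 'write_log_diffs is disabled; full document bodies may reach the log' };
  }
  return { success: true, reason: 'write_log_diffs is enabled' };
}

// Constructed sample inputs (not taken from a real domain).
const publishingEnabled = { AUDIT_LOGS: { Enabled: true } };
const publishingDisabled = { AUDIT_LOGS: { Enabled: false } };

const samples = {
  // Pass: only diffs of changed documents are written.
  diffsOnly: [publishingEnabled, { enabled: true, compliance: { write_log_diffs: true, write_metadata_only: false } }],
  // Pass: metadata-only is stricter and short-circuits the rest.
  metadataOnly: [publishingDisabled, { enabled: true, compliance: { write_log_diffs: false, write_metadata_only: true } }],
  // Fail: audit logging is on, but whole document bodies can land in the log.
  fullBodies: [publishingEnabled, { enabled: true, compliance: { write_log_diffs: false, write_metadata_only: false } }],
  // Fail, without throwing: the compliance section is absent entirely.
  noCompliance: [publishingEnabled, { enabled: true }],
};

// Evaluate every sample and return a name -> success map.
function runSamples() {
  const results = {};
  for (const [name, [publishing, config]] of Object.entries(samples)) {
    results[name] = evaluateWriteLogDiffs(publishing, config).success;
  }
  return results;
}
```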