Enable 'read_metadata_only'


If your Amazon Elasticsearch domain uses fine-grained access control, you can enable audit logs for your data.

Audit logs are highly customizable and let you track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to Amazon Elasticsearch, index changes, and incoming search queries.

By enabling the read_metadata_only field, you can limit the data that will be logged upon a read event. This will prevent potentially sensitive information from being leaked into your Amazon Elasticsearch logs.

For information about Amazon Elasticsearch logging, please refer to the Audit Logs documentation.


Enable the read_metadata_only field to avoid leaking information in Amazon Elasticsearch documents to your logs.
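
The same two conditions, applied to a raw audit configuration document, as an added example (not secureclouddb's rule code). It assumes the document follows the security plugin's audit configuration JSON layout (`config.enabled`, `config.compliance.read_metadata_only`, `config.compliance.read_watched_fields`); the function name and the sample documents are constructed.

```javascript
// Added example. Assumed input: the security plugin's audit configuration
// JSON (config.enabled, config.compliance.*), not secureclouddb helper output.
function checkReadMetadataOnly(auditConfig) {
  const config = (auditConfig && auditConfig.config) || {};
  const compliance = config.compliance || {};
  const findings = [];

  // Mirrors the rule: audit logging itself has to be on.
  if (config.enabled !== true) {
    findings.push('audit logging is not enabled');
  }

  // Strict comparison: a missing field, "true" or 1 all count as not enabled.
  if (compliance.read_metadata_only !== true) {
    // read_watched_fields maps index patterns to the fields watched on reads.
    const watched = Object.entries(compliance.read_watched_fields || {})
      .map(([index, fields]) => `${index}: ${[].concat(fields).join(', ')}`);
    findings.push(watched.length > 0
      ? `read_metadata_only is not true; read events on watched fields are not limited to metadata (${watched.join('; ')})`
      : 'read_metadata_only is not true');
  }

  return { success: findings.length === 0, findings };
}

// Constructed sample documents (index and field names are made up).
const hardened = {
  config: {
    enabled: true,
    compliance: { enabled: true, read_metadata_only: true, read_watched_fields: {} },
  },
};
const leaky = {
  config: {
    enabled: true,
    compliance: {
      enabled: true,
      read_metadata_only: false,
      read_watched_fields: { 'customers-*': ['email', 'ssn'] },
    },
  },
};

console.log(checkReadMetadataOnly(hardened));
console.log(checkReadMetadataOnly(leaky));
```

The findings list names the watched index patterns and fields, which tells a reviewer which documents are exposed to the logs while the setting is off.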

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     elasticsearch

Default Rule

const { isAwsElasticsearch, getElasticSearchDomainLogPublishingOptions, getElasticSearchDomainAuditLogsConfiguration } = aws

/**
 * @param {Object} databaseSettings - Elasticsearch Domain Status
 * @returns {Object} result object; success is true if read metadata only is enabled
 */
function validate(databaseSettings) {

    // Audit logs must be present in the domain's log publishing options
    const auditLogsEnabled = isAwsElasticsearch(databaseSettings) &&
        getElasticSearchDomainLogPublishingOptions(databaseSettings) &&
        getElasticSearchDomainLogPublishingOptions(databaseSettings).auditLogs
        // the final operand of this condition is cut off on this page

    // The audit logs configuration must be available for the domain
    const readMetadataOnlyEnabled = isAwsElasticsearch(databaseSettings) &&
        getElasticSearchDomainAuditLogsConfiguration(databaseSettings)
        // the final operand of this condition is cut off on this page

    // The rule passes only when both conditions hold
    const success = Boolean(auditLogsEnabled && readMetadataOnlyEnabled)

    return { success }
}

// invoke