
Enable 'write_log_diffs'


If your Amazon Elasticsearch domain uses fine-grained access control, audit logs are available for your domain. Audit logs are highly customizable and let you track user activity on your Elasticsearch clusters, including authentication successes and failures, requests to Amazon Elasticsearch, index changes, and incoming search queries.

For information about Amazon Elasticsearch logging, please refer to the Audit Logs documentation.


When write_metadata_only is disabled, you risk potentially sensitive information being leaked into your Amazon Elasticsearch audit logs. Enable write_log_diffs to limit the amount of information written to your logs.

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                       Value
secureclouddb/provider    aws
secureclouddb/service     elasticsearch

Default Rule

const { isAwsElasticsearch, getElasticSearchDomainLogPublishingOptions, getElasticSearchDomainAuditLogsConfiguration } = aws

/**
 * @param {Object} databaseSettings - Elasticsearch Domain Status
 * @returns {boolean} true if write log diffs is enabled
 */
function validate(databaseSettings) {

    // Audit logs must be published for the domain before write_log_diffs has any effect
    const auditLogsEnabled = isAwsElasticsearch(databaseSettings) &&
        getElasticSearchDomainLogPublishingOptions(databaseSettings) &&
        getElasticSearchDomainLogPublishingOptions(databaseSettings).auditLogs &&
        getElasticSearchDomainLogPublishingOptions(databaseSettings).auditLogs.enabled

    // Property names on the audit logs configuration object are assumed (camelCase of the
    // write_metadata_only / write_log_diffs settings); adjust to match the helper's output
    const writeMetadataOnly = isAwsElasticsearch(databaseSettings) &&
        getElasticSearchDomainAuditLogsConfiguration(databaseSettings) &&
        getElasticSearchDomainAuditLogsConfiguration(databaseSettings).writeMetadataOnly

    const writeLogDiffsEnabled = isAwsElasticsearch(databaseSettings) &&
        getElasticSearchDomainAuditLogsConfiguration(databaseSettings) &&
        getElasticSearchDomainAuditLogsConfiguration(databaseSettings).enabled &&
        getElasticSearchDomainAuditLogsConfiguration(databaseSettings).writeLogDiffs

    let success

    if (writeMetadataOnly) {
        // Metadata-only logging never writes document contents, so there is nothing left to limit
        success = true
    } else {
        success = auditLogsEnabled && writeLogDiffsEnabled
    }

    // Result object shape assumed
    return {
        success: Boolean(success)
    }
}

// invoke
validate(databaseSettings)