Enable Audit Logging for Elasticsearch Domains
Ensures that audit logging is enabled for Elasticsearch domains, providing detailed records of user activities and system changes.
| Rule | Elasticsearch domains should have audit logging enabled |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ Medium |
Rule Description:
Elasticsearch domains should have audit logging enabled to enhance security and comply with AWS Foundational Security Best Practices.
Troubleshooting Steps:
- 1.Check the current configuration of the Elasticsearch domain to see if audit logging is enabled.
- 2.Review the Elasticsearch domain access policies to ensure that audit logging is allowed.
- 3.Verify that the Elasticsearch domain is properly integrated with AWS CloudWatch for logging and monitoring.
Necessary Codes:
To enable audit logging for an Elasticsearch domain, you can use the AWS SDK or AWS CLI. Here is an example of AWS CLI command:
aws es update-elasticsearch-domain-config --domain-name your-domain-name --advanced-security-options Enabled=true,InternalUserDatabaseEnabled=true,AuditLogsEnabled=true
Make sure to replace
your-domain-nameStep-by-Step Guide for Remediation:
- 1.Log in to the AWS Management Console.
- 2.Navigate to the Amazon Elasticsearch Service console.
- 3.Click on the Elasticsearch domain that you want to enable audit logging for.
- 4.In the domain settings, locate the configuration options.
- 5.Find the section related to advanced security options.
- 6.Enable audit logging by setting the
parameter toAuditLogsEnabled
.true - 7.Save the configuration changes.
- 8.Monitor the domain to ensure that audit logging is functioning correctly.
By following these steps and enabling audit logging for your Elasticsearch domain, you can enhance security and adhere to AWS Foundational Security Best Practices.