enable-logging
Explanation
AWS Elasticsearch domains should have audit logging enabled. This check fails when an aws_elasticsearch_domain has no log_publishing_options block with log_type = "AUDIT_LOGS"; publishing only slow logs or application logs does not satisfy it.
Possible Impact
Audit logs record who authenticated to the domain and which indices and operations they touched. Without them, unauthorised access or data exfiltration cannot be reconstructed during an investigation, and access patterns cannot be monitored.
Suggested Resolution
Add a log_publishing_options block with log_type = "AUDIT_LOGS" pointing at a CloudWatch log group. Note that Elasticsearch only emits audit logs when fine-grained access control (advanced_security_options) is enabled on the domain, and the log group needs a CloudWatch resource policy that allows es.amazonaws.com to write to it.
Insecure Example
The following example will fail the aws-elastic-search-enable-logging check.
```hcl
resource "aws_elasticsearch_domain" "example" {
  // other config
  // One of the log_publishing_options has to be AUDIT_LOGS; slow logs alone do not satisfy the check
  log_publishing_options {
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
    log_type                 = "INDEX_SLOW_LOGS"
  }
}
```
Secure Example
The following example will pass the aws-elastic-search-enable-logging check.
```hcl
resource "aws_elasticsearch_domain" "example" {
  // other config
  // At minimum we should have AUDIT_LOGS enabled
  log_publishing_options {
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
    log_type                 = "AUDIT_LOGS"
  }
}
```
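The secure example above passes the check but leaves "other config" unspecified, and on its own it would not actually produce audit logs. The following is an added example (not part of the tfsec page or project) showing the pieces a working deployment needs: fine-grained access control, which AWS requires before it will emit AUDIT_LOGS, the encryption settings that fine-grained access control in turn requires, and a CloudWatch resource policy allowing the Elasticsearch service to write to the log group. Resource names, the domain name, the log group path and the var.master_user_password variable are assumptions for illustration.

```hcl
# Assumed variable for the fine-grained access control master user.
variable "master_user_password" {
  type      = string
  sensitive = true
}

# Log group that will receive the audit log stream (name is an assumption).
resource "aws_cloudwatch_log_group" "audit" {
  name              = "/aws/elasticsearch/example/audit"
  retention_in_days = 365
}

# CloudWatch Logs resource policy: without this, the domain is configured
# for audit logging but the service is denied when it tries to write.
data "aws_iam_policy_document" "es_logs" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["es.amazonaws.com"]
    }
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:PutLogEventsBatch",
    ]
    resources = ["${aws_cloudwatch_log_group.audit.arn}:*"]
  }
}

resource "aws_cloudwatch_log_resource_policy" "es_logs" {
  policy_name     = "example-es-audit-logs"
  policy_document = data.aws_iam_policy_document.es_logs.json
}

resource "aws_elasticsearch_domain" "example" {
  domain_name           = "example"
  elasticsearch_version = "7.10"

  # AUDIT_LOGS are only generated when fine-grained access control is on.
  advanced_security_options {
    enabled                        = true
    internal_user_database_enabled = true
    master_user_options {
      master_user_name     = "admin"
      master_user_password = var.master_user_password
    }
  }

  # Fine-grained access control itself requires encryption at rest,
  # node-to-node encryption and HTTPS-only endpoints.
  encrypt_at_rest {
    enabled = true
  }
  node_to_node_encryption {
    enabled = true
  }
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  # The block the aws-elastic-search-enable-logging check looks for.
  # enabled defaults to true; setting it to false would switch the logs off.
  log_publishing_options {
    log_type                 = "AUDIT_LOGS"
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.audit.arn
    enabled                  = true
  }

  # Make sure the resource policy exists before the domain tries to publish.
  depends_on = [aws_cloudwatch_log_resource_policy.es_logs]
}
```

After applying, confirm delivery rather than trusting the plan: a log stream should appear under the audit log group within a few minutes of the first authenticated request to the domain. If the group stays empty, the resource policy or the fine-grained access control setting is the usual cause.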