Domain logging should be enabled for Elastic Search domains
Default Severity: medium
Explanation
Amazon ES exposes four Elasticsearch logs through Amazon CloudWatch Logs: error logs, search slow logs, index slow logs, and audit logs.
Search slow logs, index slow logs, and error logs are useful for troubleshooting performance and stability issues.
Audit logs track user activity for compliance purposes.
All the logs are disabled by default.
Possible Impact
Logging provides vital information about access and usage
Suggested Resolution
Enable logging for ElasticSearch domains
Insecure Example
The following example will fail the aws-elastic-search-enable-domain-logging check.
resource "aws_elasticsearch_domain" "bad_example" {
domain_name = "example"
elasticsearch_version = "1.5"
}
Secure Example
The following example will pass the aws-elastic-search-enable-domain-logging check.
resource "aws_elasticsearch_domain" "good_example" {
domain_name = "example"
elasticsearch_version = "1.5"
log_publishing_options {
cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
log_type = "AUDIT_LOGS"
enabled = true
}
}