Ensure slow logs (index slow logs) are enabled for AWS ElasticSearch Domain

MEDIUM

Description

Leaving index slow logs disabled removes visibility into slow indexing operations, so performance issues on the domain are harder to detect and diagnose.

Remediation

In AWS Console -

  1. Sign in to the AWS Management Console and go to Amazon ES console.
  2. Select the domain you want.
  3. Open the Logs tab.
  4. Under Set up Search slow logs, choose Setup. You can choose to Create new log group or Use existing log group.

In Terraform -

  1. In the aws_elasticsearch_domain resource, create a log_publishing_options block.
  2. Set the log_publishing_options.cloudwatch_log_group_arn field to the ARN of the CloudWatch log group that will receive the logs.
  3. Set the log_publishing_options.enabled field to true.
  4. Set the log_publishing_options.log_type to INDEX_SLOW_LOGS.
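The Terraform steps above as one complete configuration, added here as an example and not taken from the page: the domain name, log group name, instance type and version are assumptions. It also includes the CloudWatch resource policy that the Amazon ES service needs to write into the log group, which the steps do not mention.

```hcl
# Added example (not from the policy page): a CloudWatch log group, the resource
# policy that lets the Amazon ES service write to it, and a domain that publishes
# INDEX_SLOW_LOGS to that group. All names and sizes are assumed values.
resource "aws_cloudwatch_log_group" "es_index_slow" {
  name              = "/aws/aes/domains/example-domain/index-logs"
  retention_in_days = 90
}

# Without this resource policy the domain cannot deliver logs to the group:
# the log_publishing_options block is accepted, but nothing is ever written.
resource "aws_cloudwatch_log_resource_policy" "es_index_slow" {
  policy_name = "example-domain-index-slow-logs"
  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "es.amazonaws.com" }
      Action    = ["logs:PutLogEvents", "logs:CreateLogStream"]
      Resource  = "${aws_cloudwatch_log_group.es_index_slow.arn}:*"
    }]
  })
}

resource "aws_elasticsearch_domain" "example" {
  domain_name           = "example-domain"
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type = "t3.small.elasticsearch"
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  # Satisfies AC_AWS_0105: index slow logs are published to CloudWatch.
  log_publishing_options {
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.es_index_slow.arn
    log_type                 = "INDEX_SLOW_LOGS"
    enabled                  = true
  }
}
```

Publishing only sets up delivery; entries appear in the group only after slow-log thresholds (the index.indexing.slowlog.threshold.* settings) are configured on the indices themselves.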

References:
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_publishing_options

Policy Details

Rule Reference ID: AC_AWS_0105
CSP: AWS
Remediation Available: Yes
Resource Category: Analytics
Resource Type: ElasticSearch Service

Frameworks