Elasticsearch domain should send logs to CloudWatch¶

Ensure that AWS OpenSearch Service (OpenSearch Service) domains are configured to send logs to AWS CloudWatch Logs. The rule is compliant if a log is enabled for an OpenSearch Service domain. This rule is non-compliant if logging is not configured.

How to fix¶

Attribute log_publishing_options of aws_elasticsearch_domain must be non-empty.

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_elasticsearch_domain.

resource "aws_elasticsearch_domain" "this" {
  advanced_security_options {
    enabled                        = true
    internal_user_database_enabled = true

    master_user_options {
      master_user_name     = "admin"
      master_user_password = "ChangeMe123!"
    }
  }

  cognito_options {
    enabled          = true
    identity_pool_id = "us-east-1:12345678-1234-1234-1234-123456789012"
    role_arn         = "arn:aws:iam::123456789012:role/CognitoAccessForAmazonES"
    user_pool_id     = "us-east-1_Example"
  }

  domain_name = "pofix-example"

  log_publishing_options {
    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/elasticsearch/domains/example"
    log_type                 = "AUDIT_LOGS"
  }

  vpc_options {
    subnet_ids = ["subnet-12345abc"]
  }
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: es_domain_logs_to_cloudwatch

• AWS Config Managed Rule: ELASTICSEARCH_LOGS_TO_CLOUDWATCH

• Powerpipe Controls: aws_compliance.control.es_domain_logs_to_cloudwatch, aws_compliance.control.opensearch_domain_logs_to_cloudwatch