Skip to main content

πŸ›‘οΈ AWS OpenSearch Domain audit logging is not enabled🟒

  • Contextual name: πŸ›‘οΈ Domain audit logging is not enabled🟒
  • ID: /ce/ca/aws/opensearch/domain-audit-logging
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Description​

Open File

Description​

This policy identifies AWS OpenSearch Domains that are not configured to publish audit logs (AUDIT_LOGS) to Amazon CloudWatch Logs.

Rationale​

Audit logs capture user access and activity within an OpenSearch Service domain and are a critical security control for the following purposes:

  1. Forensic Analysis: Enables investigation of user actions, including who accessed specific data and what operations were performed.
  2. Unauthorized Access Detection: Helps identify failed authentication attempts and unauthorized access to restricted indices.
  3. Compliance: Supports adherence to regulatory and industry standards (such as SOC 2, HIPAA, and PCI DSS) that require monitoring and auditing access to sensitive data.

Audit​

This policy flags an AWS OpenSearch Service domain as INCOMPLIANT when the Log Publishing Options configuration is either empty or does not have the AUDIT_LOGS option enabled.

Remediation​

Open File

Remediation​

Enable Audit Log Publishing for OpenSearch Domain​

To enable publishing of OpenSearch Service audit logs (AUDIT_LOGS) to Amazon CloudWatch Logs, perform the following steps.

Step 1: Create a CloudWatch Log Group​

If a log group does not already exist, create one using the AWS CLI:

aws logs create-log-group \
    --log-group-name {{log-group-name}}
Step 2: Retrieve the Log Group ARN​

Obtain the ARN of the log group, which will be required in later steps:

aws logs describe-log-groups \
    --log-group-name-prefix {{log-group-name}} \
    --query logGroups[*].arn
Step 3: Grant OpenSearch Service Permission to Write Logs​

Attach a resource-based policy to CloudWatch Logs that allows OpenSearch Service to create log streams and publish log events. Replace the placeholders with your actual values.

aws logs put-resource-policy \
    --policy-name {{opensearch-log-publishing-policy}} \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ES.5] Elasticsearch domains should have audit logging enabled1no data
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Opensearch.5] OpenSearch domains should have audit logging enabled1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration78no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)23no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)832no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)27no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)139no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)17no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6(4) Central Review and Analysis (H)17no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-10 Non-repudiation (H)16no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)274no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)228no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(20) Privileged Users (H)4957no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)27no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)24no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)74no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)128no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)23no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)32no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)27no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-3 Content of Audit Records (L)(M)(H)139no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6(3) Correlate Audit Record Repositories (M)(H)17no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)74no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CA-7 Continuous Monitoring (L)(M)(H)228no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-02: Potentially adverse events are analyzed to better understand associated activities51no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources66no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events185no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-02: The physical environment is monitored to find potentially adverse events28no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events105no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-06: External service provider activities and services are monitored to find potentially adverse events51no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events182no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-01: Improvements are identified from evaluations47no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties62no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities62no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded47no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked50no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(4) Account Management _ Automated Audit Actions1523no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(26) Information Flow Enforcement _ Audit Filtering Actions18no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-6(9) Least Privilege _ Log Use of Privileged Functions1725no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-2 Event Logging427no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-3 Content of Audit Records31539no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories17no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis17no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-10 Non-repudiation516no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44874no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-7 Continuous Monitoring628no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic35no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands13no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-4(20) System Monitoring _ Privileged Users12no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events17no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2 Implement automated audit trails for all system components.7633no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.9no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1 Audit logs are enabled and active for all system components and cardholder data.732no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.4.2 Logs of all other system components are reviewed periodically.19no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1 Audit logs are enabled and active for all system components and cardholder data.7132no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.4.2 Logs of all other system components are reviewed periodically.19no data