🛡️ AWS OpenSearch Domain audit logging is not enabled🟢

Contextual name: 🛡️ Domain audit logging is not enabled🟢
ID: /ce/ca/aws/opensearch/domain-audit-logging
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS OpenSearch Domain
- 🔌 AWS OpenSearch Domain - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [Opensearch.5] OpenSearch domains should have audit logging enabled
AWS Security Hub: [ES.5] Elasticsearch domains should have audit logging enabled

Description

Description

This policy identifies AWS OpenSearch Domains that are not configured to publish audit logs (AUDIT_LOGS) to Amazon CloudWatch Logs.

Rationale

Audit logs capture user access and activity within an OpenSearch Service domain and are a critical security control for the following purposes:

Forensic Analysis: Enables investigation of user actions, including who accessed specific data and what operations were performed.

Unauthorized Access Detection: Helps identify failed authentication attempts and unauthorized access to restricted indices.

Compliance: Supports adherence to regulatory and industry standards (such as SOC 2, HIPAA, and PCI DSS) that require monitoring and auditing access to sensitive data.

Audit

This policy flags an AWS OpenSearch Service domain as INCOMPLIANT when the Log Publishing Options configuration is either empty or does not have the AUDIT_LOGS option enabled.

Remediation

Open File

Remediation

Enable Audit Log Publishing for OpenSearch Domain

To enable publishing of OpenSearch Service audit logs (AUDIT_LOGS) to Amazon CloudWatch Logs, perform the following steps.

Step 1: Create a CloudWatch Log Group

If a log group does not already exist, create one using the AWS CLI:
aws logs create-log-group \
    --log-group-name {{log-group-name}}
Step 2: Retrieve the Log Group ARN

Obtain the ARN of the log group, which will be required in later steps:
aws logs describe-log-groups \
    --log-group-name-prefix {{log-group-name}} \
    --query logGroups[*].arn
Step 3: Grant OpenSearch Service Permission to Write Logs

Attach a resource-based policy to CloudWatch Logs that allows OpenSearch Service to create log streams and publish log events. Replace the placeholders with your actual values.
aws logs put-resource-policy \
    --policy-name {{opensearch-log-publishing-policy}} \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.5] Elasticsearch domains should have audit logging enabled			1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.5] OpenSearch domains should have audit logging enabled			1	no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			71	no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			18	no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	28	no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			22	no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		33	no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			13	no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			13	no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			12	no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		69	no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		22	no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	53	no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			22	no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			19	no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			69	no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		22	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			18	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			28	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			22	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		33	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			13	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			69	no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		22	no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			44	no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			59	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			161	no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			22	no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			94	no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			44	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			162	no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			36	no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			50	no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			51	no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			40	no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			39	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	18	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			14	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		22	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	33	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			13	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			13	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		12	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	69	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		22	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			25	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			9	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			8	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			13	no data
💼 PCI DSS v3.2.1 → 💼 10.2 Implement automated audit trails for all system components.	7	6	30	no data
💼 PCI DSS v3.2.1 → 💼 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.			7	no data
💼 PCI DSS v4.0.1 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7		29	no data
💼 PCI DSS v4.0.1 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		7	no data
💼 PCI DSS v4.0 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7	1	29	no data
💼 PCI DSS v4.0 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		7	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Enable Audit Log Publishing for OpenSearch Domain​

Step 1: Create a CloudWatch Log Group​

Step 2: Retrieve the Log Group ARN​

Step 3: Grant OpenSearch Service Permission to Write Logs​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Enable Audit Log Publishing for OpenSearch Domain

Step 1: Create a CloudWatch Log Group

Step 2: Retrieve the Log Group ARN

Step 3: Grant OpenSearch Service Permission to Write Logs

policy.yaml

Linked Framework Sections