🛡️ AWS OpenSearch Domain audit logging is not enabled🟢

Contextual name: 🛡️ Domain audit logging is not enabled🟢
ID: /ce/ca/aws/opensearch/domain-audit-logging
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS OpenSearch Domain
- 🔌 AWS OpenSearch Domain - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [Opensearch.5] OpenSearch domains should have audit logging enabled
AWS Security Hub: [ES.5] Elasticsearch domains should have audit logging enabled

Description

Description

This policy identifies AWS OpenSearch Domains that are not configured to publish audit logs (AUDIT_LOGS) to Amazon CloudWatch Logs.

Rationale

Audit logs capture user access and activity within an OpenSearch Service domain and are a critical security control for the following purposes:

Forensic Analysis: Enables investigation of user actions, including who accessed specific data and what operations were performed.

Unauthorized Access Detection: Helps identify failed authentication attempts and unauthorized access to restricted indices.

Compliance: Supports adherence to regulatory and industry standards (such as SOC 2, HIPAA, and PCI DSS) that require monitoring and auditing access to sensitive data.

Audit

This policy flags an AWS OpenSearch Service domain as INCOMPLIANT when the Log Publishing Options configuration is either empty or does not have the AUDIT_LOGS option enabled.

Remediation

Open File

Remediation

Enable Audit Log Publishing for OpenSearch Domain

To enable publishing of OpenSearch Service audit logs (AUDIT_LOGS) to Amazon CloudWatch Logs, perform the following steps.

Step 1: Create a CloudWatch Log Group

If a log group does not already exist, create one using the AWS CLI:
aws logs create-log-group \
    --log-group-name {{log-group-name}}
Step 2: Retrieve the Log Group ARN

Obtain the ARN of the log group, which will be required in later steps:
aws logs describe-log-groups \
    --log-group-name-prefix {{log-group-name}} \
    --query logGroups[*].arn
Step 3: Grant OpenSearch Service Permission to Write Logs

Attach a resource-based policy to CloudWatch Logs that allows OpenSearch Service to create log streams and publish log events. Replace the placeholders with your actual values.
aws logs put-resource-policy \
    --policy-name {{opensearch-log-publishing-policy}} \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.5] Elasticsearch domains should have audit logging enabled			1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.5] OpenSearch domains should have audit logging enabled			1	no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			75	no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21	no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	31	no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26	no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		37	no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			16	no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			16	no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			15	no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		73	no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27	no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	56	no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26	no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			23	no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73	no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		27	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			21	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			31	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			26	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		37	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			16	no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			73	no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		27	no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			50	no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			65	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180	no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			27	no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			100	no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			50	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181	no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			45	no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			59	no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			60	no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			46	no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			49	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	21	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			17	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	24	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		26	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	37	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			16	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		15	no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	73	no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		27	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			34	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			12	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			11	no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			16	no data
💼 PCI DSS v3.2.1 → 💼 10.2 Implement automated audit trails for all system components.	7	6	33	no data
💼 PCI DSS v3.2.1 → 💼 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.			9	no data
💼 PCI DSS v4.0.1 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7		32	no data
💼 PCI DSS v4.0.1 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		9	no data
💼 PCI DSS v4.0 → 💼 10.2.1 Audit logs are enabled and active for all system components and cardholder data.	7	1	32	no data
💼 PCI DSS v4.0 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		9	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Enable Audit Log Publishing for OpenSearch Domain​

Step 1: Create a CloudWatch Log Group​

Step 2: Retrieve the Log Group ARN​

Step 3: Grant OpenSearch Service Permission to Write Logs​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Enable Audit Log Publishing for OpenSearch Domain

Step 1: Create a CloudWatch Log Group

Step 2: Retrieve the Log Group ARN

Step 3: Grant OpenSearch Service Permission to Write Logs

policy.yaml

Linked Framework Sections