Description
This policy identifies AWS OpenSearch Domains that are not configured to publish error logs (ES_APPLICATION_LOGS) to Amazon CloudWatch Logs.
Rationale
AWS OpenSearch Service error logs provide critical visibility into errors and warnings generated by domain nodes. Enabling these logs is essential for the following reasons:
- Incident Response: Facilitates rapid identification and troubleshooting of issues that may lead to service disruptions or failed queries.
- Cluster Health Monitoring: Helps detect internal warnings and anomalies that could indicate potential stability or performance issues before they escalate.
Audit
This policy flags an AWS OpenSearch Service domain as INCOMPLIANT when the Log Publishing Options configuration is either empty or does not have the ES_APPLICATION_LOGS option enabled.
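The audit condition above, written as an added example (not the policy engine's own code). It assumes the input is shaped like the `DomainStatus` object returned by the OpenSearch Service `DescribeDomain` API; the `COMPLIANT` label, the function names and all sample data are assumptions made for illustration.

```python
# Added example: evaluates DomainStatus dicts shaped like DescribeDomain output.
# Function names and the "COMPLIANT" label are assumptions, not from the policy.

ERROR_LOG_TYPE = "ES_APPLICATION_LOGS"


def evaluate_domain(domain_status):
    """Return (status, reason) for one DomainStatus dict."""
    options = domain_status.get("LogPublishingOptions") or {}
    if not options:
        return "INCOMPLIANT", "Log Publishing Options is empty"
    error_logs = options.get(ERROR_LOG_TYPE)
    if error_logs is None:
        return "INCOMPLIANT", f"{ERROR_LOG_TYPE} is not configured"
    # Enabled must be True; a leftover log group ARN alone is not enough.
    if error_logs.get("Enabled") is not True:
        return "INCOMPLIANT", f"{ERROR_LOG_TYPE} is present but not enabled"
    return "COMPLIANT", f"{ERROR_LOG_TYPE} is enabled"


def audit(domains):
    """Map each domain name to its (status, reason)."""
    return {d["DomainName"]: evaluate_domain(d) for d in domains}


# Constructed sample input (account ID, region and names are placeholders).
LOG_GROUP = "arn:aws:logs:us-east-1:111122223333:log-group:/example/opensearch/errors"
SAMPLE_DOMAINS = [
    {"DomainName": "no-logging", "LogPublishingOptions": {}},
    {"DomainName": "key-missing"},
    {"DomainName": "slow-logs-only", "LogPublishingOptions": {
        "SEARCH_SLOW_LOGS": {"CloudWatchLogsLogGroupArn": LOG_GROUP, "Enabled": True}}},
    {"DomainName": "disabled", "LogPublishingOptions": {
        ERROR_LOG_TYPE: {"CloudWatchLogsLogGroupArn": LOG_GROUP, "Enabled": False}}},
    {"DomainName": "error-logs-on", "LogPublishingOptions": {
        ERROR_LOG_TYPE: {"CloudWatchLogsLogGroupArn": LOG_GROUP, "Enabled": True}}},
]

if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE_DOMAINS).items():
        print(f"{name:16} {status:12} {reason}")
```

A domain that publishes only slow logs or audit logs is still flagged, because the check looks specifically at the `ES_APPLICATION_LOGS` entry.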