🛡️ AWS OpenSearch Domain error logging is not enabled🟢

• Contextual name: 🛡️ Domain error logging is not enabled🟢
• ID: /ce/ca/aws/opensearch/domain-error-logging
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS OpenSearch Domain
  • 🔌 AWS OpenSearch Domain - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
• AWS Security Hub: [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled

Description

Open File

Description

This policy identifies AWS OpenSearch Domains that are not configured to publish error logs (ES_APPLICATION_LOGS) to Amazon CloudWatch Logs.

Rationale

AWS OpenSearch Service error logs provide critical visibility into errors and warnings generated by domain nodes. Enabling these logs is essential for the following reasons:

1. Incident Response: Facilitates rapid identification and troubleshooting of issues that may lead to service disruptions or failed queries.
2. Cluster Health Monitoring: Helps detect internal warnings and anomalies that could indicate potential stability or performance issues before they escalate.

Audit

This policy flags an AWS OpenSearch Service domain as INCOMPLIANT when the Log Publishing Options configuration is either empty or does not have the ES_APPLICATION_LOGS option enabled.

Remediation

Open File

Remediation

Enable Error Log Publishing for OpenSearch Domain

To enable publishing of OpenSearch Service error logs (ES_APPLICATION_LOGS) to Amazon CloudWatch Logs, perform the following steps.

Step 1: Create a CloudWatch Log Group

If a log group does not already exist, create one using the AWS CLI:

aws logs create-log-group \
    --log-group-name {{log-group-name}}

Step 2: Retrieve the Log Group ARN

Obtain the ARN of the log group, which will be required in later steps:

aws logs describe-log-groups \
    --log-group-name-prefix {{log-group-name}}
    --query logGroups[*].arn

Step 3: Grant OpenSearch Service Permission to Write Logs

Attach a resource-based policy to CloudWatch Logs that allows OpenSearch Service to create log streams and publish log events. Replace cw_log_group_arn with your actual log group ARN.

aws logs put-resource-policy \
    --policy-name {{opensearch-log-publishing-policy}} \
    --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
            {

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled			1		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			71		no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			18		no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	28		no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			22		no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		33		no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			13		no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			13		no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			12		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		69		no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		22		no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	53		no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			22		no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			19		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			69		no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		22		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			18		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			28		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			22		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		33		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			13		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			69		no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		22		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			44		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			59		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			161		no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			22		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			94		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			44		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			162		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			36		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			50		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			51		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			40		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			39		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	18		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			14		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	21		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		22		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	33		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			13		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			13		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		12		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	69		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		22		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			25		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			9		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			8		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			13		no data