Profile Applicability:

  • Level 1

Description:

Amazon Elasticsearch Service (Amazon ES) and Amazon OpenSearch Service are managed services for running Elasticsearch and OpenSearch clusters. Audit logging allows you to monitor and log access to the cluster, including who accessed the data, what actions they performed, and when. Enabling audit logging for your domains helps with tracking suspicious activities, ensuring compliance, and maintaining accountability for actions performed within your domain. This SOP ensures that audit logging is enabled for Elasticsearch/OpenSearch domains to capture critical security-related events.

Rationale:

  • Security Monitoring: Audit logging provides a way to monitor for suspicious activity and access patterns, helping detect unauthorized access or misuse of resources.

  • Compliance: Many regulatory frameworks (e.g., HIPAA, SOC 2, GDPR) require comprehensive logging and auditing of user actions to ensure compliance with data protection and privacy regulations.

  • Accountability: By enabling audit logs, you can track changes made to the cluster and identify the users responsible for specific actions, improving accountability.

Impact:

Pros:

  • Enhanced Security: Allows detailed tracking of user actions, which is crucial for detecting unauthorized access or misuse.

  • Audit Trails for Compliance: Provides logs for auditing purposes, helping meet regulatory requirements.

  • Visibility: Increases visibility into who accessed the domain and what actions they performed, facilitating incident response.

Cons:

  • Storage Overhead: Audit logs can generate large amounts of data, which may lead to higher storage costs depending on log volume.

  • Potential Performance Impact: While generally minimal, enabling audit logging may have a slight performance impact due to the extra logging overhead.

Default Value:

By default, audit logging is disabled for Amazon Elasticsearch/OpenSearch domains. It must be explicitly enabled during domain configuration or after the domain has been created.

Pre-requisite:

  • AWS IAM Permissions:

    • es:DescribeDomain

    • es:UpdateDomainConfig

    • es:CreateDomain

  • AWS CLI installed and configured.

  • Amazon Elasticsearch/OpenSearch domain created or in the process of being created.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon OpenSearch Service under Services.

  3. In the OpenSearch Console, go to Domains and select the domain you want to check.

  4. Under the Domain details, scroll down to the Audit Logging section.

  5. Check if Audit Logging is enabled.

    • If enabled, it will show the S3 bucket or CloudWatch log destination where logs are stored.

    • If disabled, the setting will need to be enabled.

Using AWS CLI:

To check if audit logging is enabled for a specific OpenSearch domain, run:

aws opensearch describe-domain --domain-name <domain-name> --query "DomainStatus.LogPublishingOptions.AUDIT_LOGS"

  1. Look at the Enabled field in the AUDIT_LOGS output:

    • If true (with a CloudWatchLogsLogGroupArn set), audit logging is enabled.

    • If false, or if the command returns null, audit logging is not enabled.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Amazon OpenSearch Service.

  2. Go to Domains and select the domain for which you want to enable audit logging.

  3. In the Domain details section, click Modify.

  4. Scroll down to the Audit Logging section.

  5. Enable Audit Logging by selecting Enable.

  6. Choose either S3 bucket or CloudWatch Logs as the destination for audit logs.

  7. Save the changes to apply the updated configuration.

Using AWS CLI:

To enable audit logging, run the following command (audit logs are published to a CloudWatch Logs log group, so the destination is the log group ARN):

aws opensearch update-domain-config \
  --domain-name <domain-name> \
  --log-publishing-options "AUDIT_LOGS={CloudWatchLogsLogGroupArn=<cloudwatch-log-group-arn>,Enabled=true}"

After enabling, verify the audit logging status by running:

aws opensearch describe-domain --domain-name <domain-name> --query "DomainStatus.LogPublishingOptions.AUDIT_LOGS"
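An added example (not part of this SOP) that does the Test Plan check and the implementation step programmatically: it evaluates the describe-domain response for each domain and builds the update-domain-config request that enables audit logs. The two domain responses and the account/ARN values are constructed samples; the request shape matches the boto3 `update_domain_config` parameters but no AWS call is made here.

```python
import json

# Constructed sample: trimmed shape of `aws opensearch describe-domain`
# output for two hypothetical domains (not real AWS output).
SAMPLE_DESCRIBE_OUTPUT = {
    "logs-prod": {"DomainStatus": {
        "DomainName": "logs-prod",
        "AdvancedSecurityOptions": {"Enabled": True},
        "LogPublishingOptions": {"AUDIT_LOGS": {
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/logs-prod/audit",
            "Enabled": True}}}},
    "search-dev": {"DomainStatus": {
        "DomainName": "search-dev",
        "AdvancedSecurityOptions": {"Enabled": False},
        "LogPublishingOptions": {}}},
}


def audit_logging_status(describe_output):
    """Evaluate one describe-domain response and return a finding record."""
    status = describe_output.get("DomainStatus", {})
    audit = (status.get("LogPublishingOptions") or {}).get("AUDIT_LOGS") or {}
    enabled = bool(audit.get("Enabled"))
    has_dest = bool(audit.get("CloudWatchLogsLogGroupArn"))
    # Audit logs depend on fine-grained access control being on for the domain.
    fgac = bool((status.get("AdvancedSecurityOptions") or {}).get("Enabled"))
    findings = []
    if not enabled:
        findings.append("AUDIT_LOGS not enabled")
    if enabled and not has_dest:
        findings.append("AUDIT_LOGS enabled but no CloudWatch log group ARN set")
    if not fgac:
        findings.append("fine-grained access control disabled (required for audit logs)")
    return {"domain": status.get("DomainName"),
            "compliant": enabled and has_dest and fgac,
            "findings": findings}


def remediation_params(domain_name, log_group_arn):
    """Build the update_domain_config request that turns audit logs on."""
    return {"DomainName": domain_name,
            "LogPublishingOptions": {"AUDIT_LOGS": {
                "CloudWatchLogsLogGroupArn": log_group_arn, "Enabled": True}}}


def scan(outputs):
    """Run the check over every captured describe-domain response."""
    return [audit_logging_status(o) for o in outputs.values()]


if __name__ == "__main__":
    for result in scan(SAMPLE_DESCRIBE_OUTPUT):
        print(json.dumps(result))
```

Non-compliant domains from `scan` can be fed to `remediation_params` and passed to boto3's `update_domain_config` once the target log group and its resource policy exist.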

Backout Plan:

If enabling audit logging causes issues (e.g., performance degradation or unexpected costs):

Revert the changes by disabling audit logging:

aws opensearch update-domain-config --domain-name <domain-name> --log-publishing-options "AUDIT_LOGS={Enabled=false}"

  1. Monitor the domain to ensure that the issue is resolved and that logging is disabled.

Note:

  • Log Management: Ensure that logs are regularly rotated or archived to prevent storage costs from growing too high, especially if logs are stored in S3.

  • CloudWatch Integration: If using CloudWatch for audit logs, ensure that appropriate CloudWatch log groups and log stream permissions are in place.

References:

CIS Controls Mapping:

Version | Control ID | Control Description                                                                                                             | IG1 | IG2 | IG3
--------|------------|---------------------------------------------------------------------------------------------------------------------------------|-----|-----|----
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                            |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                        |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                                 |     |     |