Profile Applicability:

  • Level 1


Description:

This control ensures that all Amazon Elasticsearch Service (now Amazon OpenSearch Service) domains have audit, index slow, search slow, and error logs enabled and delivered to Amazon CloudWatch Logs. Enabling these logs provides deep visibility into search, indexing, and security events, allowing administrators to monitor access patterns, troubleshoot performance issues, and detect unauthorized or suspicious activities.


Rationale:

Logging is a key security and operational requirement for maintaining transparency, auditing, and incident response readiness. Enabling OpenSearch domain logs helps:

  • Track configuration and access changes.
  • Detect unusual query patterns or unauthorized access attempts.
  • Support forensic investigations and compliance evidence collection.

Without proper logging, organizations lack visibility into search engine activity, which may hinder troubleshooting, incident response, and compliance with frameworks such as SOC 2, ISO 27001, and CIS Benchmarks.


Impact:

  • Positive Impact:
    • Enhances monitoring and forensic analysis capabilities.
    • Provides audit trails for compliance and security reviews.
    • Improves visibility into performance bottlenecks (via slow logs).
  • Negative Impact:
    • May incur additional CloudWatch storage costs.
    • Minor performance impact due to logging overhead.


Default Value:

By default, Amazon OpenSearch Service domains do not have logging enabled. Each log type (error, audit, search slow, and index slow) must be configured manually.


Pre-Requisite:

  • The OpenSearch domain must exist and be active.

  • A CloudWatch Logs group must be created in the same region as the OpenSearch domain.

  • IAM permissions required: es:UpdateDomainConfig, logs:CreateLogGroup, and logs:PutResourcePolicy.


Remediation:

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.
  2. Navigate to Amazon OpenSearch Service → Domains.
  3. Select a domain.
  4. Under Logs, verify that the following logs are enabled:
    • Audit logs (for fine-grained access control and compliance tracking)
    • Error logs
    • Search slow logs
    • Index slow logs
  5. Ensure each log is configured to deliver to a CloudWatch Logs group.
  6. If any log type is disabled, enable it and specify an existing or new CloudWatch Logs group.
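The same check as the Test Plan above, run against the API instead of the console, as an added Python example that is not part of this benchmark: it evaluates the LogPublishingOptions block returned by describe-domain-config (log types AUDIT_LOGS, ES_APPLICATION_LOGS, SEARCH_SLOW_LOGS, INDEX_SLOW_LOGS) and also verifies the same-region prerequisite from the Pre-Requisite section. The domain and log-group ARNs and the sample response are constructed, and the boto3 wiring is an assumption.

```python
# Added example (not part of this benchmark): audit the four required log types
# from the LogPublishingOptions block that describe-domain-config returns.
import json

# API log-type names mapped to the console labels used in the Test Plan.
REQUIRED_LOG_TYPES = {
    "AUDIT_LOGS": "Audit logs",
    "ES_APPLICATION_LOGS": "Error logs",
    "SEARCH_SLOW_LOGS": "Search slow logs",
    "INDEX_SLOW_LOGS": "Index slow logs",
}

def arn_region(arn):
    """Region field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    return parts[3] if len(parts) > 4 else ""

def audit_log_publishing(domain_arn, options):
    """Return {log_type: 'OK' or 'FAIL: reason'}. `options` is
    DomainConfig.LogPublishingOptions.Options; `domain_arn` is from describe-domain."""
    findings = {}
    for log_type, label in REQUIRED_LOG_TYPES.items():
        opt = options.get(log_type, {})
        group_arn = opt.get("CloudWatchLogsLogGroupArn", "")
        if not opt.get("Enabled"):
            findings[log_type] = f"FAIL: {label} not enabled"
        elif not group_arn:
            findings[log_type] = f"FAIL: {label} has no CloudWatch Logs group"
        elif arn_region(group_arn) != arn_region(domain_arn):
            findings[log_type] = f"FAIL: {label} group is not in the domain's region"
        else:
            findings[log_type] = "OK"
    return findings

def is_compliant(findings):
    """True only when every required log type is enabled and correctly targeted."""
    return all(v == "OK" for v in findings.values())

# Constructed sample: error-log group in the wrong region, index slow logs off.
SAMPLE_DOMAIN_ARN = "arn:aws:es:us-east-1:111122223333:domain/example-domain"
_LG = "arn:aws:logs:{}:111122223333:log-group:/aws/opensearch/example/{}"
SAMPLE_OPTIONS = {
    "AUDIT_LOGS": {"Enabled": True, "CloudWatchLogsLogGroupArn": _LG.format("us-east-1", "audit")},
    "ES_APPLICATION_LOGS": {"Enabled": True, "CloudWatchLogsLogGroupArn": _LG.format("eu-west-1", "error")},
    "SEARCH_SLOW_LOGS": {"Enabled": True, "CloudWatchLogsLogGroupArn": _LG.format("us-east-1", "slow")},
    "INDEX_SLOW_LOGS": {"Enabled": False},
}

if __name__ == "__main__":  # live use: fetch both inputs with boto3 and pass them in
    print(json.dumps(audit_log_publishing(SAMPLE_DOMAIN_ARN, SAMPLE_OPTIONS), indent=2))
```

For a live domain, pass DomainStatus.ARN from describe-domain and DomainConfig.LogPublishingOptions.Options from describe-domain-config; any FAIL entry is a finding against this control.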


Implementation Plan

Using AWS Console:

  1. Navigate to Amazon OpenSearch Service → Domains.

  2. Choose the desired domain.

  3. Select the Logs tab.

  4. Under Audit logs, Search slow logs, Index slow logs, and Error logs, enable each option.

  5. For each log type:

    • Choose Enable.

    • Select a CloudWatch Logs group.

    • Choose an appropriate IAM role with permissions to write logs.

  6. Click Save changes to apply the configuration.


Backout Plan

Using AWS Console:

  1. Go to Amazon OpenSearch Service → Domains → Logs.
  2. Deselect any logging options you want to disable.
  3. Save changes to apply the updated configuration.


References: