Skip to main content

More Info:

ElasticSearch domains should be configured to log data to CloudWatch. ElasticSearch domains should be configured with logging enabled with logs sent to CloudWatch for analysis and long-term storage.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

GDPR, HIPAA, ISO27001

Triage and Remediation

  • Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the Elasticsearch logging misconfiguration in AWS:
  1. Log in to your AWS Management Console.
  2. Navigate to the Elasticsearch service.
  3. Select the Elasticsearch domain that you want to remediate.
  4. Click on the “Actions” drop-down menu and select “Modify Domain.”
  5. Scroll down to the “Logging” section and ensure that the “Enabled” option is selected.
  6. In the “Log Publishing Options” section, select the desired log types that you want to publish to CloudWatch Logs.
  7. In the “Log Publishing Options” section, select the desired log retention period.
  8. Click on the “Submit” button to save the changes.
Once you have completed these steps, Elasticsearch logging will be enabled for the selected Elasticsearch domain, and logs will be published to CloudWatch Logs for the selected log types and retention period.

To remediate the ElasticSearch logging misconfiguration in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine or EC2 instance.
  2. Run the following command to enable logging for your ElasticSearch domain: 
aws es update-elasticsearch-domain-config --domain-name <domain-name> --elasticsearch-cluster-config '{"CloudWatchLogsLogGroupArn":"<log-group-arn>","LogPublishingOptions":{"INDEX_SLOW_LOGS":{"CloudWatchLogsLogGroupArn":"<log-group-arn>","Enabled":true},"SEARCH_SLOW_LOGS":{"CloudWatchLogsLogGroupArn":"<log-group-arn>","Enabled":true},"ES_APPLICATION_LOGS":{"CloudWatchLogsLogGroupArn":"<log-group-arn>","Enabled":true},"AUDIT_LOGS":{"CloudWatchLogsLogGroupArn":"<log-group-arn>","Enabled":true}}}'
Replace <domain-name> with the name of your ElasticSearch domain and <log-group-arn> with the ARN of the CloudWatch Logs log group where you want to store your ElasticSearch logs.
  1. Verify that logging is enabled by running the following command:
aws es describe-elasticsearch-domain-config --domain-name <domain-name>
This will return the current configuration of your ElasticSearch domain. Check that the LogPublishingOptions property has the correct values for each log type.
  1. Wait for a few minutes for the changes to take effect and start seeing the logs in your CloudWatch Logs log group.
By following these steps, you have successfully remediated the ElasticSearch logging misconfiguration in AWS using AWS CLI.
To remediate the misconfiguration of ElasticSearch not having logging enabled in AWS using Python, you can follow these steps:
  1. Install the AWS SDK for Python (Boto3) using pip:
pip install boto3
  1. Create an AWS ElasticSearch client using Boto3:
import boto3

es_client = boto3.client('es')
  1. Check if logging is enabled for the ElasticSearch domain:
domain_name = 'your-domain-name'

logging_config = es_client.describe_elasticsearch_domain_config(
    DomainName=domain_name,
    DeploymentName='log-publishing'
)['DomainConfig']['LogPublishingOptions']

if logging_config:
    print('Logging is already enabled for the ElasticSearch domain.')
else:
    print('Logging is not enabled for the ElasticSearch domain.')
  1. If logging is not enabled, enable it by updating the ElasticSearch domain configuration:
logging_config = {
    'ES_APPLICATION_LOGS': {
        'CloudWatchLogsLogGroupArn': 'your-log-group-arn',
        'Enabled': True
    }
}

response = es_client.update_elasticsearch_domain_config(
    DomainName=domain_name,
    LogPublishingOptions=logging_config
)

print('Logging has been enabled for the ElasticSearch domain.')
Note: You will need to replace your-domain-name and your-log-group-arn with your own domain name and CloudWatch Logs log group ARN, respectively.

Additional Reading:

I