ElasticSearch Without Slow Logs
- Query id: 086ea2eb-14a6-4fd4-914b-38e0bc8703e8
- Query name: ElasticSearch Without Slow Logs
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- URL: Github
Description¶
Ensure that AWS Elasticsearch enables support for slow logs
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: ElasticsearchDomain resource
Resources:
ElasticsearchDomain:
Type: "AWS::Elasticsearch::Domain"
Properties:
DomainName:
Ref: DomainName
ElasticsearchVersion:
Ref: ElasticsearchVersion
ElasticsearchClusterConfig:
InstanceCount: "1"
InstanceType:
Ref: InstanceType
EBSOptions:
EBSEnabled: "true"
Iops: 0
VolumeSize: 10
VolumeType: standard
SnapshotOptions:
AutomatedSnapshotStartHour: "0"
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Deny
Principal:
AWS: "*"
Action: "es:*"
Resource: "*"
LogPublishingOptions:
SEARCH_SLOW_LOGS:
CloudWatchLogsLogGroupArn: >-
arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
Enabled: "false"
INDEX_SLOW_LOGS:
CloudWatchLogsLogGroupArn: >-
arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs
Enabled: "true"
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: ElasticsearchDomain resource
Resources:
ElasticsearchDomain:
Type: "AWS::Elasticsearch::Domain"
Properties:
DomainName:
Ref: DomainName
ElasticsearchVersion:
Ref: ElasticsearchVersion
ElasticsearchClusterConfig:
InstanceCount: "1"
InstanceType:
Ref: InstanceType
EBSOptions:
EBSEnabled: "true"
Iops: 0
VolumeSize: 10
VolumeType: standard
SnapshotOptions:
AutomatedSnapshotStartHour: "0"
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Deny
Principal:
AWS: "*"
Action: "es:*"
Resource: "*"
LogPublishingOptions:
ES_APPLICATION_LOGS:
CloudWatchLogsLogGroupArn: >-
arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs
Enabled: "true"
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: ElasticsearchDomain resource
Resources:
ElasticsearchDomain:
Type: "AWS::Elasticsearch::Domain"
Properties:
DomainName:
Ref: DomainName
ElasticsearchVersion:
Ref: ElasticsearchVersion
ElasticsearchClusterConfig:
InstanceCount: "1"
InstanceType:
Ref: InstanceType
EBSOptions:
EBSEnabled: "true"
Iops: 0
VolumeSize: 10
VolumeType: standard
SnapshotOptions:
AutomatedSnapshotStartHour: "0"
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Deny
Principal:
AWS: "*"
Action: "es:*"
Resource: "*"
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "ElasticsearchDomain resource",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"ElasticsearchVersion": {
"Ref": "ElasticsearchVersion"
},
"ElasticsearchClusterConfig": {
"InstanceCount": "1",
"InstanceType": {
"Ref": "InstanceType"
}
},
"EBSOptions": {
"Iops": 0,
"VolumeSize": 10,
"VolumeType": "standard",
"EBSEnabled": "true"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": "0"
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Resource": "*",
"Effect": "Deny",
"Principal": {
"AWS": "*"
}
}
]
},
"LogPublishingOptions": {
"SEARCH_SLOW_LOGS": {
"Enabled": "false",
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs"
}
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true"
}
}
}
}
}
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "ElasticsearchDomain resource",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"ElasticsearchVersion": {
"Ref": "ElasticsearchVersion"
},
"ElasticsearchClusterConfig": {
"InstanceCount": "1",
"InstanceType": {
"Ref": "InstanceType"
}
},
"EBSOptions": {
"Iops": 0,
"VolumeSize": 10,
"VolumeType": "standard",
"EBSEnabled": "true"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": "0"
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Resource": "*",
"Effect": "Deny",
"Principal": {
"AWS": "*"
}
}
]
},
"LogPublishingOptions": {
"ES_APPLICATION_LOGS": {
"Enabled": "true",
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs"
}
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true"
}
}
}
}
}
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "ElasticsearchDomain resource",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"EBSOptions": {
"EBSEnabled": "true",
"Iops": 0,
"VolumeSize": 10,
"VolumeType": "standard"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": "0"
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "*"
}
]
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true"
},
"DomainName": {
"Ref": "DomainName"
},
"ElasticsearchVersion": {
"Ref": "ElasticsearchVersion"
},
"ElasticsearchClusterConfig": {
"InstanceCount": "1",
"InstanceType": {
"Ref": "InstanceType"
}
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: ElasticsearchDomain resource
Resources:
ElasticsearchDomain:
Type: "AWS::Elasticsearch::Domain"
Properties:
DomainName:
Ref: DomainName
ElasticsearchVersion:
Ref: ElasticsearchVersion
ElasticsearchClusterConfig:
InstanceCount: "1"
InstanceType:
Ref: InstanceType
EBSOptions:
EBSEnabled: "true"
Iops: 0
VolumeSize: 10
VolumeType: standard
SnapshotOptions:
AutomatedSnapshotStartHour: "0"
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Deny
Principal:
AWS: "*"
Action: "es:*"
Resource: "*"
LogPublishingOptions:
SEARCH_SLOW_LOGS:
CloudWatchLogsLogGroupArn: >-
arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
Enabled: "true"
INDEX_SLOW_LOGS:
CloudWatchLogsLogGroupArn: >-
arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs
Enabled: "true"
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
Negative test num. 2 - json file
{
"document": [
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "ElasticsearchDomain resource",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true"
},
"DomainName": {
"Ref": "DomainName"
},
"ElasticsearchVersion": {
"Ref": "ElasticsearchVersion"
},
"ElasticsearchClusterConfig": {
"InstanceCount": "1",
"InstanceType": {
"Ref": "InstanceType"
}
},
"EBSOptions": {
"Iops": 0,
"VolumeSize": 10,
"VolumeType": "standard",
"EBSEnabled": "true"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": "0"
},
"AccessPolicies": {
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"LogPublishingOptions": {
"SEARCH_SLOW_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
"Enabled": "true"
},
"INDEX_SLOW_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs",
"Enabled": "true"
}
}
}
}
},
"id": "c886b8d1-8c44-4f23-ba01-6e30a2f5be7b",
"file": "C:\\Users\\foo\\Desktop\\Data\\yaml\\yaml.yaml"
}
]
}
Negative test num. 3 - yaml file
Resources:
ProductionElasticsearch:
Type: AWS::Elasticsearch::Domain
Properties:
EBSOptions:
EBSEnabled: true
VolumeSize: 70
VolumeType: gp2
ElasticsearchClusterConfig:
DedicatedMasterCount: 3
DedicatedMasterEnabled: true
DedicatedMasterType: omitted
InstanceCount: 3
InstanceType: omitted
ZoneAwarenessConfig:
AvailabilityZoneCount: 3
ZoneAwarenessEnabled: true
ElasticsearchVersion: omitted
LogPublishingOptions:
"INDEX_SLOW_LOGS":
CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchIndexSlowLogs.Arn
Enabled: true
"SEARCH_SLOW_LOGS":
CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchSearchSlowLogs.Arn
Enabled: true
"ES_APPLICATION_LOGS":
CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchApplicationLogs.Arn
Enabled: true