Elasticsearch Logs Disabled

  • Query id: a1120ee4-a712-42d9-8fb5-22595fed643b
  • Query name: Elasticsearch Logs Disabled
  • Platform: Pulumi
  • Severity: Medium
  • Category: Observability
  • CWE: Ongoing
  • URL: Github

Description

AWS Elasticsearch domains should have log publishing enabled.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
# Positive sample 1: the Elasticsearch domain declares no `logPublishingOptions`
# at all, so nothing is published to CloudWatch Logs and the query reports it.
name: aws-eks
runtime: yaml
# NOTE(review): the description says EKS, but the resources below define an
# Elasticsearch domain — probably copied from another sample.
description: An EKS cluster
resources:
  # CloudWatch log group a domain could publish to; nothing references it here.
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
  # Resource policy granting the Elasticsearch service write access to CloudWatch Logs
  # (document built by the `examplePolicyDocument` variable below).
  exampleLogResourcePolicy:
    type: aws:cloudwatch:LogResourcePolicy
    properties:
      policyName: example
      policyDocument: ${examplePolicyDocument.json}
  exampleDomain:
    type: aws:elasticsearch:Domain
    # No `logPublishingOptions` under `properties`: this is what makes the sample positive.
    properties:
      elasticsearchVersion: "7.10"
      elasticsearchClusterConfig:
        instanceType: "t2.small.elasticsearch"
        instanceCount: 1
      ebsOptions:
        ebsEnabled: true
        volumeType: "gp2"
        volumeSize: 10
variables:
  # IAM policy document allowing es.amazonaws.com to write log events/streams.
  examplePolicyDocument:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - es.amazonaws.com
            actions:
              - logs:PutLogEvents
              - logs:PutLogEventsBatch
              - logs:CreateLogStream
            # NOTE(review): `arn:aws:logs:*` covers every CloudWatch Logs resource;
            # scoping it to the log group above would be tighter (not what this query checks).
            resources:
              - arn:aws:logs:*
Positive test num. 2 - yaml file
# Positive sample 2: two log publishing entries, but only the second one carries
# an explicit `enabled: true`; the sample is listed as positive.
name: aws-eks
runtime: yaml
# NOTE(review): the description says EKS, but the resources below define an
# Elasticsearch domain — probably copied from another sample.
description: An EKS cluster
resources:
  # CloudWatch log group both publishing entries point at.
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
  # Resource policy granting the Elasticsearch service write access to CloudWatch Logs.
  exampleLogResourcePolicy:
    type: aws:cloudwatch:LogResourcePolicy
    properties:
      policyName: example
      policyDocument: ${examplePolicyDocument.json}
  exampleDomain:
    type: aws:elasticsearch:Domain
    properties:
      logPublishingOptions:
        # NOTE(review): this entry has no `enabled` key. Whether that means
        # "disabled" depends on the provider default, which is not shown here;
        # since the sample is positive, the query appears to require an explicit
        # `enabled: true` on every entry — confirm against the query source.
        - cloudwatchLogGroupArn: ${exampleLogGroup.arn}
          logType: INDEX_SLOW_LOGS
        # Explicitly enabled entry; on its own this would be the compliant shape.
        - cloudwatchLogGroupArn: ${exampleLogGroup.arn}
          logType: SEARCH_SLOW_LOGS
          enabled: true
variables:
  # IAM policy document allowing es.amazonaws.com to write log events/streams.
  examplePolicyDocument:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - es.amazonaws.com
            actions:
              - logs:PutLogEvents
              - logs:PutLogEventsBatch
              - logs:CreateLogStream
            # NOTE(review): `arn:aws:logs:*` covers every CloudWatch Logs resource;
            # scoping it to `${exampleLogGroup.arn}` would be tighter (not what this query checks).
            resources:
              - arn:aws:logs:*
Positive test num. 3 - yaml file
# Positive sample 3: a log publishing entry exists but is explicitly switched off
# with `enabled: false`, so the domain still publishes nothing.
name: aws-eks
runtime: yaml
# NOTE(review): the description says EKS, but the resources below define an
# Elasticsearch domain — probably copied from another sample.
description: An EKS cluster
resources:
  # CloudWatch log group the (disabled) publishing entry points at.
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
  # Resource policy granting the Elasticsearch service write access to CloudWatch Logs.
  exampleLogResourcePolicy:
    type: aws:cloudwatch:LogResourcePolicy
    properties:
      policyName: example
      policyDocument: ${examplePolicyDocument.json}
  exampleDomain:
    type: aws:elasticsearch:Domain
    properties:
      logPublishingOptions:
        - cloudwatchLogGroupArn: ${exampleLogGroup.arn}
          logType: INDEX_SLOW_LOGS
          # `enabled: false` is the finding: the entry is configured but inactive.
          enabled: false
variables:
  # IAM policy document allowing es.amazonaws.com to write log events/streams.
  examplePolicyDocument:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - es.amazonaws.com
            actions:
              - logs:PutLogEvents
              - logs:PutLogEventsBatch
              - logs:CreateLogStream
            # NOTE(review): `arn:aws:logs:*` covers every CloudWatch Logs resource;
            # scoping it to `${exampleLogGroup.arn}` would be tighter (not what this query checks).
            resources:
              - arn:aws:logs:*

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
# Negative sample 1: the domain has a log publishing entry with an explicit
# `enabled: true` pointing at the CloudWatch log group, so the query does not fire.
name: aws-eks
runtime: yaml
# NOTE(review): the description says EKS, but the resources below define an
# Elasticsearch domain — probably copied from another sample.
description: An EKS cluster
resources:
  # CloudWatch log group that receives the published logs.
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
  # Resource policy granting the Elasticsearch service write access to CloudWatch Logs;
  # without it the domain could not deliver to the log group.
  exampleLogResourcePolicy:
    type: aws:cloudwatch:LogResourcePolicy
    properties:
      policyName: example
      policyDocument: ${examplePolicyDocument.json}
  exampleDomain:
    type: aws:elasticsearch:Domain
    properties:
      logPublishingOptions:
        - cloudwatchLogGroupArn: ${exampleLogGroup.arn}
          logType: INDEX_SLOW_LOGS
          # Explicit `enabled: true` is what makes this sample compliant.
          enabled: true
variables:
  # IAM policy document allowing es.amazonaws.com to write log events/streams.
  examplePolicyDocument:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - es.amazonaws.com
            actions:
              - logs:PutLogEvents
              - logs:PutLogEventsBatch
              - logs:CreateLogStream
            # NOTE(review): `arn:aws:logs:*` covers every CloudWatch Logs resource;
            # scoping it to `${exampleLogGroup.arn}` would be tighter (not what this query checks).
            resources:
              - arn:aws:logs:*