# Elasticsearch Logs Disabled
- Query id: a1120ee4-a712-42d9-8fb5-22595fed643b
- Query name: Elasticsearch Logs Disabled
- Platform: Pulumi
- Severity: Medium
- Category: Observability
- CWE: Ongoing
- URL: Github
## Description

AWS Elasticsearch domains should have logs enabled.

Documentation

## Code samples

### Code samples with security vulnerabilities

#### Positive test num. 1 - yaml file

```yaml
name: aws-eks
runtime: yaml
description: An EKS cluster
resources:
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
  exampleLogResourcePolicy:
    type: aws:cloudwatch:LogResourcePolicy
    properties:
      policyName: example
      policyDocument: ${examplePolicyDocument.json}
  exampleDomain:
    type: aws:elasticsearch:Domain
    properties:
      elasticsearchVersion: "7.10"
      elasticsearchClusterConfig:
        instanceType: "t2.small.elasticsearch"
        instanceCount: 1
      ebsOptions:
        ebsEnabled: true
        volumeType: "gp2"
        volumeSize: 10
variables:
  examplePolicyDocument:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - es.amazonaws.com
            actions:
              - logs:PutLogEvents
              - logs:PutLogEventsBatch
              - logs:CreateLogStream
            resources:
              - arn:aws:logs:*
```
#### Positive test num. 2 - yaml file

```yaml
name: aws-eks
runtime: yaml
description: An EKS cluster
resources:
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
  exampleLogResourcePolicy:
    type: aws:cloudwatch:LogResourcePolicy
    properties:
      policyName: example
      policyDocument: ${examplePolicyDocument.json}
  exampleDomain:
    type: aws:elasticsearch:Domain
    properties:
      logPublishingOptions:
        - cloudwatchLogGroupArn: ${exampleLogGroup.arn}
          logType: INDEX_SLOW_LOGS
        - cloudwatchLogGroupArn: ${exampleLogGroup.arn}
          logType: SEARCH_SLOW_LOGS
          enabled: true
variables:
  examplePolicyDocument:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - es.amazonaws.com
            actions:
              - logs:PutLogEvents
              - logs:PutLogEventsBatch
              - logs:CreateLogStream
            resources:
              - arn:aws:logs:*
```
#### Positive test num. 3 - yaml file

```yaml
name: aws-eks
runtime: yaml
description: An EKS cluster
resources:
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
  exampleLogResourcePolicy:
    type: aws:cloudwatch:LogResourcePolicy
    properties:
      policyName: example
      policyDocument: ${examplePolicyDocument.json}
  exampleDomain:
    type: aws:elasticsearch:Domain
    properties:
      logPublishingOptions:
        - cloudwatchLogGroupArn: ${exampleLogGroup.arn}
          logType: INDEX_SLOW_LOGS
          enabled: false
variables:
  examplePolicyDocument:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - es.amazonaws.com
            actions:
              - logs:PutLogEvents
              - logs:PutLogEventsBatch
              - logs:CreateLogStream
            resources:
              - arn:aws:logs:*
```
### Code samples without security vulnerabilities

#### Negative test num. 1 - yaml file

```yaml
name: aws-eks
runtime: yaml
description: An EKS cluster
resources:
  exampleLogGroup:
    type: aws:cloudwatch:LogGroup
  exampleLogResourcePolicy:
    type: aws:cloudwatch:LogResourcePolicy
    properties:
      policyName: example
      policyDocument: ${examplePolicyDocument.json}
  exampleDomain:
    type: aws:elasticsearch:Domain
    properties:
      logPublishingOptions:
        - cloudwatchLogGroupArn: ${exampleLogGroup.arn}
          logType: INDEX_SLOW_LOGS
          enabled: true
variables:
  examplePolicyDocument:
    fn::invoke:
      Function: aws:iam:getPolicyDocument
      Arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                identifiers:
                  - es.amazonaws.com
            actions:
              - logs:PutLogEvents
              - logs:PutLogEventsBatch
              - logs:CreateLogStream
            resources:
              - arn:aws:logs:*
```
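As an added illustration (not KICS's own query logic), the check below walks a parsed Pulumi YAML program and reports every `aws:elasticsearch:Domain` whose log publishing is absent, lacks an explicit `enabled: true`, or is disabled. The rule is inferred from the four samples above, and the input dicts are constructed to mirror them (loading the YAML files with `yaml.safe_load` would yield the same structures).

```python
# Added example: flag Elasticsearch domains in a parsed Pulumi YAML program
# whose CloudWatch log publishing is missing or not explicitly enabled.
# The rule below is inferred from this page's positive/negative samples.

def check_es_logging(program: dict) -> list:
    """Return one finding per domain (or per log entry) that fails the check."""
    findings = []
    for name, res in program.get("resources", {}).items():
        if res.get("type") != "aws:elasticsearch:Domain":
            continue
        opts = res.get("properties", {}).get("logPublishingOptions")
        if not opts:                         # positive test 1: nothing configured
            findings.append(f"{name}: logPublishingOptions is not defined")
            continue
        for entry in opts:
            log_type = entry.get("logType", "<unset>")
            enabled = entry.get("enabled")
            if enabled is None:              # positive test 2: key omitted
                findings.append(f"{name}: {log_type} has no 'enabled' key")
            elif enabled is not True:        # positive test 3: enabled: false
                findings.append(f"{name}: {log_type} has enabled={enabled!r}")
    return findings


def pulumi_program(domain_props: dict) -> dict:
    """Build a minimal program dict around one Elasticsearch domain (constructed)."""
    return {
        "name": "aws-eks",
        "runtime": "yaml",
        "resources": {
            "exampleLogGroup": {"type": "aws:cloudwatch:LogGroup"},
            "exampleDomain": {"type": "aws:elasticsearch:Domain",
                              "properties": domain_props},
        },
    }


# Constructed inputs mirroring the page's samples.
LOG_ARN = "${exampleLogGroup.arn}"
NO_LOGGING = pulumi_program({"elasticsearchVersion": "7.10"})
MISSING_ENABLED = pulumi_program({"logPublishingOptions": [
    {"cloudwatchLogGroupArn": LOG_ARN, "logType": "INDEX_SLOW_LOGS"},
    {"cloudwatchLogGroupArn": LOG_ARN, "logType": "SEARCH_SLOW_LOGS", "enabled": True},
]})
DISABLED = pulumi_program({"logPublishingOptions": [
    {"cloudwatchLogGroupArn": LOG_ARN, "logType": "INDEX_SLOW_LOGS", "enabled": False},
]})
ENABLED = pulumi_program({"logPublishingOptions": [
    {"cloudwatchLogGroupArn": LOG_ARN, "logType": "INDEX_SLOW_LOGS", "enabled": True},
]})
```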