ElasticSearch Without Audit Logs
- Query id: c420748a-bd4a-46c8-9541-93dd1e0ccf38
- Query name: ElasticSearch Without Audit Logs
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- CWE: 778 (Insufficient Logging)
- Risk score: 3.0
- URL: Github
Description
Ensure that the AWS Elasticsearch (or OpenSearch Service) domain has audit log publishing enabled
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# Positive sample: an AUDIT_LOGS stream is declared but explicitly disabled,
# so no audit events reach CloudWatch Logs.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample
Resources:
  ElasticsearchDomain:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      LogPublishingOptions:
        AUDIT_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
          Enabled: "false"  # audit log publishing turned off - this is why the sample is reported
Positive test num. 2 - yaml file
# Positive sample: AUDIT_LOGS names a log group but carries no Enabled key,
# so audit log publishing is never switched on.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample
Resources:
  ElasticsearchDomain:
    Type: "AWS::OpenSearchService::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      LogPublishingOptions:
        AUDIT_LOGS:  # missing "Enabled: true" - this is why the sample is reported
          CloudWatchLogsLogGroupArn:
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"AUDIT_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
"Enabled": "false"
}
}
}
}
}
}
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"ES_APPLICATION_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs",
"Enabled": "true"
}
}
}
}
}
}
Positive test num. 5 - json file
Positive test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"AUDIT_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
"Enabled": false
}
}
}
}
}
}
Positive test num. 7 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"AUDIT_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs"
}
}
}
}
}
}
Positive test num. 8 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"AUDIT_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
"Enabled": "false"
}
}
}
}
}
}
Positive test num. 9 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"ES_APPLICATION_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs",
"Enabled": "true"
}
}
}
}
}
}
Positive test num. 10 - json file
Positive test num. 11 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"AUDIT_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
"Enabled": false
}
}
}
}
}
}
Positive test num. 12 - yaml file
# Positive sample: only ES_APPLICATION_LOGS is published; there is no
# AUDIT_LOGS entry at all, so the domain produces no audit trail.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample
Resources:
  ElasticsearchDomain:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      LogPublishingOptions:
        ES_APPLICATION_LOGS:  # application logs are not a substitute for AUDIT_LOGS
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs
          Enabled: "true"
Positive test num. 13 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"AUDIT_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs"
}
}
}
}
}
}
Positive test num. 14 - yaml file
Positive test num. 15 - yaml file
# Positive sample: same as the string form, but Enabled is a YAML boolean.
# Either spelling of false disables the AUDIT_LOGS stream.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample
Resources:
  ElasticsearchDomain:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      LogPublishingOptions:
        AUDIT_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
          Enabled: false  # audit log publishing turned off - this is why the sample is reported
Positive test num. 16 - yaml file
# Positive sample: AUDIT_LOGS names a log group but carries no Enabled key,
# so audit log publishing is never switched on.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample
Resources:
  ElasticsearchDomain:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      LogPublishingOptions:
        AUDIT_LOGS:  # missing "Enabled: true" - this is why the sample is reported
          CloudWatchLogsLogGroupArn:
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
Positive test num. 17 - yaml file
# Positive sample (OpenSearch Service resource type): an AUDIT_LOGS stream is
# declared but explicitly disabled, so no audit events reach CloudWatch Logs.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample
Resources:
  ElasticsearchDomain:
    Type: "AWS::OpenSearchService::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      LogPublishingOptions:
        AUDIT_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
          Enabled: "false"  # audit log publishing turned off - this is why the sample is reported
Positive test num. 18 - yaml file
# Positive sample (OpenSearch Service resource type): only ES_APPLICATION_LOGS
# is published; there is no AUDIT_LOGS entry, so the domain has no audit trail.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample
Resources:
  ElasticsearchDomain:
    Type: "AWS::OpenSearchService::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      LogPublishingOptions:
        ES_APPLICATION_LOGS:  # application logs are not a substitute for AUDIT_LOGS
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs
          Enabled: "true"
Positive test num. 19 - yaml file
Positive test num. 20 - yaml file
# Positive sample (OpenSearch Service resource type): Enabled is the YAML
# boolean false, which disables the AUDIT_LOGS stream just like the string form.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample
Resources:
  ElasticsearchDomain:
    Type: "AWS::OpenSearchService::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      LogPublishingOptions:
        AUDIT_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
          Enabled: false  # audit log publishing turned off - this is why the sample is reported
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# Negative sample: AUDIT_LOGS points at a CloudWatch Logs group and is enabled,
# so audit events are published and the sample is not reported.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample
Resources:
  ElasticsearchDomain:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      LogPublishingOptions:
        AUDIT_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
          Enabled: "true"  # audit log publishing on (string form)
Negative test num. 2 - yaml file
# Negative sample: the log group ARN is resolved with !GetAtt from another
# resource in the template rather than hard-coded, and AUDIT_LOGS is enabled.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample
Resources:
  ProductionElasticsearch:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      LogPublishingOptions:
        "AUDIT_LOGS":  # quoted key - same meaning as the bare AUDIT_LOGS key
          CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchIndexSlowLogs.Arn
          Enabled: true  # audit log publishing on (boolean form)
Negative test num. 3 - yaml file
# Negative sample (OpenSearch Service resource type): AUDIT_LOGS points at a
# CloudWatch Logs group and is enabled, so the sample is not reported.
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample
Resources:
  ElasticsearchDomain:
    Type: "AWS::OpenSearchService::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      LogPublishingOptions:
        AUDIT_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
          Enabled: "true"  # audit log publishing on (string form)
Negative test num. 4 - yaml file
Negative test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"AUDIT_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
"Enabled": "true"
}
}
}
}
}
}
Negative test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"AUDIT_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
"Enabled": true
}
}
}
}
}
}
Negative test num. 7 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"AUDIT_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
"Enabled": "true"
}
}
}
}
}
}
Negative test num. 8 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Sample",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": {
"Ref": "DomainName"
},
"LogPublishingOptions": {
"AUDIT_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
"Enabled": true
}
}
}
}
}
}