OpenSearch Audit Logging Should Be Enabled
More Info:
Ensure audit logging is enabled for the OpenSearch cluster.
Risk Level
Medium
Address
Operational Maturity, Reliability, Security
Compliance Standards
CBP,GDPR,HIPAA,ISO27001,SEBI,RBI_UCB
Triage and Remediation
Remediation
To remediate the misconfiguration of OpenSearch Audit Logging not being enabled in AWS OpenSearch, follow these steps using the AWS Management Console:
- Navigate to the Amazon OpenSearch Service Console: Go to the AWS Management Console and search for “OpenSearch Service” in the services search bar. Click on the service to open the Amazon OpenSearch Service Console.
- Select the Domain: From the list of domains, select the domain for which you want to enable Audit Logging.
- Enable Audit Logging: In the domain dashboard, click on the “Configure access and security” tab in the left-hand navigation menu.
- Edit the Advanced Security Settings: Under the “Advanced security settings” section, click on the “Edit” button.
- Enable Audit Logs: Scroll down to the “Logging” section and toggle the switch to enable “Log publishing” for audit logs.
- Configure Log Publishing: Configure the destination for the audit logs. You can choose to send logs to Amazon CloudWatch Logs, Amazon S3, or both.
- Save Changes: Click on the “Save” button to apply the changes and enable Audit Logging for the OpenSearch domain.
- Verify Audit Logging: To verify that Audit Logging is enabled, you can check the status in the domain dashboard or navigate to the chosen destination (CloudWatch Logs or S3) to ensure that the audit logs are being published successfully.

By following these steps, you have successfully remediated the misconfiguration of OpenSearch Audit Logging not being enabled in AWS OpenSearch.
To enable audit logging for AWS OpenSearch using the AWS CLI, follow these steps:
- Enable Audit Logging: Use the following AWS CLI command to enable audit logging for your AWS OpenSearch domain:

  ```
  aws opensearch update-domain-config --domain-name <your-domain-name> --log-publishing-options "AUDIT_LOGS={CloudWatchLogsLogGroupArn=<log-group-arn>,Enabled=true}"
  ```

  Replace `<your-domain-name>` with the name of your AWS OpenSearch domain and `<log-group-arn>` with the ARN of the CloudWatch Logs log group that should receive the audit logs.
- Verify Audit Logging: After running the command, verify that audit logging is enabled for your AWS OpenSearch domain by checking the domain configuration settings:

  ```
  aws opensearch describe-domain-config --domain-name <your-domain-name> --output json
  ```

  Ensure that `Enabled` is set to `true` under `LogPublishingOptions.Options.AUDIT_LOGS` in the output.
- Monitor Audit Logs: Once audit logging is enabled, monitor the audit logs to ensure that all relevant activities are being logged appropriately. You can access the audit logs through the AWS Management Console or by using the AWS CLI.

By following these steps, you can successfully enable audit logging for AWS OpenSearch using the AWS CLI.
To enable Audit Logging for AWS OpenSearch using Python, you can follow these steps:

Step 1: Install the boto3 library.

```
pip install boto3
```

Step 2: Use the following Python script to enable Audit Logging for AWS OpenSearch:

```python
import boto3


def enable_audit_logging(domain_name):
    # The 'opensearch' client is the one that exposes update_domain_config
    client = boto3.client('opensearch')
    response = client.update_domain_config(
        DomainName=domain_name,
        # Audit log publishing is switched on through LogPublishingOptions
        LogPublishingOptions={
            'AUDIT_LOGS': {
                # Placeholder ARN of the destination CloudWatch Logs log group
                'CloudWatchLogsLogGroupArn': 'arn:aws:logs:<region>:123456789012:log-group:<log-group-name>',
                'Enabled': True
            }
        }
    )
    print(response)


# Replace 'your-domain-name' with the actual name of your OpenSearch domain
enable_audit_logging('your-domain-name')
```

Step 3: Replace 'your-domain-name' with the actual name of your OpenSearch domain in the script.

Step 4: Replace 'arn:aws:logs:<region>:123456789012:log-group:<log-group-name>' with the ARN of the CloudWatch Logs log group that should receive the audit logs. The log group needs a CloudWatch Logs resource policy that gives OpenSearch Service permission to write audit logs to it.

Step 5: Run the Python script. This will enable Audit Logging for the specified OpenSearch domain.

After following these steps, Audit Logging should be successfully enabled for your AWS OpenSearch domain.
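To confirm the remediation across every domain rather than one at a time, the following added example (not code from the original page) evaluates `DescribeDomains` records and reports domains whose audit logs are not published. It goes one step beyond the page by also flagging domains without fine-grained access control, which audit logs require. `SAMPLE_DOMAINS` is constructed data, and the function names `audit_log_findings`, `scan` and `fetch_domains` are hypothetical.

```python
# Constructed DescribeDomains-style records, not real domains.
SAMPLE_DOMAINS = [
    {"DomainName": "logs-prod",
     "AdvancedSecurityOptions": {"Enabled": True},
     "LogPublishingOptions": {"AUDIT_LOGS": {
         "Enabled": True, "CloudWatchLogsLogGroupArn":
         "arn:aws:logs:us-east-1:123456789012:log-group:audit-example"}}},
    {"DomainName": "search-dev",
     "AdvancedSecurityOptions": {"Enabled": True},
     "LogPublishingOptions": {"AUDIT_LOGS": {"Enabled": False}}},
    {"DomainName": "legacy",
     "AdvancedSecurityOptions": {"Enabled": False},
     "LogPublishingOptions": {"SEARCH_SLOW_LOGS": {"Enabled": True}}},
]


def audit_log_findings(status):
    """Return the reasons one DomainStatus record fails the check."""
    findings = []
    # Audit logs depend on fine-grained access control being enabled.
    if not (status.get("AdvancedSecurityOptions") or {}).get("Enabled"):
        findings.append("fine-grained access control is disabled")
    audit = (status.get("LogPublishingOptions") or {}).get("AUDIT_LOGS") or {}
    if not audit.get("Enabled"):
        findings.append("AUDIT_LOGS publishing is not enabled")
    elif not audit.get("CloudWatchLogsLogGroupArn"):
        findings.append("AUDIT_LOGS has no CloudWatch log group")
    return findings


def scan(domains):
    """Map each non-compliant domain name to its list of findings."""
    report = {d["DomainName"]: audit_log_findings(d) for d in domains}
    return {name: f for name, f in report.items() if f}


def fetch_domains(client):
    """Read every domain in the client's region (boto3 'opensearch' client)."""
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    statuses = []
    for i in range(0, len(names), 5):  # DescribeDomains accepts 5 names per call
        batch = client.describe_domains(DomainNames=names[i:i + 5])
        statuses.extend(batch["DomainStatusList"])
    return statuses


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_DOMAINS).items():
        print(f"{name}: {'; '.join(findings)}")
```

Against a live account, pass `scan(fetch_domains(boto3.client('opensearch')))` once per region you operate in.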