AWS-ES-ElasticSearch-Logging-Enabled

Severity: High

Description: This control checks that Amazon Elasticsearch Service domains publish their slow logs to Amazon CloudWatch Logs. Elasticsearch Service supports publishing two kinds of slow logs, search slow logs and index slow logs, which record search and indexing operations that exceed configurable time thresholds. During an incident, slow logs help identify abnormal query patterns, resource exhaustion and other anomalies in cluster behaviour, but only if they were already being collected, so publishing must be enabled ahead of time.

Remediation Steps:

Perform the following to enable slow log publishing for an Elasticsearch Service domain:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the Elasticsearch Service console.

  3. In the navigation pane, under My domains, choose the domain that you want to update.

  4. On the Logs tab, under Set up Search slow logs, click Setup.

  5. Create a CloudWatch log group, or choose an existing one.

  6. Choose an existing CloudWatch Logs resource policy or create a new one using the JSON editor the console provides. The policy must allow the es.amazonaws.com service principal the logs:CreateLogStream and logs:PutLogEvents actions on the log group, otherwise the domain cannot write to it.

  7. Click Enable.

  8. On the Logs tab, under Set up Index slow logs, click Setup.

  9. Create a CloudWatch log group, or choose an existing one.

  10. Choose an existing CloudWatch Logs resource policy or create a new one using the JSON editor the console provides, with the same es.amazonaws.com permissions as in step 6.

  11. Click Enable.

Important:

Both Search slow logs and Index slow logs must be published to CloudWatch Logs for this control to pass. Enabling publishing alone does not produce any log entries: Elasticsearch only writes slow log lines for operations that exceed the thresholds configured in the index settings (for example index.search.slowlog.threshold.query.warn and index.indexing.slowlog.threshold.index.warn), so thresholds must also be set on the indices that should be monitored.
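The console procedure above can also be audited and remediated with the AWS SDK. The following Python script is an added example and is not part of the original control or of any vendor tooling. It assumes boto3 with the `es` client's `describe_elasticsearch_domain` and `update_elasticsearch_domain_config` calls and the `logs` client's `put_resource_policy` call; the domain name, log group ARNs and the sample domain description are placeholders constructed for illustration. The evaluation and request-building functions run offline against a domain description; only `audit_and_fix` talks to AWS and needs credentials.

```python
"""Check and remediate slow-log publishing for an Elasticsearch Service domain (added example)."""
import json

# Both log types must be enabled for the control to pass.
REQUIRED_LOG_TYPES = ("SEARCH_SLOW_LOGS", "INDEX_SLOW_LOGS")

# Constructed sample of the "DomainStatus" block returned by describe_elasticsearch_domain:
# search slow logs are published, index slow logs are not, so the domain is non-compliant.
SAMPLE_DOMAIN_STATUS = {
    "DomainName": "example-domain",  # placeholder
    "LogPublishingOptions": {
        "SEARCH_SLOW_LOGS": {
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:es-search-slow",
            "Enabled": True,
        },
        "INDEX_SLOW_LOGS": {
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:es-index-slow",
            "Enabled": False,
        },
    },
}


def evaluate_slow_logs(domain_status):
    """Return (compliant, missing_log_types) for one domain's DomainStatus dict.

    A log type counts as published only when Enabled is true and a log group ARN is set.
    A type absent from LogPublishingOptions has never been configured and is reported too.
    """
    options = domain_status.get("LogPublishingOptions") or {}
    missing = []
    for log_type in REQUIRED_LOG_TYPES:
        opt = options.get(log_type) or {}
        if not (opt.get("Enabled") and opt.get("CloudWatchLogsLogGroupArn")):
            missing.append(log_type)
    return (len(missing) == 0, missing)


def log_group_resource_policy(log_group_arns):
    """CloudWatch Logs resource policy letting the ES service principal write to the groups."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "es.amazonaws.com"},
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": list(log_group_arns),
        }],
    })


def remediation_request(domain_name, search_log_group_arn, index_log_group_arn):
    """Keyword arguments for update_elasticsearch_domain_config that enable both slow logs."""
    return {
        "DomainName": domain_name,
        "LogPublishingOptions": {
            "SEARCH_SLOW_LOGS": {"CloudWatchLogsLogGroupArn": search_log_group_arn, "Enabled": True},
            "INDEX_SLOW_LOGS": {"CloudWatchLogsLogGroupArn": index_log_group_arn, "Enabled": True},
        },
    }


def audit_and_fix(domain_name, search_log_group_arn, index_log_group_arn, dry_run=True):
    """Live check against AWS; requires boto3 and credentials (not run by the offline test).

    With dry_run=True only the finding is returned. With dry_run=False the log group
    resource policy is installed and both slow log types are enabled on the domain.
    """
    import boto3  # imported here so the offline helpers above do not need boto3

    es = boto3.client("es")
    logs = boto3.client("logs")
    status = es.describe_elasticsearch_domain(DomainName=domain_name)["DomainStatus"]
    compliant, missing = evaluate_slow_logs(status)
    if compliant or dry_run:
        return compliant, missing
    logs.put_resource_policy(
        policyName=f"es-slow-logs-{domain_name}",  # assumed naming convention
        policyDocument=log_group_resource_policy([search_log_group_arn, index_log_group_arn]),
    )
    es.update_elasticsearch_domain_config(
        **remediation_request(domain_name, search_log_group_arn, index_log_group_arn)
    )
    return True, []


if __name__ == "__main__":
    ok, gaps = evaluate_slow_logs(SAMPLE_DOMAIN_STATUS)
    print(f"{SAMPLE_DOMAIN_STATUS['DomainName']}: compliant={ok} missing={gaps}")
```

Run the script as-is to evaluate the constructed sample; point `audit_and_fix` at a real domain with `dry_run=True` first to confirm the finding before letting it change the domain configuration. Remember that enabling publishing is only half the work: the slowlog thresholds still have to be set on the indices, as noted above.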

Reference:

Blue Hexagon Proprietary