For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-elasticsearch-without-slow-logs.md. A documentation index is available at /llms.txt.

Elasticsearch without slow logs

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-elasticsearch-without-slow-logs

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Observability

Learn More

Description

Elasticsearch domains must publish slow logs to detect and investigate performance anomalies and suspicious query activity. Without slow logs, you cannot audit slow or resource-intensive queries that may indicate abuse, data exfiltration, or misconfiguration.

In CloudFormation, AWS::Elasticsearch::Domain resources must define Properties.LogPublishingOptions and include INDEX_SLOW_LOGS and/or SEARCH_SLOW_LOGS entries with their Enabled property set to true. Resources missing LogPublishingOptions, missing the slow-log keys, or with Enabled set to false will be flagged.

Secure configuration example:

MyDomain:
  Type: AWS::Elasticsearch::Domain
  Properties:
    DomainName: my-domain
    LogPublishingOptions:
      INDEX_SLOW_LOGS:
        CloudWatchLogsLogGroupArn: arn:aws:logs:us-east-1:123456789012:log-group:/aws/elasticsearch/index-slow
        Enabled: true
      SEARCH_SLOW_LOGS:
        CloudWatchLogsLogGroupArn: arn:aws:logs:us-east-1:123456789012:log-group:/aws/elasticsearch/search-slow
        Enabled: true

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: ElasticsearchDomain resource
Resources:
  ElasticsearchDomain:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      ElasticsearchVersion:
        Ref: ElasticsearchVersion
      ElasticsearchClusterConfig:
        InstanceCount: "1"
        InstanceType:
          Ref: InstanceType
      EBSOptions:
        EBSEnabled: "true"
        Iops: 0
        VolumeSize: 10
        VolumeType: standard
      SnapshotOptions:
        AutomatedSnapshotStartHour: "0"
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal:
              AWS: "*"
            Action: "es:*"
            Resource: "*"
      LogPublishingOptions:
        SEARCH_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
          Enabled: "true"
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs
          Enabled: "true"
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"

{
  "document": [
    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "ElasticsearchDomain resource",
      "Resources": {
        "ElasticsearchDomain": {
          "Type": "AWS::Elasticsearch::Domain",
          "Properties": {
            "AdvancedOptions": {
              "rest.action.multi.allow_explicit_index": "true"
            },
            "DomainName": {
              "Ref": "DomainName"
            },
            "ElasticsearchVersion": {
              "Ref": "ElasticsearchVersion"
            },
            "ElasticsearchClusterConfig": {
              "InstanceCount": "1",
              "InstanceType": {
                "Ref": "InstanceType"
              }
            },
            "EBSOptions": {
              "Iops": 0,
              "VolumeSize": 10,
              "VolumeType": "standard",
              "EBSEnabled": "true"
            },
            "SnapshotOptions": {
              "AutomatedSnapshotStartHour": "0"
            },
            "AccessPolicies": {
              "Statement": [
                {
                  "Effect": "Deny",
                  "Principal": {
                    "AWS": "*"
                  },
                  "Action": "es:*",
                  "Resource": "*"
                }
              ],
              "Version": "2012-10-17"
            },
            "LogPublishingOptions": {
              "SEARCH_SLOW_LOGS": {
                "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
                "Enabled": "true"
              },
              "INDEX_SLOW_LOGS": {
                "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs",
                "Enabled": "true"
              }
            }
          }
        }
      },
      "id": "c886b8d1-8c44-4f23-ba01-6e30a2f5be7b",
      "file": "C:\\Users\\foo\\Desktop\\Data\\yaml\\yaml.yaml"
    }
  ]
}

Resources:
  ProductionElasticsearch:
    Type: AWS::Elasticsearch::Domain
    Properties:
      EBSOptions:
        EBSEnabled: true
        VolumeSize: 70
        VolumeType: gp2
      ElasticsearchClusterConfig:
        DedicatedMasterCount: 3
        DedicatedMasterEnabled: true
        DedicatedMasterType: omitted
        InstanceCount: 3
        InstanceType: omitted
        ZoneAwarenessConfig:
          AvailabilityZoneCount: 3
        ZoneAwarenessEnabled: true
      ElasticsearchVersion: omitted
      LogPublishingOptions:
        "INDEX_SLOW_LOGS":
          CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchIndexSlowLogs.Arn
          Enabled: true
        "SEARCH_SLOW_LOGS":
          CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchSearchSlowLogs.Arn
          Enabled: true
        "ES_APPLICATION_LOGS":
          CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchApplicationLogs.Arn
          Enabled: true

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: ElasticsearchDomain resource
Resources:
  ElasticsearchDomain:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      ElasticsearchVersion:
        Ref: ElasticsearchVersion
      ElasticsearchClusterConfig:
        InstanceCount: "1"
        InstanceType:
          Ref: InstanceType
      EBSOptions:
        EBSEnabled: "true"
        Iops: 0
        VolumeSize: 10
        VolumeType: standard
      SnapshotOptions:
        AutomatedSnapshotStartHour: "0"
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal:
              AWS: "*"
            Action: "es:*"
            Resource: "*"
      LogPublishingOptions:
        SEARCH_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs
          Enabled: "false"
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs
          Enabled: "true"
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"

AWSTemplateFormatVersion: "2010-09-09"
Description: ElasticsearchDomain resource
Resources:
  ElasticsearchDomain:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      ElasticsearchVersion:
        Ref: ElasticsearchVersion
      ElasticsearchClusterConfig:
        InstanceCount: "1"
        InstanceType:
          Ref: InstanceType
      EBSOptions:
        EBSEnabled: "true"
        Iops: 0
        VolumeSize: 10
        VolumeType: standard
      SnapshotOptions:
        AutomatedSnapshotStartHour: "0"
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal:
              AWS: "*"
            Action: "es:*"
            Resource: "*"
      LogPublishingOptions:
        ES_APPLICATION_LOGS:
          CloudWatchLogsLogGroupArn: >-
            arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs
          Enabled: "true"
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"

AWSTemplateFormatVersion: "2010-09-09"
Description: ElasticsearchDomain resource
Resources:
  ElasticsearchDomain:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      DomainName:
        Ref: DomainName
      ElasticsearchVersion:
        Ref: ElasticsearchVersion
      ElasticsearchClusterConfig:
        InstanceCount: "1"
        InstanceType:
          Ref: InstanceType
      EBSOptions:
        EBSEnabled: "true"
        Iops: 0
        VolumeSize: 10
        VolumeType: standard
      SnapshotOptions:
        AutomatedSnapshotStartHour: "0"
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal:
              AWS: "*"
            Action: "es:*"
            Resource: "*"
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"