Compliance Medium severity

AWS Security Hub · ES

ES.4: ES error logging to CW should be enabled

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub ES.4 check?

ES.4 checks that an Elasticsearch/OpenSearch domain publishes its error logs to CloudWatch Logs, and fails when it does not. Error logging captures the WARN, ERROR, and FATAL lines OpenSearch emits, plus exceptions such as MapperParsingException and SearchPhaseExecutionException; all log types are off by default.

Why does ES.4 matter?

Because leaving this open adds nothing to the bill, there is no natural pressure to close it; it just sits as a Medium while the domain fails silently. Error logs are the difference between knowing why a query failed at 2 a.m. and guessing, and they are part of how you reconstruct what a system did under attack. The control maps to NIST 800-53 AU-2, AU-3, and AU-12.

How do I fix ES.4?

  1. Create or choose a CloudWatch Logs group for the domain's error logs.
  2. Grant the domain a resource policy allowing it to write to that log group.
  3. Enable error-log publishing in the domain's logging options.
  4. Set a retention policy on the log group and alert on FATAL/ERROR spikes.

Remediation script · bash

# Placeholders: replace prod-search, us-east-1 and 123456789012 with your domain, region and account.
LOG_GROUP=/aws/opensearch/prod-search/error-logs
LOG_GROUP_ARN=arn:aws:logs:us-east-1:123456789012:log-group:${LOG_GROUP}

# 1. Create the log group and bound the cost with retention.
aws logs create-log-group --log-group-name "$LOG_GROUP"
aws logs put-retention-policy --log-group-name "$LOG_GROUP" --retention-in-days 90

# 2. Let the OpenSearch/Elasticsearch service principal write to it.
aws logs put-resource-policy --policy-name opensearch-error-logs --policy-document "{
  \"Version\":\"2012-10-17\",
  \"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"es.amazonaws.com\"},
  \"Action\":[\"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\":\"${LOG_GROUP_ARN}:*\"}]}"

# 3. Publish error logs (ES_APPLICATION_LOGS) to the group; this is non-disruptive.
#    Legacy Elasticsearch domains use `aws es update-elasticsearch-domain-config` with the same option.
aws opensearch update-domain-config --domain-name prod-search \
  --log-publishing-options "{\"ES_APPLICATION_LOGS\":{\"CloudWatchLogsLogGroupArn\":\"${LOG_GROUP_ARN}\",\"Enabled\":true}}"

Full walkthrough (console steps, edge cases and verification) in the lesson Enable cluster and search audit logging.
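An added example (not Emnode's code or the page's script) that evaluates the ES.4 condition offline against constructed output shaped like `describe-domain-config` and a CloudWatch Logs resource policy. It goes one step beyond the control by also confirming that the es.amazonaws.com service principal is allowed to write to the log group, because the publishing option alone does not prove writes succeed. The domain name, ARN and account ID are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws opensearch describe-domain-config`
# (DomainConfig.LogPublishingOptions.Options); not from any real account.
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/prod-search/error-logs"
LOG_PUBLISHING_OPTIONS = {
    "ES_APPLICATION_LOGS": {"CloudWatchLogsLogGroupArn": LOG_GROUP_ARN, "Enabled": True},
    "SEARCH_SLOW_LOGS": {"Enabled": False},
}
# Constructed CloudWatch Logs resource policy (the policyDocument that
# `aws logs describe-resource-policies` returns), granting the service principal write access.
RESOURCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "es.amazonaws.com"},
    "Action": ["logs:PutLogEvents", "logs:CreateLogStream"], "Resource": LOG_GROUP_ARN + ":*"}]})
REQUIRED_ACTIONS = {"logs:PutLogEvents", "logs:CreateLogStream"}  # strict: "logs:*" is not accepted

def as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def error_logging_enabled(options):
    """The ES.4 condition itself: error logs (ES_APPLICATION_LOGS) on and pointed at a group."""
    opt = options.get("ES_APPLICATION_LOGS", {})
    return bool(opt.get("Enabled")) and bool(opt.get("CloudWatchLogsLogGroupArn"))

def resource_covers(resource, log_group_arn):
    """Log policies name the group as '<arn>:*' to cover its streams; accept that, the bare ARN, or '*'."""
    return resource == "*" or resource.rstrip("*").rstrip(":") == log_group_arn

def service_can_write(policy_json, log_group_arn):
    """True if an Allow statement lets es.amazonaws.com create streams and put events on the group."""
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or "es.amazonaws.com" not in services:
            continue
        if REQUIRED_ACTIONS <= set(as_list(stmt.get("Action"))) and any(
            resource_covers(r, log_group_arn) for r in as_list(stmt.get("Resource"))
        ):
            return True
    return False

def es4_findings(options, policy_json):
    """Reasons the domain fails; an empty list means error logging is on and the service can write."""
    if not error_logging_enabled(options):
        return ["ES_APPLICATION_LOGS not enabled or no CloudWatch log group ARN set"]
    arn = options["ES_APPLICATION_LOGS"]["CloudWatchLogsLogGroupArn"]
    if not service_can_write(policy_json, arn):
        return [f"no resource policy lets es.amazonaws.com write to {arn}"]
    return []
```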

Part of the learning path See what's happening
  • ES.1 ES domains should encrypt at rest
  • ES.2 A legacy Elasticsearch domain is publicly accessible
  • ES.3 ES should encrypt node-to-node traffic
  • ES.5 ES domains should have audit logging
  • ES.6 ES domains should have >= 3 data nodes
  • ES.7 ES domains should have >= 3 dedicated master nodes
  • ES.8 ES should use latest TLS policy