Compliance Medium severity

AWS Security Hub · ES

ES.5: ES domains should have audit logging

Written and reviewed by Emnode

What does AWS Security Hub ES.5 check?

ES.5 fails when a legacy Elasticsearch domain does not have audit logging enabled. Audit logs record user activity on the cluster — authentication successes and failures, requests to the domain, index changes, and the incoming search queries themselves — published to CloudWatch Logs.

Why does ES.5 matter?

Without audit logs a domain can answer "what data exists" but never "who looked at it, when, and from where". On a store that frequently holds the most queryable copy of an organisation's sensitive data, that means no trail when a departing employee bulk-exports records or a credential is misused. Several frameworks, PCI DSS among them, require logging of access to systems handling regulated data.

How do I fix ES.5?

  1. Enable fine-grained access control on the domain, which audit logging depends on.
  2. Create a CloudWatch Logs group and grant the domain permission to write to it.
  3. Turn on audit-log publishing in the domain's logging options.
  4. Set retention and feed the logs into your SIEM for access monitoring.

Remediation script · bash

# Step 1: enable fine-grained access control, which audit logging depends on.
# The domain must already enforce HTTPS, encrypt at rest and encrypt node-to-node
# traffic (ES.1, ES.3, ES.8). Replace the placeholder domain name, master password,
# <region> and <account-id> with your own values.
aws es update-elasticsearch-domain-config \
  --domain-name prod-search \
  --advanced-security-options '{"Enabled":true,"InternalUserDatabaseEnabled":true,"MasterUserOptions":{"MasterUserName":"admin","MasterUserPassword":"<strong-password>"}}'

# Step 2: create the log group, let the service write to it, and bound the cost with retention.
LOG_GROUP=/aws/aes/domains/prod-search/audit-logs
LOG_GROUP_ARN="arn:aws:logs:<region>:<account-id>:log-group:${LOG_GROUP}:*"
aws logs create-log-group --log-group-name "$LOG_GROUP"
aws logs put-retention-policy --log-group-name "$LOG_GROUP" --retention-in-days 90
aws logs put-resource-policy --policy-name es-audit-logs \
  --policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"es.amazonaws.com\"},\"Action\":[\"logs:PutLogEvents\",\"logs:CreateLogStream\"],\"Resource\":\"${LOG_GROUP_ARN}\"}]}"

# Step 3: turn on audit-log publishing (non-disruptive) and verify it took effect.
aws es update-elasticsearch-domain-config \
  --domain-name prod-search \
  --log-publishing-options "{\"AUDIT_LOGS\":{\"CloudWatchLogsLogGroupArn\":\"${LOG_GROUP_ARN}\",\"Enabled\":true}}"
aws es describe-elasticsearch-domain --domain-name prod-search \
  --query 'DomainStatus.LogPublishingOptions.AUDIT_LOGS'

Full walkthrough (console steps, edge cases and verification) in the lesson Enable cluster and search audit logging.

Is ES.5 a false positive?

Audit logging requires fine-grained access control to be enabled first — a domain without FGAC cannot satisfy ES.5 just by ticking the audit-log box.
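To check a domain the way ES.5 and the caveat above do, before or after remediation, here is an added example (not emnode's code) that evaluates the DomainStatus document returned by `aws es describe-elasticsearch-domain`; the three sample domains are constructed, and only the `LogPublishingOptions.AUDIT_LOGS` and `AdvancedSecurityOptions.Enabled` fields of that document are assumed.

```python
from __future__ import annotations


def evaluate_es5(domain_status: dict) -> tuple[str, str]:
    """Return ("PASSED" | "FAILED", reason) for one DomainStatus document.

    ES.5 passes only when AUDIT_LOGS publishing is enabled and pointed at a
    CloudWatch log group. Because audit logging depends on fine-grained access
    control (FGAC), a domain without FGAC is reported as failing with the
    prerequisite named first, so the remediation order is clear.
    """
    name = domain_status.get("DomainName", "<unknown>")
    fgac = bool(domain_status.get("AdvancedSecurityOptions", {}).get("Enabled"))
    audit = domain_status.get("LogPublishingOptions", {}).get("AUDIT_LOGS", {})
    arn = audit.get("CloudWatchLogsLogGroupArn")

    if not fgac:
        return "FAILED", f"{name}: FGAC is off; enable it first, then audit-log publishing"
    if not audit.get("Enabled"):
        return "FAILED", f"{name}: FGAC is on but AUDIT_LOGS publishing is disabled"
    if not arn:
        return "FAILED", f"{name}: AUDIT_LOGS enabled but no CloudWatch log group ARN set"
    return "PASSED", f"{name}: audit logs published to {arn}"


def summarize_es5(domains: list[dict]) -> dict[str, str]:
    """Map each domain name to its ES.5 status, e.g. for a SIEM or ticket feed."""
    return {d["DomainName"]: evaluate_es5(d)[0] for d in domains}


# Constructed samples shaped like DomainStatus from describe-elasticsearch-domain.
SAMPLE_DOMAINS = [
    {"DomainName": "legacy-search",
     "AdvancedSecurityOptions": {"Enabled": False},
     "LogPublishingOptions": {}},
    {"DomainName": "compliant-search",
     "AdvancedSecurityOptions": {"Enabled": True},
     "LogPublishingOptions": {"AUDIT_LOGS": {
         "Enabled": True,
         "CloudWatchLogsLogGroupArn":
             "arn:aws:logs:eu-west-1:111122223333:log-group:/aws/aes/domains/compliant-search/audit-logs:*"}}},
    {"DomainName": "half-done",  # FGAC on, but only application logs are published
     "AdvancedSecurityOptions": {"Enabled": True},
     "LogPublishingOptions": {"ES_APPLICATION_LOGS": {"Enabled": True}}},
]

if __name__ == "__main__":
    for domain in SAMPLE_DOMAINS:
        print(*evaluate_es5(domain))
```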
