Compliance · Medium severity

AWS Security Hub · Opensearch

Opensearch.4: OpenSearch domain error logging to CloudWatch Logs should be enabled

Written and reviewed by Emnode

What does AWS Security Hub Opensearch.4 check?

Opensearch.4 fails when an OpenSearch Service domain is not publishing its error logs (the ES_APPLICATION_LOGS log type) to CloudWatch Logs. The underlying AWS Config rule is opensearch-logs-to-cloudwatch with the log type parameter set to error, so the control looks only at the ES_APPLICATION_LOGS entry under the domain's LogPublishingOptions: it must have Enabled set to true and a CloudWatch Logs log group ARN. Slow logs (SEARCH_SLOW_LOGS, INDEX_SLOW_LOGS) and audit logs (AUDIT_LOGS) are separate log types; a domain that publishes all three of those but not ES_APPLICATION_LOGS still fails.
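To make the condition concrete, here is an added example, not emnode's page code and not an AWS library, that applies the Opensearch.4 rule offline to responses shaped like the output of `aws opensearch describe-domain-config`. The domain names, account ID, region and log group ARNs in it are constructed placeholders; it runs without AWS credentials.

```python
"""Offline evaluation of the Opensearch.4 condition.

Added example; not emnode's page code and not an AWS library. It applies the
control's rule (ES_APPLICATION_LOGS must be Enabled with a CloudWatch Logs log
group ARN) to dicts shaped like `aws opensearch describe-domain-config` output.
All domain names, account IDs and ARNs below are constructed placeholders.
"""
import json
from typing import Any

ERROR_LOG_TYPE = "ES_APPLICATION_LOGS"  # the only log type Opensearch.4 inspects
OTHER_LOG_TYPES = ("SEARCH_SLOW_LOGS", "INDEX_SLOW_LOGS", "AUDIT_LOGS")


def error_logging_status(response: dict[str, Any]) -> tuple[str, str]:
    """Return (status, reason) where status is "PASSED" or "FAILED".

    Mirrors the control: slow logs or audit logs going to CloudWatch do not
    count. A non-Active State is noted in the reason because, right after an
    update, Config may still be evaluating the previous configuration.
    """
    lpo = response.get("DomainConfig", {}).get("LogPublishingOptions", {})
    options = lpo.get("Options") or {}
    state = lpo.get("Status", {}).get("State", "Active")
    pending = "" if state == "Active" else f" (config State is {state}, not yet Active)"

    entry = options.get(ERROR_LOG_TYPE)
    if entry is None:
        others = [t for t in OTHER_LOG_TYPES if (options.get(t) or {}).get("Enabled")]
        detail = f"only {', '.join(others)} enabled" if others else "no log publishing configured"
        return "FAILED", f"{ERROR_LOG_TYPE} not configured; {detail}{pending}"
    if not entry.get("Enabled"):
        return "FAILED", f"{ERROR_LOG_TYPE} present but Enabled is false{pending}"
    arn = entry.get("CloudWatchLogsLogGroupArn") or ""
    if not arn.startswith("arn:aws:logs:") or ":log-group:" not in arn:
        return "FAILED", f"{ERROR_LOG_TYPE} enabled but log group ARN missing or malformed{pending}"
    return "PASSED", f"{ERROR_LOG_TYPE} publishing to {arn}{pending}"


def evaluate_domains(responses: dict[str, str]) -> dict[str, str]:
    """Map domain name -> status for raw JSON responses (one per domain)."""
    return {name: error_logging_status(json.loads(raw))[0] for name, raw in responses.items()}


def sample_response(options: dict[str, Any], state: str = "Active") -> str:
    """Build a constructed describe-domain-config JSON document for the samples."""
    return json.dumps({"DomainConfig": {"LogPublishingOptions": {"Options": options, "Status": {"State": state}}}})


def log_group_arn(domain: str, log_name: str) -> str:
    """Placeholder ARN in the console's default log group naming scheme (constructed account/region)."""
    return f"arn:aws:logs:us-east-1:111122223333:log-group:/aws/OpenSearchService/domains/{domain}/{log_name}"


# Constructed sample responses: one passing domain and the three common failure shapes.
SAMPLE_RESPONSES = {
    "search-prod": sample_response({ERROR_LOG_TYPE: {"CloudWatchLogsLogGroupArn": log_group_arn("search-prod", "application-logs"), "Enabled": True}}),
    "search-staging": sample_response({"SEARCH_SLOW_LOGS": {"CloudWatchLogsLogGroupArn": log_group_arn("search-staging", "search-slow-logs"), "Enabled": True}}),
    "search-legacy": sample_response({ERROR_LOG_TYPE: {"CloudWatchLogsLogGroupArn": log_group_arn("search-legacy", "application-logs"), "Enabled": False}}),
    "search-new": sample_response({}),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        status, reason = error_logging_status(json.loads(raw))
        print(f"{name:15} {status:7} {reason}")
```

To run it against a real domain, save `aws opensearch describe-domain-config --domain-name <name>` to a file and pass `json.load(f)` to `error_logging_status`; the "search-staging" sample is the shape that surprises people, since slow logs are flowing and the console looks busy, yet the control still fails.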

Why does Opensearch.4 matter?

Error logs are where OpenSearch records write rejections, circuit-breaker trips, and mapping failures. Without them, a domain that misbehaves during an incident is hard to diagnose: teams end up restarting clusters blind while the real cause stays hidden. With the error stream in CloudWatch Logs, diagnosis becomes a log search, and the same stream can drive metric filters and alarms so that a recurring failure is noticed before it becomes an incident.

How do I fix Opensearch.4?

  1. Create a CloudWatch Logs log group with a sensible retention period. Log groups never expire by default, so set one explicitly.
  2. Attach a CloudWatch Logs resource policy granting the es.amazonaws.com service principal logs:CreateLogStream and logs:PutLogEvents on that log group. Resource policies are account-wide and capped at 10 per Region, so write one policy whose Resource covers all of your domains' log groups rather than one per domain, and add an aws:SourceAccount condition so another account's domain cannot write into your groups.
  3. Enable the ES_APPLICATION_LOGS publishing option on the domain in place with update-domain-config (no domain recreation is needed), then verify with describe-domain-config that Enabled is true and the configuration State has returned to Active. Note that error logs are only written when errors occur, so an empty log group on a healthy domain does not mean publishing is broken.
  4. Bake the same configuration into your domain template (the LogPublishingOptions property of AWS::OpenSearchService::Domain in CloudFormation, or the equivalent in your IaC tool) so new domains ship with error logging on.

Remediation script · bash

# Opensearch.4: publish OpenSearch error logs (ES_APPLICATION_LOGS) to CloudWatch Logs.
# Placeholder domain, Region and account; substitute your own.
DOMAIN=search-prod; REGION=us-east-1; ACCOUNT=111122223333
LOG_GROUP=/aws/OpenSearchService/domains/$DOMAIN/application-logs
LOG_GROUP_ARN=arn:aws:logs:$REGION:$ACCOUNT:log-group:$LOG_GROUP

# 1. Log group with a retention cap (the default is never-expire).
aws logs create-log-group --log-group-name "$LOG_GROUP" --region "$REGION"
aws logs put-retention-policy --log-group-name "$LOG_GROUP" --retention-in-days 90 --region "$REGION"

# 2. Resource policy for the OpenSearch Service principal. One policy covering every domain's
#    group stays under the 10-policies-per-Region limit; SourceAccount blocks confused-deputy writes.
aws logs put-resource-policy --region "$REGION" --policy-name opensearch-log-publishing \
  --policy-document "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",
    \"Principal\":{\"Service\":\"es.amazonaws.com\"},\"Action\":[\"logs:PutLogEvents\",\"logs:CreateLogStream\"],
    \"Resource\":\"arn:aws:logs:$REGION:$ACCOUNT:log-group:/aws/OpenSearchService/domains/*\",
    \"Condition\":{\"StringEquals\":{\"aws:SourceAccount\":\"$ACCOUNT\"}}}]}"

# 3. Enable the error-log stream in place; no domain recreation is needed.
aws opensearch update-domain-config --domain-name "$DOMAIN" --region "$REGION" \
  --log-publishing-options "{\"ES_APPLICATION_LOGS\":{\"CloudWatchLogsLogGroupArn\":\"$LOG_GROUP_ARN\",\"Enabled\":true}}"

# Verify: Enabled should be true with your ARN, and State should settle to Active.
aws opensearch describe-domain-config --domain-name "$DOMAIN" --region "$REGION" \
  --query 'DomainConfig.LogPublishingOptions.{Options:Options.ES_APPLICATION_LOGS,State:Status.State}'

# A stream appears in the group after the first error; an empty group on a healthy domain is normal.
aws logs describe-log-streams --log-group-name "$LOG_GROUP" --region "$REGION" \
  --order-by LastEventTime --descending --limit 1

Full walkthrough (console steps, edge cases and verification) in the lesson Enable database audit and log exports.

Part of the learning path Tighten your databases