AWS Security Hub · Opensearch
Opensearch.5: OpenSearch domains should have audit logging
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Opensearch.5 check?
Opensearch.5 fails when a domain is not publishing audit logs (the AUDIT_LOGS log type) to CloudWatch Logs. Audit logs capture authentication events and the requests principals make against the cluster.
Why does Opensearch.5 matter?
Without audit logs there is no record of who searched what, which leaves you unable to investigate misuse or prove access controls work to an auditor. For a data store that may hold sensitive indexes, the absence of an access trail is a real gap in both incident response and compliance evidence.
How do I fix Opensearch.5?
- Confirm fine-grained access control is enabled (Opensearch.7), since OpenSearch Service will not turn on audit logging without it.
- Create a CloudWatch Logs log group and attach a resource policy that lets the es.amazonaws.com service principal call logs:CreateLogStream and logs:PutLogEvents on it.
- Enable the AUDIT_LOGS publishing option with update-domain-config, pointing it at that log group's ARN.
- Verify with describe-domain-config that LogPublishingOptions.Options.AUDIT_LOGS shows Enabled true and the expected ARN.
- Add a Config rule so new domains keep audit logging on.
Remediation script · bash
# Audit logs need fine-grained access control; confirm it before touching log publishing.
# "prod-search", the account id and region below are example placeholders.
aws opensearch describe-domain-config \
  --domain-name prod-search \
  --query 'DomainConfig.AdvancedSecurityOptions.Options.Enabled'
# Create the log group, cap retention, and let the OpenSearch service principal write to it.
aws logs create-log-group --log-group-name /aws/opensearch/prod-search/audit-logs
aws logs put-retention-policy \
  --log-group-name /aws/opensearch/prod-search/audit-logs \
  --retention-in-days 90
aws logs put-resource-policy \
  --policy-name opensearch-audit-logs \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
    "Principal":{"Service":"es.amazonaws.com"},
    "Action":["logs:PutLogEvents","logs:CreateLogStream"],
    "Resource":"arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/prod-search/audit-logs:*"}]}'
# Enable AUDIT_LOGS publishing; this call is rejected if fine-grained access control is off.
aws opensearch update-domain-config \
  --domain-name prod-search \
  --log-publishing-options 'AUDIT_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/prod-search/audit-logs,Enabled=true}'
# Verify the option took effect.
aws opensearch describe-domain-config \
  --domain-name prod-search \
  --query 'DomainConfig.LogPublishingOptions.Options.AUDIT_LOGS'
Full walkthrough (console steps, edge cases and verification) in the lesson Enable database audit and log exports.
Is Opensearch.5 a false positive?
Rarely. The control checks one thing: whether the AUDIT_LOGS publishing option on the domain is enabled, and OpenSearch Service publishes audit logs to CloudWatch Logs only, so a domain that fails genuinely has no access trail. Where teams do hit a wall is the fix: the obvious update-domain-config call is rejected outright if fine-grained access control is off, so clearing Opensearch.5 frequently means enabling two controls at once (this one and Opensearch.7).
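The Config-rule evaluation from the fix steps above and the fine-grained access control wall described in this section, as an added Python example that is not part of this page and is not AWS's own Security Hub or Config code. It reproduces the control's decision over the JSON shape returned by aws opensearch describe-domain-config and builds the CLI calls the remediation needs; the domain names, account id and log group ARNs are constructed samples.

```python
"""Opensearch.5 evaluation and remediation helpers.

Added example for this page, not Security Hub's or AWS Config's own code. It
reproduces the control's decision over the JSON shape that
`aws opensearch describe-domain-config` returns, so it can back a custom
Config rule; the domain names, account id and ARNs are constructed samples.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

# Constructed describe-domain-config outputs, trimmed to the fields the check reads.
SAMPLE_DOMAINS = {
    # fine-grained access control on, AUDIT_LOGS published: passes
    "search-prod": {"DomainConfig": {
        "AdvancedSecurityOptions": {"Options": {"Enabled": True}},
        "LogPublishingOptions": {"Options": {"AUDIT_LOGS": {
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/search-prod/audit-logs",
            "Enabled": True}}}}},
    # fine-grained access control off, only error logs published: fails, and FGAC blocks the fix
    "search-legacy": {"DomainConfig": {
        "AdvancedSecurityOptions": {"Options": {"Enabled": False}},
        "LogPublishingOptions": {"Options": {"ERROR_LOGS": {
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/search-legacy/error-logs",
            "Enabled": True}}}}},
    # FGAC on but the AUDIT_LOGS option is present and disabled: fails, one call fixes it
    "search-stage": {"DomainConfig": {
        "AdvancedSecurityOptions": {"Options": {"Enabled": True}},
        "LogPublishingOptions": {"Options": {"AUDIT_LOGS": {
            "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/opensearch/search-stage/audit-logs",
            "Enabled": False}}}}},
}


def evaluate_audit_logging(domain_config: dict) -> tuple[str, str]:
    """Return (compliance, annotation) in the shape a custom Config rule reports.

    Passes only when AUDIT_LOGS is enabled and points at a CloudWatch Logs group.
    On failure the annotation says whether fine-grained access control is the
    blocker, because update-domain-config rejects AUDIT_LOGS without it.
    """
    cfg = domain_config.get("DomainConfig", domain_config)
    fgac_on = bool(cfg.get("AdvancedSecurityOptions", {}).get("Options", {}).get("Enabled"))
    audit = cfg.get("LogPublishingOptions", {}).get("Options", {}).get("AUDIT_LOGS", {})
    arn = audit.get("CloudWatchLogsLogGroupArn", "")
    if audit.get("Enabled") and arn.startswith("arn:aws:logs:"):
        return COMPLIANT, f"AUDIT_LOGS published to {arn}"
    if not fgac_on:
        return NON_COMPLIANT, "audit logging off; enable fine-grained access control before AUDIT_LOGS"
    return NON_COMPLIANT, "fine-grained access control on but AUDIT_LOGS publishing disabled"


def evaluate_all(domains: dict = SAMPLE_DOMAINS) -> dict[str, str]:
    """Compliance verdict per domain name."""
    return {name: evaluate_audit_logging(cfg)[0] for name, cfg in domains.items()}


def log_group_resource_policy(log_group_arn: str) -> dict:
    """CloudWatch Logs resource policy letting the OpenSearch service principal write."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "es.amazonaws.com"},
            "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
            "Resource": log_group_arn.rstrip("*").rstrip(":") + ":*",
        }],
    }


def remediation_commands(domain_name: str, log_group_arn: str, region: str = "us-east-1") -> list[str]:
    """The CLI calls, in order, that move a failing domain to COMPLIANT.

    Assumes fine-grained access control is already on; the last call fails otherwise.
    """
    log_group = log_group_arn.split(":log-group:")[1]
    policy = json.dumps(log_group_resource_policy(log_group_arn))
    return [
        f"aws logs create-log-group --region {region} --log-group-name {log_group}",
        f"aws logs put-resource-policy --region {region} --policy-name opensearch-audit-logs "
        f"--policy-document '{policy}'",
        f"aws opensearch update-domain-config --region {region} --domain-name {domain_name} "
        f"--log-publishing-options 'AUDIT_LOGS={{CloudWatchLogsLogGroupArn={log_group_arn},Enabled=true}}'",
    ]


if __name__ == "__main__":
    for name, cfg in SAMPLE_DOMAINS.items():
        verdict, note = evaluate_audit_logging(cfg)
        print(f"{name}: {verdict} ({note})")
```

To use it in a Lambda-backed custom Config rule, feed evaluate_audit_logging the describe-domain-config result for each domain and report the tuple as the evaluation and its annotation; the annotation tells the on-call engineer whether Opensearch.7 has to be fixed first. remediation_commands emits the same three calls as the remediation script above.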
More Opensearch controls
- Opensearch.1 OpenSearch domains should encrypt at rest
- Opensearch.2 OpenSearch domains should not be publicly accessible
- Opensearch.3 OpenSearch should encrypt node-to-node traffic
- Opensearch.4 OpenSearch error logging to CW should be enabled
- Opensearch.6 OpenSearch domains should have >= 3 data nodes
- Opensearch.7 OpenSearch domains should have fine-grained access control enabled
- Opensearch.8 OpenSearch should use latest TLS policy
- Opensearch.10 OpenSearch should have latest software update