
Check: CKV_AWS_84: "Ensure Elasticsearch Domain Logging is enabled"

See original GitHub issue

Describe the bug

My TF module has enabled logging for all types: "INDEX_SLOW_LOGS, SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS, AUDIT_LOGS", but I still got an error:

Check: CKV_AWS_84: "Ensure Elasticsearch Domain Logging is enabled"
	FAILED for resource: aws_elasticsearch_domain.es
	File: /tf.json:0-0
	Guide: https://docs.bridgecrew.io/docs/elasticsearch_7

Elasticsearch module:

resource "aws_elasticsearch_domain" "es" {
  domain_name           = var.elasticsearch_domain
  elasticsearch_version = var.elasticsearch_version

  cluster_config {
    instance_type          = var.instance_type
    instance_count         = var.instance_count
    zone_awareness_enabled = var.availability_zone_count == 1 ? false : true
    dynamic "zone_awareness_config" {
      for_each = null_resource.azs[*].triggers
      content {
        availability_zone_count = zone_awareness_config.value.availability_zone_count
      }
    }
  }

  # VPC-only domain: reachable just from the subnets/security group below.
  vpc_options {
    subnet_ids = var.subnet_ids

    security_group_ids = [
      aws_security_group.elasticsearch_sg.id,
    ]
  }

  ebs_options {
    ebs_enabled = true
    volume_size = var.instance_volume_size
  }

  encrypt_at_rest {
    enabled    = var.encrypt_at_rest ? true : false
    kms_key_id = var.kms_key_id != null ? var.kms_key_id : null
  }

  domain_endpoint_options {
    enforce_https       = var.enforce_https
    tls_security_policy = var.enforce_https ? var.tls_security_policy : null
  }

  # One log_publishing_options block per log type. The CloudWatch log groups
  # are created in this same module, so the ARNs are cross-resource references.
  log_publishing_options {
    enabled                  = var.log_publishing ? true : false
    cloudwatch_log_group_arn = var.log_publishing ? aws_cloudwatch_log_group.elasticsearch-app-logs[0].arn : null
    log_type                 = var.log_publishing ? "ES_APPLICATION_LOGS" : null
  }

  log_publishing_options {
    enabled                  = var.log_publishing ? true : false
    cloudwatch_log_group_arn = var.log_publishing ? aws_cloudwatch_log_group.elasticsearch-slow-logs[0].arn : null
    log_type                 = var.log_publishing ? "INDEX_SLOW_LOGS" : null
  }

  log_publishing_options {
    enabled                  = var.log_publishing ? true : false
    cloudwatch_log_group_arn = var.log_publishing ? aws_cloudwatch_log_group.elasticsearch-audit-logs[0].arn : null
    log_type                 = var.log_publishing ? "AUDIT_LOGS" : null
  }

  log_publishing_options {
    enabled                  = var.log_publishing ? true : false
    cloudwatch_log_group_arn = var.log_publishing ? aws_cloudwatch_log_group.elasticsearch-search-slow-logs[0].arn : null
    # This block targets the search-slow-logs group, so its type is SEARCH_SLOW_LOGS
    # (the original listed "AUDIT_LOGS" a second time, a copy-paste slip).
    log_type                 = var.log_publishing ? "SEARCH_SLOW_LOGS" : null
  }

  # Open resource policy (Principal "*"): network reach is still limited by the
  # VPC placement and security group configured above.
  access_policies = <<CONFIG
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Action": "es:*",
          "Principal": "*",
          "Effect": "Allow",
          "Resource": "arn:aws:es:${var.aws_region}:${data.aws_caller_identity.current.account_id}:domain/${var.elasticsearch_domain}/*"
      }
  ]
}
CONFIG

  snapshot_options {
    automated_snapshot_start_hour = var.elasticsearch_snapshot_time
  }

  depends_on = [
    aws_iam_service_linked_role.es
  ]

  tags = merge(var.tags, {
    Domain = var.elasticsearch_domain
  })
}

CW Log Groups, Policy, etc. are created. The variable "log_publishing" defaults to true. The module deployed successfully and logging is enabled, but the "checkov" check did not pass.

Expected behavior

All types of logs are enabled; the check must pass.

Desktop:

  • OS: macOS Big Sur 11.2.1
  • Checkov Version: 2.0.86

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Comments: 10 (1 by maintainers)

Top GitHub Comments

gruebel commented, May 5, 2021 (1 reaction)

After further investigation, I found the issue. Since the Log Group is created in the same configuration and referenced here, the current logic doesn’t consider this at the moment.
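The gap gruebel describes, reproduced as an added Python example (this is not checkov's own code): a check that insists on a resolved CloudWatch log group ARN fails on the issue's configuration, where the log groups are created in the same module and reach the check as unresolved "${...}" references, while a check that only looks at enabled and log_type passes. The list-wrapped attribute shape and both sample configs are constructed here to mimic how a static scanner hands parsed Terraform to a check; the literal ARN is a placeholder.

```python
import re
from enum import Enum

class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"

# A cross-resource reference the static evaluator could not resolve stays as "${...}".
UNRESOLVED = re.compile(r"^\$\{.*\}$")

def _enabled(opt):
    """Treat enabled = true in boolean or string form as on (HCL and tf.json differ)."""
    value = opt.get("enabled", [False])[0]
    return value is True or str(value).lower() == "true"

def strict_check(conf):
    """Also demands a resolved log group ARN (assumed to mirror the gap in the issue):
    a log group created in the same configuration arrives as an unresolved
    reference, so the check fails even though logging is switched on."""
    for opt in conf.get("log_publishing_options", []):
        arn = opt.get("cloudwatch_log_group_arn", [None])[0]
        if _enabled(opt) and arn and not UNRESOLVED.match(str(arn)):
            return CheckResult.PASSED
    return CheckResult.FAILED

def tolerant_check(conf):
    """Require only enabled = true plus a log_type; whether the ARN resolves is
    validated by Terraform and AWS at plan/apply time, not by the static scanner."""
    for opt in conf.get("log_publishing_options", []):
        if _enabled(opt) and opt.get("log_type", [None])[0]:
            return CheckResult.PASSED
    return CheckResult.FAILED

def log_option(log_type, arn, enabled=True):
    """Build one log_publishing_options block in the list-wrapped attribute shape."""
    return {"enabled": [enabled], "cloudwatch_log_group_arn": [arn], "log_type": [log_type]}

# Constructed configs shaped like aws_elasticsearch_domain.es from the issue.
SAME_MODULE_CONF = {  # log groups created alongside the domain: references unresolved
    "log_publishing_options": [
        log_option("ES_APPLICATION_LOGS", "${aws_cloudwatch_log_group.elasticsearch-app-logs[0].arn}"),
        log_option("INDEX_SLOW_LOGS", "${aws_cloudwatch_log_group.elasticsearch-slow-logs[0].arn}"),
    ],
}
LITERAL_ARN_CONF = {  # ARN pasted in as a literal string (placeholder account/region)
    "log_publishing_options": [log_option("ES_APPLICATION_LOGS", "arn:aws:logs:us-east-1:123456789012:log-group:es-app")],
}
```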

coffeecoco commented, Sep 28, 2021 (0 reactions)

I still have this issue, so I am opening a new issue.
