turbot/aws_compliance

Control: 5 OpenSearch domains should have audit logging enabled

Description

This rule is NON_COMPLIANT if the CloudWatch Logs log group of the OpenSearch domain is not specified in this parameter list.

This control checks whether OpenSearch domains have audit logging enabled. This control fails if an OpenSearch domain does not have audit logging enabled.

Audit logs are highly customizable. They allow you to track user activity on your OpenSearch clusters, including authentication successes and failures, requests to OpenSearch, index changes, and incoming search queries.
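The check described above, sketched in Python as an added example (it is not the mod's named query or AWS's rule code). It evaluates dicts shaped like the DomainStatus objects returned by the boto3 opensearch client's describe_domains call. The function names, the optional allowed_log_groups allowlist and all sample domains and ARNs are constructed for illustration.

```python
# Added example. Domain dicts mirror the DomainStatus objects returned by
# boto3's opensearch describe_domains; all sample values are constructed.

def _norm(arn):
    """Log group ARNs appear with and without a trailing ':*'; compare without it."""
    return arn[:-2] if arn.endswith(":*") else arn

def audit_logging_status(domain, allowed_log_groups=None):
    """Return (status, reason) for one domain; status is 'ok' or 'alarm'.

    allowed_log_groups is a hypothetical optional allowlist of log group ARNs.
    """
    name = domain.get("DomainName", "<unknown>")
    # LogPublishingOptions may be absent, None, or hold only other log types.
    audit = (domain.get("LogPublishingOptions") or {}).get("AUDIT_LOGS") or {}
    if not audit.get("Enabled", False):
        return "alarm", f"{name}: audit logging disabled"
    arn = audit.get("CloudWatchLogsLogGroupArn")
    if not arn:
        return "alarm", f"{name}: audit logging enabled but no log group set"
    if allowed_log_groups is not None:
        if _norm(arn) not in {_norm(a) for a in allowed_log_groups}:
            return "alarm", f"{name}: log group not in the allowed list"
    return "ok", f"{name}: audit logging enabled"

def evaluate(domains, allowed_log_groups=None):
    """Map each domain name to its status."""
    return {d["DomainName"]: audit_logging_status(d, allowed_log_groups)[0]
            for d in domains}

# Constructed sample data (placeholder account ID and log group names).
GROUP = "arn:aws:logs:us-east-1:111122223333:log-group:/aws/opensearch/audit"
OTHER = "arn:aws:logs:us-east-1:111122223333:log-group:/tmp/other"

def _opts(log_type, enabled, arn):
    return {log_type: {"Enabled": enabled, "CloudWatchLogsLogGroupArn": arn}}

SAMPLE_DOMAINS = [
    {"DomainName": "logs-prod", "LogPublishingOptions": _opts("AUDIT_LOGS", True, GROUP + ":*")},
    {"DomainName": "search-dev", "LogPublishingOptions": _opts("AUDIT_LOGS", False, GROUP)},
    {"DomainName": "slow-only", "LogPublishingOptions": _opts("SEARCH_SLOW_LOGS", True, GROUP)},
    {"DomainName": "legacy", "LogPublishingOptions": None},
    {"DomainName": "other-group", "LogPublishingOptions": _opts("AUDIT_LOGS", True, OTHER)},
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(*audit_logging_status(d, allowed_log_groups=[GROUP]))
```

A domain that publishes only slow logs or application logs still fails, because only the AUDIT_LOGS entry counts toward this control.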

Remediation

For detailed instructions on enabling audit logs, see Enabling audit logs in the Amazon OpenSearch Service Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_opensearch_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_opensearch_5 --share

SQL

This control uses a named query:

opensearch_domain_audit_logging_enabled
