Elasticsearch Audit Logs now available on Amazon Elasticsearch Service

Posted on: Sep 17, 2020

Amazon Elasticsearch Service now offers a detailed audit log of all Elasticsearch requests. Audit Logs lets customers record a trail of all user actions, helping them meet compliance regulations, improve their overall security posture, and provide evidence for security investigations.

Amazon Elasticsearch Service Audit Logs lets customers log all user activity on their Elasticsearch clusters: a history of user authentication successes and failures, every request made to Elasticsearch, modifications to indices, incoming search queries, and much more. Audit Logs ships with a default configuration that covers a popular set of user actions to track, and administrators can further configure and fine-tune the settings to meet their needs. Audit Logs is integrated with Fine Grained Access Control, allowing you to log access or modification requests to sensitive documents or fields in order to meet compliance requirements. Once configured, audit logs are continuously streamed to CloudWatch Logs, where they can be analyzed further. Audit Logs settings can be changed at any time and take effect automatically.
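To show what analysis of the streamed records in CloudWatch Logs can look like, here is an added example (not part of this announcement, and not code from Amazon or the Open Distro project) that scans a few constructed audit records for repeated authentication failures from one user and source address, and notes whether a successful login followed. The record shape and field names (`audit_category`, `audit_request_effective_user`, `audit_request_remote_address`, `@timestamp`) are my assumptions about the Open Distro audit format; verify them against the events in your own log group before relying on this.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, category, user, addr):
    # Build one constructed audit record as a JSON line, the way it would
    # land in CloudWatch Logs. Field names are assumed, not taken from docs.
    return json.dumps({"@timestamp": ts, "audit_category": category,
                       "audit_request_effective_user": user,
                       "audit_request_remote_address": addr})


# Constructed sample events: three quick failures for "analyst" followed by a
# success, plus a lone failure and an index change for "admin".
SAMPLE_LINES = [
    _ev("2020-09-17T10:00:00+00:00", "FAILED_LOGIN", "analyst", "203.0.113.10"),
    _ev("2020-09-17T10:00:20+00:00", "FAILED_LOGIN", "analyst", "203.0.113.10"),
    _ev("2020-09-17T10:00:45+00:00", "FAILED_LOGIN", "analyst", "203.0.113.10"),
    _ev("2020-09-17T10:01:10+00:00", "AUTHENTICATED", "analyst", "203.0.113.10"),
    _ev("2020-09-17T11:30:00+00:00", "FAILED_LOGIN", "admin", "198.51.100.7"),
    _ev("2020-09-17T12:00:00+00:00", "INDEX_EVENT", "admin", "198.51.100.7"),
]


def _key(ev):
    return ev["audit_request_effective_user"], ev["audit_request_remote_address"]


def failed_login_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag (user, source) pairs with at least `threshold` FAILED_LOGIN events
    inside `window`, and record whether an AUTHENTICATED event from the same
    pair came afterwards (the case an analyst most wants to look at)."""
    events = sorted((json.loads(l) for l in lines), key=lambda e: e["@timestamp"])
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"])
        if ev["audit_category"] == "FAILED_LOGIN":
            failures[_key(ev)].append(ts)
        elif ev["audit_category"] == "AUTHENTICATED":
            successes[_key(ev)].append(ts)
    alerts = []
    for key, times in failures.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": key[0], "source": key[1],
                               "failures": end - start + 1,
                               "success_after": any(s > ts for s in successes[key])})
                break  # one alert per (user, source) pair is enough here
    return alerts
```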

Both new and existing Amazon Elasticsearch Service domains (version 6.7+) with Fine Grained Access Control enabled can use the Audit Logs feature. You can follow the documentation to set up the CloudWatch Logs destination and fine-tune any settings.

Audit Logs is powered by Open Distro for Elasticsearch, an Apache 2.0-licensed distribution of Elasticsearch. To learn more about Open Distro for Elasticsearch and the Audit Logs feature, visit the project website.

Audit Logging is now available for Amazon Elasticsearch Service domains across 24 regions globally: US East (N. Virginia, Ohio), US West (Oregon, N. California), AWS GovCloud (US-Gov-East, US-Gov-West), Canada (Central), South America (Sao Paulo), Africa (Cape Town), Middle East (Bahrain), EU (Ireland, London, Frankfurt, Paris, Stockholm, Milan), Asia Pacific (Singapore, Sydney, Tokyo, Seoul, Mumbai, Hong Kong), and China (Beijing – operated by Sinnet, Ningxia – operated by NWCD). Please refer to the AWS Region Table for more information about Amazon Elasticsearch Service availability.