> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Opensearch Audit Logging Should Be Enabled

### More Info:

Ensure audit logging is enabled for opensearch cluster

### Risk Level

Medium

### Address

Operational Maturity, Reliability, Security

### Compliance Standards

CBP,GDPR,HIPAA,ISO27001,SEBI,RBI\_UCB

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration of Opensearch Audit Logging not being enabled in AWS OpenSearch, follow these steps using the AWS Management Console:

        1. **Navigate to the Amazon OpenSearch Service Console**: Go to the AWS Management Console and search for "OpenSearch Service" in the services search bar. Click on the service to open the Amazon OpenSearch Service Console.

        2. **Select the Domain**: From the list of domains, select the domain for which you want to enable Audit Logging.

        3. **Enable Audit Logging**: In the domain dashboard, click on the "Configure access and security" tab in the left-hand navigation menu.

        4. **Edit the Advanced Security Settings**: Under the "Advanced security settings" section, click on the "Edit" button.

        5. **Enable Audit Logs**: Scroll down to the "Logging" section and toggle the switch to enable "Log publishing" for audit logs.

        6. **Configure Log Publishing**: Configure the destination for the audit logs. You can choose to send logs to Amazon CloudWatch Logs, Amazon S3, or both.

        7. **Save Changes**: Click on the "Save" button to apply the changes and enable Audit Logging for the OpenSearch domain.

        8. **Verify Audit Logging**: To verify that Audit Logging is enabled, you can check the status in the domain dashboard or navigate to the chosen destination (CloudWatch Logs or S3) to ensure that the audit logs are being published successfully.

        By following these steps, you have successfully remediated the misconfiguration of Opensearch Audit Logging not being enabled in AWS OpenSearch.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration of enabling audit logging for AWS OpenSearch using AWS CLI, follow these steps:

        1. **Enable Audit Logging**: Use the following AWS CLI command to enable audit logging for your AWS OpenSearch domain:

           ```bash theme={null}
           aws opensearchservice update-domain-config --domain-name <your-domain-name> --advanced-security-options Enabled=true,InternalUserDatabaseEnabled=true,AuditLogEnabled=true
           ```

           Replace `<your-domain-name>` with the name of your AWS OpenSearch domain.

        2. **Verify Audit Logging**: After running the command, verify that audit logging is enabled for your AWS OpenSearch domain by checking the domain configuration settings:

           ```bash theme={null}
           aws opensearchservice describe-domain-config --domain-name <your-domain-name> --output json
           ```

           Ensure that the `AuditLogEnabled` parameter is set to `true` in the output.

        3. **Monitor Audit Logs**: Once audit logging is enabled, monitor the audit logs to ensure that all relevant activities are being logged appropriately. You can access the audit logs through the AWS Management Console or by using the AWS CLI.

        By following these steps, you can successfully remediate the misconfiguration of enabling audit logging for AWS OpenSearch using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of enabling Audit Logging for AWS OpenSearch using Python, you can follow these steps:

        Step 1: Install boto3 library

        ```bash theme={null}
        pip install boto3
        ```

        Step 2: Use the following Python script to enable Audit Logging for AWS OpenSearch:

        ```python theme={null}
        import boto3

        def enable_audit_logging(domain_name):
            client = boto3.client('es')

            response = client.update_domain_config(
                DomainName=domain_name,
                AdvancedSecurityOptions={
                    'AuditLogs': {
                        'AuditLogRoleArn': 'arn:aws:iam::123456789012:role/OpenSearch-Audit-Role',
                        'Enabled': True
                    }
                }
            )

            print(response)

        # Replace 'your-domain-name' with the actual name of your OpenSearch domain
        enable_audit_logging('your-domain-name')
        ```

        Step 3: Replace `'your-domain-name'` with the actual name of your OpenSearch domain in the script.

        Step 4: Replace `'arn:aws:iam::123456789012:role/OpenSearch-Audit-Role'` with the ARN of the IAM role that should have permission to write audit logs.

        Step 5: Run the Python script. This will enable Audit Logging for the specified OpenSearch domain.

        After following these steps, Audit Logging should be successfully enabled for your AWS OpenSearch domain.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
