
How do I activate audit logs in OpenSearch Service?


I want to activate audit logs in Amazon OpenSearch Service.

Short description

To activate audit logs, first configure your domain to publish audit logs to Amazon CloudWatch Logs. Then, activate and configure audit logs in OpenSearch Dashboards.

For more information, see Monitoring audit logs in Amazon OpenSearch Service.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Before you turn on the audit logs, you must turn on fine-grained access control on the cluster.

Activate audit logs in OpenSearch Service

To activate audit logs and create an access policy in OpenSearch Service, complete the following steps:

  1. Open the OpenSearch Service console.

  2. In the navigation pane, choose Domains, and then choose your domain.

  3. Choose the Logs tab, then choose Audit logs, and then choose Enable.

  4. Choose Setup error logs and then select Create new policy or Select existing policy.
    To create a new policy, for New policy name, enter a policy name and then update the policy with an access policy similar to the following example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "es.amazonaws.com"
          },
          "Action": [
            "logs:PutLogEvents",
            "logs:CreateLogStream"
          ],
          "Resource": "cw_log_group_arn"
        }
      ]
    }

    Note: Replace cw_log_group_arn with the ARN of the CloudWatch Logs log group that receives the audit logs.
  5. Choose Enable.

Activate audit logs in OpenSearch Dashboards

Complete the following steps:

  1. Open OpenSearch Dashboards.
  2. Choose Security.
    Note: To turn on audit logs, you must have your user role mapped to the security_manager role. Otherwise, you can't see the Security tab in OpenSearch Dashboards.
  3. Choose Audit logs.
  4. Choose Enable audit logging.

For an example configuration, see Audit log example.

Troubleshoot audit log errors

You didn't configure advanced security options

When you activate audit logs and fine-grained access control isn't activated on your domain, you receive the following error:

"UpdateDomainConfig: {"message":"audit log publishing cannot be enabled as you do not have advanced security options configured."}"

To resolve this error, turn on fine-grained access control.

Resource limit exceeded

When you reach the maximum number of CloudWatch Logs resource policies per AWS Region, you receive the following error:

"PutResourcePolicy: {"__type":"LimitExceededException","message":"Resource limit exceeded."}"

You can have up to 10 CloudWatch Logs resource policies per Region, per account. You can't change this quota. For more information, see CloudWatch Logs quotas.

To activate logs for multiple domains, you can reuse a policy that includes multiple log groups.

To check the resource policies in your account per Region, run the describe-resource-policies AWS CLI command:

aws logs describe-resource-policies --region region-name

Note: Replace region-name with your Region.

To update your resource policy to cover multiple log groups, add a wildcard character (*) to the Resource element. You can also combine the statements from several existing resource policies into one policy that covers all of the log groups, and then delete the old policies.

For example, if your log group names begin with /aws/OpenSearchService/domains/, then you can create a resource policy that applies to /aws/OpenSearchService/domains/*.

The following example resource policy creates a single resource policy for all log groups that begin with /aws/OpenSearchService/domains/*:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": [
        "logs:PutLogEvents",
        "logs:CreateLogStream"
      ],
      "Resource": "arn:aws:logs:REGION:AccountID:log-group:/aws/OpenSearchService/domains/*:*"
    }
  ]
}

Note: Replace REGION with your Region and AccountID with your AWS account ID.

To apply the consolidated policy, save the policy document as policy.json, and then run the following put-resource-policy command in AWS CloudShell:

aws logs put-resource-policy \
    --policy-name yourPolicyName \
    --policy-document file://policy.json

Note: Replace yourPolicyName with your own policy name.

You can now select this updated policy when you activate audit logs.

To remove unnecessary or duplicate policies, run the delete-resource-policy command:

aws logs delete-resource-policy --policy-name PolicyName

Note: Replace PolicyName with the name of the policy you want to delete.

The access policy for the log group in CloudWatch Logs doesn't grant sufficient permissions

When you try to activate audit log publishing, you might receive the following error:

"The Resource Access Policy specified for the CloudWatch Logs log group does not grant sufficient permissions for Amazon OpenSearch Service to create a log stream. Please check the Resource Access Policy."

To resolve this error, verify that the Resource element of your policy includes the correct log group ARN.
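The following added example (not AWS's own code or tooling) covers both the consolidation step above and this check: consolidated_policy() builds the wildcard resource policy from the article for a Region and account ID, and missing_permissions() evaluates a resource policy document against a log group ARN and reports which of the two required actions es.amazonaws.com is not granted. The sample policy, Region, account ID and domain names are constructed for illustration.

```python
import fnmatch
import json

OPENSEARCH_PRINCIPAL = "es.amazonaws.com"
REQUIRED_ACTIONS = {"logs:PutLogEvents", "logs:CreateLogStream"}

def consolidated_policy(region, account_id, prefix="/aws/OpenSearchService/domains/"):
    """Build the article's wildcard resource policy covering every log group under `prefix`."""
    stmt = {"Effect": "Allow", "Principal": {"Service": OPENSEARCH_PRINCIPAL},
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:{prefix}*:*"}
    return {"Version": "2012-10-17", "Statement": [stmt]}  # json.dumps() it for put-resource-policy

def _as_list(value):  # IAM accepts a string or a list for Statement, Action and Resource
    return value if isinstance(value, list) else [value]

def missing_permissions(policy, log_group_arn):
    """Return the required actions the policy does NOT grant es.amazonaws.com on the log group.
    Empty set = sufficient; otherwise this is why publishing fails with the 'does not grant
    sufficient permissions' error. Only Allow statements and the * and ? wildcards are
    evaluated; Deny statements and Condition blocks are ignored."""
    base = log_group_arn[:-2] if log_group_arn.endswith(":*") else log_group_arn
    targets = (base, base + ":*")  # group ARN with or without the :* log-stream suffix
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if principal != "*" and OPENSEARCH_PRINCIPAL not in _as_list(principal.get("Service", [])):
            continue
        if not any(fnmatch.fnmatchcase(t, r) for r in _as_list(stmt.get("Resource", [])) for t in targets):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return REQUIRED_ACTIONS - granted

# Constructed sample policy: scoped to one domain's log group and missing logs:CreateLogStream.
SAMPLE_NARROW_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "es.amazonaws.com"}, "Action": "logs:PutLogEvents",
  "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/OpenSearchService/domains/domain-a/audit-logs:*"}]}""")

if __name__ == "__main__":
    arn_a = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/OpenSearchService/domains/domain-a/audit-logs:*"
    arn_b = arn_a.replace("domain-a", "domain-b")
    print(missing_permissions(SAMPLE_NARROW_POLICY, arn_a))  # {'logs:CreateLogStream'}
    print(missing_permissions(SAMPLE_NARROW_POLICY, arn_b))  # both required actions missing
    print(missing_permissions(consolidated_policy("us-east-1", "123456789012"), arn_b))  # set()
```

To check a real policy, paste the policyDocument string from aws logs describe-resource-policies into json.loads() and pass the log group ARN shown in the CloudWatch Logs console.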

Related information

How do I troubleshoot fine-grained access control issues in my OpenSearch Service cluster?

Troubleshooting Amazon OpenSearch Service

AWS OFFICIAL. Updated 5 months ago.