AWS Config Rule: OpenSearch Logs to CloudWatch

Description: Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if logging is not configured.

Trigger type: Configuration changes

AWS Region: All supported AWS regions except China (Beijing), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Israel (Tel Aviv), Europe (Spain), China (Ningxia), Europe (Zurich) Region

This config rule checks if an OpenSearch Domain is configured to send logs to CloudWatch service. If logging is not configured for some domain, the rule will be marked as non-compliant.

In order to resolve this, you will need to first head on over to the Amazon OpenSearch Service within your AWS Console. Ensure to select the correct region from where your OpenSearch domain is located.

Once there, choose the domain you want to configure logging for and and enable the desired CloudWatch logs from the Logs tab. Check the following picture for further reference:

Note that this rule will become compliant if any of the available log types is enabled.

Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here