aws · mergify · Dec 16, 2020 · Dec 16, 2020 · Dec 16, 2020 · Dec 16, 2020
diff --git a/packages/@aws-cdk/aws-elasticsearch/README.md b/packages/@aws-cdk/aws-elasticsearch/README.md
@@ -173,3 +173,29 @@ const domain = new es.Domain(this, 'Domain', {
 
 const masterUserPassword = domain.masterUserPassword;
 ```
+
+
+
+## Audit logs
+
+Audit logs can be enabled for a domain, but only when fine grained access control is enabled.
+
+```ts
+const domain = new es.Domain(this, 'Domain', {
+    version: es.ElasticsearchVersion.V7_1,
+    enforceHttps: true,
+    nodeToNodeEncryption: true,
+    encryptionAtRest: {
+        enabled: true,
+    },
+    fineGrainedAccessControl: {
+        masterUserName: 'master-user',
+    },
+    logging: {
+        auditLogEnabled: true,
+        slowSearchLogEnabled: true,
+        appLogEnabled: true,
+        slowIndexLogEnabled: true,
+    },
+});
+```
diff --git a/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts b/packages/@aws-cdk/aws-elasticsearch/lib/domain.ts
@@ -244,6 +244,21 @@ export interface LoggingOptions {
    * @default - a new log group is created if app logging is enabled
    */
   readonly appLogGroup?: logs.ILogGroup;
+
+  /**
+   * Specify if Elasticsearch audit logging should be set up.
+   * Requires Elasticsearch version 6.7 or later and fine grained access control to be enabled.
+   *
+   * @default - false
+   */
+  readonly auditLogEnabled?: boolean;
+
+  /**
+   * Log Elasticsearch audit logs to this log group.
+   *
+   * @default - a new log group is created if audit logging is enabled
+   */
+  readonly auditLogGroup?: logs.ILogGroup;
 }
 
 /**
@@ -1162,6 +1177,13 @@ export class Domain extends DomainBase implements IDomain {
    */
   public readonly appLogGroup?: logs.ILogGroup;
 
+  /**
+   * Log group that audit logs are logged to.
+   *
+   * @attribute
+   */
+  public readonly auditLogGroup?: logs.ILogGroup;
+
   /**
    * Master user password if fine grained access control is configured.
    */
@@ -1365,6 +1387,12 @@ export class Domain extends DomainBase implements IDomain {
       }
     }
 
+    // Validate fine grained access control enabled for audit logs, per
+    // https://aws.amazon.com/about-aws/whats-new/2020/09/elasticsearch-audit-logs-now-available-on-amazon-elasticsearch-service/
+    if (props.logging?.auditLogEnabled && !advancedSecurityEnabled) {
+      throw new Error('Fine-grained access control is required when audit logs publishing is enabled.');
+    }
+
     let cfnVpcOptions: CfnDomain.VPCOptionsProperty | undefined;
     if (props.vpcOptions) {
       cfnVpcOptions = {
@@ -1403,6 +1431,15 @@ export class Domain extends DomainBase implements IDomain {
       logGroups.push(this.appLogGroup);
     };
 
+    if (props.logging?.auditLogEnabled) {
+      this.auditLogGroup = props.logging.auditLogGroup ??
+          new logs.LogGroup(this, 'AuditLogs', {
+            retention: logs.RetentionDays.ONE_MONTH,
+          });
+
+      logGroups.push(this.auditLogGroup);
+    };
+
     let logGroupResourcePolicy: LogGroupResourcePolicy | null = null;
     if (logGroups.length > 0) {
       const logPolicyStatement = new iam.PolicyStatement({
@@ -1454,6 +1491,10 @@ export class Domain extends DomainBase implements IDomain {
       },
       nodeToNodeEncryptionOptions: { enabled: nodeToNodeEncryptionEnabled },
       logPublishingOptions: {
+        AUDIT_LOGS: {
+          enabled: this.auditLogGroup != null,
+          cloudWatchLogsLogGroupArn: this.auditLogGroup?.logGroupArn,
+        },
         ES_APPLICATION_LOGS: {
           enabled: this.appLogGroup != null,
           cloudWatchLogsLogGroupArn: this.appLogGroup?.logGroupArn,

diff --git a/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts b/packages/@aws-cdk/aws-elasticsearch/test/domain.test.ts
@@ -2,6 +2,7 @@ import '@aws-cdk/assert/jest';
 import { Metric, Statistic } from '@aws-cdk/aws-cloudwatch';
 import { Subnet, Vpc, EbsDeviceVolumeType } from '@aws-cdk/aws-ec2';
 import * as iam from '@aws-cdk/aws-iam';
+import * as logs from '@aws-cdk/aws-logs';
 import { App, Stack, Duration, SecretValue } from '@aws-cdk/core';
 import { Domain, ElasticsearchVersion } from '../lib';
 
@@ -47,6 +48,9 @@ test('minimal example renders correctly', () => {
       Enabled: false,
     },
     LogPublishingOptions: {
+      AUDIT_LOGS: {
+        Enabled: false,
+      },
       ES_APPLICATION_LOGS: {
         Enabled: false,
       },
@@ -152,6 +156,46 @@ describe('log groups', () => {
     });
   });
 
+  test('auditLogEnabled should create a custom log group', () => {
+    new Domain(stack, 'Domain', {
+      version: ElasticsearchVersion.V7_4,
+      logging: {
+        auditLogEnabled: true,
+      },
+      fineGrainedAccessControl: {
+        masterUserName: 'username',
+      },
+      nodeToNodeEncryption: true,
+      encryptionAtRest: {
+        enabled: true,
+      },
+      enforceHttps: true,
+    });
+
+    expect(stack).toHaveResourceLike('AWS::Elasticsearch::Domain', {
+      LogPublishingOptions: {
+        AUDIT_LOGS: {
+          CloudWatchLogsLogGroupArn: {
+            'Fn::GetAtt': [
+              'DomainAuditLogs608E0FA6',
+              'Arn',
+            ],
+          },
+          Enabled: true,
+        },
+        ES_APPLICATION_LOGS: {
+          Enabled: false,
+        },
+        SEARCH_SLOW_LOGS: {
+          Enabled: false,
+        },
+        INDEX_SLOW_LOGS: {
+          Enabled: false,
+        },
+      },
+    });
+  });
+
   test('two domains with logging enabled can be created in same stack', () => {
     new Domain(stack, 'Domain1', {
       version: ElasticsearchVersion.V7_7,
@@ -265,6 +309,163 @@ describe('log groups', () => {
     });
   });
 
+  test('enabling audit logs throws without fine grained access control enabled', () => {
+    expect(() => new Domain(stack, 'Domain', {
+      version: ElasticsearchVersion.V6_7,
+      logging: {
+        auditLogEnabled: true,
+      },
+    })).toThrow(/Fine-grained access control is required when audit logs publishing is enabled\./);
+  });
+
+  test('slowSearchLogGroup should use a custom log group', () => {
+    new Domain(stack, 'Domain', {
+      version: ElasticsearchVersion.V7_4,
+      logging: {
+        slowSearchLogEnabled: true,
+        slowSearchLogGroup: new logs.LogGroup(stack, 'SlowSearchLogs', {
+          retention: logs.RetentionDays.THREE_MONTHS,
+        }),
+      },
+    });
+
+    expect(stack).toHaveResourceLike('AWS::Elasticsearch::Domain', {
+      LogPublishingOptions: {
+        AUDIT_LOGS: {
+          Enabled: false,
+        },
+        ES_APPLICATION_LOGS: {
+          Enabled: false,
+        },
+        SEARCH_SLOW_LOGS: {
+          CloudWatchLogsLogGroupArn: {
+            'Fn::GetAtt': [
+              'SlowSearchLogsE00DC2E7',
+              'Arn',
+            ],
+          },
+          Enabled: true,
+        },
+        INDEX_SLOW_LOGS: {
+          Enabled: false,
+        },
+      },
+    });
+  });
+
+  test('slowIndexLogEnabled should use a custom log group', () => {
+    new Domain(stack, 'Domain', {
+      version: ElasticsearchVersion.V7_4,
+      logging: {
+        slowIndexLogEnabled: true,
+        slowIndexLogGroup: new logs.LogGroup(stack, 'SlowIndexLogs', {
+          retention: logs.RetentionDays.THREE_MONTHS,
+        }),
+      },
+    });
+
+    expect(stack).toHaveResourceLike('AWS::Elasticsearch::Domain', {
+      LogPublishingOptions: {
+        AUDIT_LOGS: {
+          Enabled: false,
+        },
+        ES_APPLICATION_LOGS: {
+          Enabled: false,
+        },
+        SEARCH_SLOW_LOGS: {
+          Enabled: false,
+        },
+        INDEX_SLOW_LOGS: {
+          CloudWatchLogsLogGroupArn: {
+            'Fn::GetAtt': [
+              'SlowIndexLogsAD49DED0',
+              'Arn',
+            ],
+          },
+          Enabled: true,
+        },
+      },
+    });
+  });
+
+  test('appLogGroup should use a custom log group', () => {
+    new Domain(stack, 'Domain', {
+      version: ElasticsearchVersion.V7_4,
+      logging: {
+        appLogEnabled: true,
+        appLogGroup: new logs.LogGroup(stack, 'AppLogs', {
+          retention: logs.RetentionDays.THREE_MONTHS,
+        }),
+      },
+    });
+
+    expect(stack).toHaveResourceLike('AWS::Elasticsearch::Domain', {
+      LogPublishingOptions: {
+        AUDIT_LOGS: {
+          Enabled: false,
+        },
+        ES_APPLICATION_LOGS: {
+          CloudWatchLogsLogGroupArn: {
+            'Fn::GetAtt': [
+              'AppLogsC5DF83A6',
+              'Arn',
+            ],
+          },
+          Enabled: true,
+        },
+        SEARCH_SLOW_LOGS: {
+          Enabled: false,
+        },
+        INDEX_SLOW_LOGS: {
+          Enabled: false,
+        },
+      },
+    });
+  });
+
+  test('auditLOgGroup should use a custom log group', () => {
+    new Domain(stack, 'Domain', {
+      version: ElasticsearchVersion.V7_4,
+      fineGrainedAccessControl: {
+        masterUserName: 'username',
+      },
+      nodeToNodeEncryption: true,
+      encryptionAtRest: {
+        enabled: true,
+      },
+      enforceHttps: true,
+      logging: {
+        auditLogEnabled: true,
+        auditLogGroup: new logs.LogGroup(stack, 'AuditLogs', {
+          retention: logs.RetentionDays.THREE_MONTHS,
+        }),
+      },
+    });
+
+    expect(stack).toHaveResourceLike('AWS::Elasticsearch::Domain', {
+      LogPublishingOptions: {
+        AUDIT_LOGS: {
+          CloudWatchLogsLogGroupArn: {
+            'Fn::GetAtt': [
+              'AuditLogsB945E340',
+              'Arn',
+            ],
+          },
+          Enabled: true,
+        },
+        ES_APPLICATION_LOGS: {
+          Enabled: false,
+        },
+        SEARCH_SLOW_LOGS: {
+          Enabled: false,
+        },
+        INDEX_SLOW_LOGS: {
+          Enabled: false,
+        },
+      },
+    });
+  });
+
 });
 
 describe('grants', () => {

diff --git a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.advancedsecurity.expected.json b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.advancedsecurity.expected.json
@@ -41,6 +41,9 @@
           "Enabled": true
         },
         "LogPublishingOptions": {
+          "AUDIT_LOGS": {
+            "Enabled": false
+          },
           "ES_APPLICATION_LOGS": {
             "Enabled": false
           },
@@ -57,4 +60,4 @@
       }
     }
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.expected.json b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.expected.json
@@ -157,6 +157,9 @@
           "Enabled": true
         },
         "LogPublishingOptions": {
+          "AUDIT_LOGS": {
+            "Enabled": false
+          },
           "ES_APPLICATION_LOGS": {
             "CloudWatchLogsLogGroupArn": {
               "Fn::GetAtt": [
@@ -431,6 +434,9 @@
           "Enabled": true
         },
         "LogPublishingOptions": {
+          "AUDIT_LOGS": {
+            "Enabled": false
+          },
           "ES_APPLICATION_LOGS": {
             "CloudWatchLogsLogGroupArn": {
               "Fn::GetAtt": [

diff --git a/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.unsignedbasicauth.expected.json b/packages/@aws-cdk/aws-elasticsearch/test/integ.elasticsearch.unsignedbasicauth.expected.json
@@ -55,6 +55,9 @@
           "Enabled": true
         },
         "LogPublishingOptions": {
+          "AUDIT_LOGS": {
+            "Enabled": false
+          },
           "ES_APPLICATION_LOGS": {
             "Enabled": false
           },