"ElasticSearch Without Slow Logs" Detects Application Logs #4310

Closed
chrisoverzero opened this issue Sep 28, 2021 · 1 comment · Fixed by #4317
Assignees
Labels
bug Something isn't working

Comments

@chrisoverzero

Expected Behavior

KICS accepts an Elasticsearch domain with all logs enabled.

Actual Behavior

When an Elasticsearch domain is configured to log its application logs to CloudWatch Logs, KICS detects the application logs as not slow logs, which they aren't, so nothing should fail.

Steps to Reproduce the Problem

Scan a template containing this mostly minimized resource, or one like it:

ProductionElasticsearch:
  Type: AWS::Elasticsearch::Domain
  Properties:
    EBSOptions:
      EBSEnabled: true
      VolumeSize: 70
      VolumeType: gp2
    ElasticsearchClusterConfig:
      DedicatedMasterCount: 3
      DedicatedMasterEnabled: true
      DedicatedMasterType: omitted
      InstanceCount: 3
      InstanceType: omitted
      ZoneAwarenessConfig:
        AvailabilityZoneCount: 3
      ZoneAwarenessEnabled: true
    ElasticsearchVersion: omitted
    LogPublishingOptions:
      'INDEX_SLOW_LOGS':
        CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchIndexSlowLogs.Arn
        Enabled: true
      'SEARCH_SLOW_LOGS':
        CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchSearchSlowLogs.Arn
        Enabled: true
      'ES_APPLICATION_LOGS':
        CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchApplicationLogs.Arn
        Enabled: true

…like this: kics scan --cloud-provider aws -o . -p . --log-level DEBUG --log-path ./debug.log

KICS will complain that ES_APPLICATION_LOGS are not slow logs.

{
	"query_name": "ElasticSearch Without Slow Logs",
	"query_id": "086ea2eb-14a6-4fd4-914b-38e0bc8703e8",
	"query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-logpublishingoptions",
	"severity": "MEDIUM",
	"platform": "CloudFormation",
	"category": "Observability",
	"description": "Ensure that AWS Elasticsearch enables support for slow logs",
	"description_id": "72d32380",
	"cis_description_id": "",
	"cis_description_title": "",
	"cis_description_text": "",
	"files": [
		{
			"file_name": "infrastructure.yml",
			"similarity_id": "c126add20b0f7aa4997b31dca0e3c6ac72340e7c27b8901aca9c43c5d1337da5",
			"line": 181,
			"issue_type": "IncorrectValue",
			"search_key": "Resources.ProductionElasticsearch.Properties.LogPublishingOptions.ES_APPLICATION_LOGS",
			"search_line": 0,
			"search_value": "",
			"expected_value": "Resources.ProductionElasticsearch.Properties.LogPublishingOptions.ES_APPLICATION_LOGS is slow logs",
			"actual_value": "Resources.ProductionElasticsearch.Properties.LogPublishingOptions.ES_APPLICATION_LOGS is not not slow logs",
			"value": null
		}
	]
}

(Very minorly, there's probably a typo in actual_value: "[…] is not not slow logs".)

In addition to the two kinds of slow log in the test, Elasticsearch can forward logs of ES_APPLICATION_LOGS and AUDIT_LOGS. I think that either of those will trip this test.

debug.log

Specifications

  • Version: Keeping Infrastructure as Code Secure 1.4.3
  • Platform: CloudFormation
  • Subsystem: N/A
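To make the misbehaviour described in this report concrete, here is an added example (not KICS's own Rego query, and not code from the reporter) that runs two versions of the "slow logs" rule over a constructed CloudFormation template: one that models only the reported symptom (every LogPublishingOptions key that is not a slow-log type gets flagged) and one that checks only what the rule's description asks for, namely that INDEX_SLOW_LOGS and SEARCH_SLOW_LOGS are present and enabled, while ES_APPLICATION_LOGS and AUDIT_LOGS are ignored. The resource names, the ARN placeholders, and the interpretation that both slow-log types must be enabled are assumptions made for the example.

```python
"""Added example: contrast the reported false positive with a rule that
only evaluates the two slow-log types. Not KICS code; the template below
is constructed for illustration."""

# The two log types the rule is about, and the other two named in the report.
SLOW_LOG_TYPES = {"INDEX_SLOW_LOGS", "SEARCH_SLOW_LOGS"}
OTHER_LOG_TYPES = {"ES_APPLICATION_LOGS", "AUDIT_LOGS"}

# Constructed template: a parsed CloudFormation document with the
# !GetAtt references already replaced by placeholder ARNs.
ARN = "arn:aws:logs:REGION:ACCOUNT:log-group:PLACEHOLDER"
TEMPLATE = {
    "Resources": {
        # All three log types enabled: should not be flagged at all.
        "ProductionElasticsearch": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "LogPublishingOptions": {
                    "INDEX_SLOW_LOGS": {"CloudWatchLogsLogGroupArn": ARN, "Enabled": True},
                    "SEARCH_SLOW_LOGS": {"CloudWatchLogsLogGroupArn": ARN, "Enabled": True},
                    "ES_APPLICATION_LOGS": {"CloudWatchLogsLogGroupArn": ARN, "Enabled": True},
                }
            },
        },
        # Application logs only: both slow-log types are genuinely missing.
        "ApplicationLogsOnly": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "LogPublishingOptions": {
                    "ES_APPLICATION_LOGS": {"CloudWatchLogsLogGroupArn": ARN, "Enabled": True},
                }
            },
        },
        # One slow-log type explicitly disabled, plus an audit log.
        "IndexSlowDisabled": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "LogPublishingOptions": {
                    "INDEX_SLOW_LOGS": {"CloudWatchLogsLogGroupArn": ARN, "Enabled": False},
                    "SEARCH_SLOW_LOGS": {"CloudWatchLogsLogGroupArn": ARN, "Enabled": True},
                    "AUDIT_LOGS": {"CloudWatchLogsLogGroupArn": ARN, "Enabled": True},
                }
            },
        },
        # No LogPublishingOptions block at all.
        "NoLogging": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {},
        },
        # A different resource type the rule must not look at.
        "Bucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


def domains(template):
    """Yield (logical name, Properties) for every Elasticsearch domain."""
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::Elasticsearch::Domain":
            yield name, res.get("Properties", {})


def search_key(name, log_type):
    """Build a search_key in the same shape as the report's JSON output."""
    return f"Resources.{name}.Properties.LogPublishingOptions.{log_type}"


def buggy_findings(template):
    """Models the reported symptom only: any LogPublishingOptions key that
    is not a slow-log type is reported as 'not slow logs'. A domain that
    merely lacks slow logs produces no slow-log finding here."""
    findings = []
    for name, props in domains(template):
        for log_type in props.get("LogPublishingOptions", {}):
            if log_type not in SLOW_LOG_TYPES:
                findings.append((search_key(name, log_type), "not slow logs"))
    return findings


def fixed_findings(template):
    """Evaluate only the two slow-log types. Other log types (application,
    audit) are out of scope for this rule and never produce a finding.
    An entry without Enabled: true is treated as disabled (assumption)."""
    findings = []
    for name, props in domains(template):
        opts = props.get("LogPublishingOptions", {})
        for log_type in sorted(SLOW_LOG_TYPES):
            entry = opts.get(log_type)
            if not isinstance(entry, dict):
                findings.append((search_key(name, log_type), "missing"))
            elif entry.get("Enabled") is not True:
                findings.append((search_key(name, log_type), "disabled"))
    return findings


if __name__ == "__main__":
    for label, fn in (("reported behaviour", buggy_findings), ("intended rule", fixed_findings)):
        print(f"== {label} ==")
        for key, reason in fn(TEMPLATE):
            print(f"  {key}: {reason}")
```

Running it shows the two outcomes side by side: the first function flags ES_APPLICATION_LOGS on the fully logged ProductionElasticsearch domain and AUDIT_LOGS on IndexSlowDisabled, while missing the domains that really lack slow logs; the second flags only the absent or disabled INDEX_SLOW_LOGS and SEARCH_SLOW_LOGS entries and leaves the compliant domain alone.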
@chrisoverzero chrisoverzero added the bug Something isn't working label Sep 28, 2021
@rogeriopeixotocx rogeriopeixotocx self-assigned this Sep 29, 2021
@rogeriopeixotocx
Contributor

@chrisoverzero thank you for reporting this issue, we'll be taking a look.
