Append-Only Index for Life

ndtreviv · September 13, 2021, 10:38am

We currently write audit logs and metrics to an elasticsearch index.
I'm trying to find a way to prevent a VM admin user from logging into the VM that runs elasticsearch and being able to delete or update audit log documents in an index.

The best I can come up with is RBAC, but as far as I can see that doesn't prevent an admin from giving themselves the necessary access, performing an update or delete, and then removing the access again.

Is it possible to have an elasticsearch index that is append-only from the outset, with no chance of changing it at all?

warkolm · September 13, 2021, 11:46pm

Not directly, no.
You'd need to build a policy that only provides read only access to the indices, while restricting escalation assignment.

system · October 11, 2021, 11:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Secure specific indices from users manually updating documents Elasticsearch elastic-stack-security	3	265	September 12, 2022
Write-only cluster / index? Auditing porpouse Elasticsearch	9	2592	July 5, 2017
Securing Data in Elasticsearch Elasticsearch	15	2792	July 6, 2017
Immutable write only (no versionning allowed) index Elasticsearch	1	751	April 15, 2020
Store Elasticsearch Indices in a revision/audit-proof way Elasticsearch	6	411	July 6, 2017

Append-Only Index for Life

Related topics