Secure specific indices from users manually updating documents
Elasticsearch Version: 7.16.1
ECK version: 1.6.1

We use ELK to push audit logs from one of our applications and we'd like to know if there is a way to tell whether any HUMAN user manually updated any documents in that specific index. We push logs from an S3 bucket to a specific index using the logstash s3 plugin, and no one should manually update/delete the index documents. These audit logs are super important and should not be updated manually by anyone. (FYI: technically any admin in our team has access to root credentials, so anyone can be a culprit :stuck_out_tongue_winking_eye: )

If that is not possible, maybe there is a way to log all queries that are either deleting/updating documents in that specific index? If yes, what would I be looking for in the ES audit logs?

  • I looked at slow query logs and they are not very helpful as they don't show any usernames
  • I don't have much knowledge on audit logs

Thank you

Hi @Rakesh_B

Elasticsearch has strong RBAC... down to the index + document and field (for commercial subscription) so that is all you need to do :slight_smile:

Index level RBAC is available with the Basic / Free Subscription.

Oh details.... :slight_smile:

So I just helped secure a large scale production cluster... and some ways ... Writers get to write... Analysts / everyone else get to read :slight_smile:

  1. We created the publisher role / API for all automated ingesting ... so your logstash should only use the logstash_writer role... you can create a user or an API key. Per here

  2. Then your users only get read privileges on the indices / documents... it can be as simple as that ... and very secure!

This RBAC is set at the cluster / index level... I am thinking I would start there.

The UI makes it pretty easy to define roles these days..

I guess what you want here is a "true append-only" index which it is not possible today.

log all queries that are either deleting/updating documents in that specific index?

This is doable with audit logs. I suggest you follow our documentation: Enable audit logging | Elasticsearch Guide [8.3] | Elastic
Please do note that the audit logging feature is platinum licensed.
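As an added example (not code from either reply), a small Python script that scans Elasticsearch JSON audit log lines for what the question asks about: granted write, update, delete and index-delete actions on the protected index by any identity other than the designated ingest writer from the first reply. The sample log lines, the user names, the `app-audit-*` index pattern and the `logstash_writer` account are constructed for the example.

```python
import fnmatch
import json

# Transport actions that change or remove documents or whole indices.
WRITE_ACTION_PREFIXES = ("indices:data/write/", "indices:admin/delete")

# Constructed sample of the Elasticsearch JSON audit log (field names follow the
# 7.x format; users, addresses and index names are made up for this example).
SAMPLE_AUDIT_LOG = """\
{"type":"audit","timestamp":"2022-07-01T10:00:01,000Z","event.type":"transport","event.action":"access_granted","user.name":"logstash_writer","user.realm":"native","user.roles":["logstash_writer"],"origin.type":"rest","origin.address":"10.0.0.5:41000","action":"indices:data/write/bulk","request.name":"BulkRequest","indices":["app-audit-2022.07.01"]}
{"type":"audit","timestamp":"2022-07-01T10:05:12,000Z","event.type":"transport","event.action":"access_granted","user.name":"alice","user.realm":"native","user.roles":["superuser"],"origin.type":"rest","origin.address":"192.168.1.20:52210","action":"indices:data/search/search","request.name":"SearchRequest","indices":["app-audit-2022.07.01"]}
{"type":"audit","timestamp":"2022-07-01T10:07:45,000Z","event.type":"transport","event.action":"access_granted","user.name":"alice","user.realm":"native","user.roles":["superuser"],"origin.type":"rest","origin.address":"192.168.1.20:52210","action":"indices:data/write/update","request.name":"UpdateRequest","indices":["app-audit-2022.07.01"]}
{"type":"audit","timestamp":"2022-07-01T10:09:00,000Z","event.type":"transport","event.action":"access_granted","user.name":"bob","user.realm":"native","user.roles":["superuser"],"origin.type":"rest","origin.address":"192.168.1.30:53000","action":"indices:data/write/delete/byquery","request.name":"DeleteByQueryRequest","indices":["app-audit-2022.06.30"]}
{"type":"audit","timestamp":"2022-07-01T10:10:00,000Z","event.type":"transport","event.action":"access_granted","user.name":"alice","user.realm":"native","user.roles":["superuser"],"origin.type":"rest","origin.address":"192.168.1.20:52210","action":"indices:data/write/index","request.name":"IndexRequest","indices":["scratch-notes"]}
"""

def is_write_action(action):
    """True for index/update/delete/bulk document actions and index deletion."""
    return action.startswith(WRITE_ACTION_PREFIXES)

def find_unauthorized_writes(log_text, protected_pattern, allowed_writers):
    """Return granted write/delete events on indices matching protected_pattern
    whose user is not one of the expected ingest identities (allowed_writers)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Only transport-layer grants carry the resolved action and index names.
        if event.get("event.type") != "transport" or event.get("event.action") != "access_granted":
            continue
        if not is_write_action(event.get("action", "")):
            continue
        touched = [i for i in event.get("indices", []) if fnmatch.fnmatch(i, protected_pattern)]
        if not touched or event.get("user.name") in allowed_writers:
            continue
        findings.append({
            "timestamp": event["timestamp"],
            "user": event["user.name"],
            "source": event.get("origin.address"),
            "action": event["action"],
            "indices": touched,
        })
    return findings

if __name__ == "__main__":
    for f in find_unauthorized_writes(SAMPLE_AUDIT_LOG, "app-audit-*", {"logstash_writer"}):
        print(f"{f['timestamp']} {f['user']} from {f['source']}: {f['action']} on {', '.join(f['indices'])}")
```

Because the admins in the question hold the superuser credentials, ship the audit file off the cluster to a destination those accounts cannot write to, so the record of a manual edit cannot be removed by the person who made it.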
