Allow brokered ElasticSearch clusters to write to CloudWatch #1633
Without one policy that applies to all log groups, we must create one-off policies for each cluster + log group, and we quickly hit the quota of ten policies per account. See the "Important" callout here: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html#createdomain-configure-slow-logs-console
Related ticket: https://cloud-gov-new.zendesk.com/agent/tickets/8298
Example code from https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_resource_policy#example-usage
Security considerations
Allows the ElasticSearch service to write to all log groups in CloudWatch. Because ElasticSearch logging can only be configured by cloud.gov staff, and there was no way to limit the principal so that clusters could only write to their own log groups in the first place, this is a lateral security move.
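The shape of such a single account-wide policy, as an added Terraform example that is not taken from this PR or from cloud.gov's repository: it follows the registry example linked above, and the `aws:SourceAccount` condition, the `aws_caller_identity` lookup and the policy/resource names are assumptions added here rather than anything the PR states.

```hcl
# Added example (not from the PR): one CloudWatch Logs resource policy that lets
# the Elasticsearch/OpenSearch service principal write to every log group in
# this account, so per-cluster policies (capped at ten per account) are unnecessary.

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "elasticsearch_log_publishing" {
  statement {
    sid    = "AllowElasticsearchToWriteAllLogGroups"
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["es.amazonaws.com"]
    }

    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:PutLogEventsBatch",
    ]

    # Account-wide wildcard: the service principal cannot be scoped to a
    # cluster's own log group, which is the trade-off the PR description notes.
    resources = ["arn:aws:logs:*"]

    # Confused-deputy guard (assumed addition, not in the PR): only domains in
    # this account may use this policy to deliver logs here.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "elasticsearch_log_publishing" {
  policy_name     = "elasticsearch-log-publishing-policy" # assumed name
  policy_document = data.aws_iam_policy_document.elasticsearch_log_publishing.json
}
```

After `terraform apply`, `aws logs describe-resource-policies` should list exactly this one policy for log publishing; any remaining per-cluster policies can then be removed so the account stays well under the ten-policy quota.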