Version: SG FLX
Compliance

Immutable indices

You can mark any index in Elasticsearch as immutable. Documents in an immutable index follow the write-once, read-many (WORM) paradigm: you can create new documents, but once a document has been created it can neither be changed nor deleted.

To mark an index immutable, list its name under the following key in elasticsearch.yml, for example:

searchguard.compliance.immutable_indices: 
  - indexA
  - indexB
  - ...

Forbidden operations

Marking an index immutable prevents the following operations from being executed on it:

  • Changing or deleting any existing document
    • This also includes bulk operations that update or delete existing documents
  • Deleting the index
  • Opening and closing the index
  • Performing a reindex
  • Snapshot / restore

Using an admin certificate

Requests made with a configured TLS admin certificate bypass the immutable index checks. Treat that certificate accordingly: anyone holding it can modify or delete documents in an immutable index, so keep it off the machines and accounts that normally write to those indices.
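After listing an index under searchguard.compliance.immutable_indices, it is worth confirming that every operation from the list above is actually rejected. The following probe script is an added example and not part of Search Guard; it creates one document in the immutable index and then tries each forbidden operation in turn. It assumes a test index (default name indexA, as in the configuration snippet above), a regular user (ES_USER/ES_PASS, hypothetical names) that holds ordinary write permission on that index so that only the immutability checks can reject the requests, and that rejected requests answer with HTTP 403 (the usual Search Guard "forbidden" status; adjust BLOCKED_STATUSES if your cluster differs). Snapshot/restore is not probed because it needs a snapshot repository.

```python
"""Verify Search Guard immutable-index behaviour by probing a test index.

Added example, not Search Guard code. Assumptions:
  * ES_INDEX is listed under searchguard.compliance.immutable_indices,
  * ES_USER/ES_PASS is a normal user (no admin certificate) with write
    permission on that index, so only the immutability checks can reject,
  * a rejected request returns HTTP 403 (see BLOCKED_STATUSES).
"""
import base64
import json
import os
import ssl
import urllib.error
import urllib.request

ES_URL = os.environ.get("ES_URL", "https://localhost:9200")   # hypothetical cluster address
ES_USER = os.environ.get("ES_USER", "writer")                 # hypothetical user name
ES_PASS = os.environ.get("ES_PASS", "changeme")               # hypothetical password
INSECURE = os.environ.get("ES_INSECURE") == "1"               # lab-only: skip TLS verification
BLOCKED_STATUSES = {403}                                      # assumed "forbidden" status


def bulk_update_body(index, doc_id, fields):
    """NDJSON body for a single bulk 'update' action (the trailing newline is required)."""
    action = {"update": {"_index": index, "_id": doc_id}}
    return json.dumps(action) + "\n" + json.dumps({"doc": fields}) + "\n"


def probes(index):
    """Ordered (name, method, path, body, expect_blocked) tuples.

    The first two requests must succeed: they create and read the document the
    later requests try to alter. Everything after that is a forbidden operation
    from the documentation and must be rejected.
    """
    doc = {"event": "login", "user": "alice"}   # constructed sample document
    return [
        ("create document", "PUT", f"/{index}/_doc/1", doc, False),
        ("read document", "GET", f"/{index}/_doc/1", None, False),
        ("overwrite document", "PUT", f"/{index}/_doc/1", {**doc, "user": "mallory"}, True),
        ("partial update", "POST", f"/{index}/_update/1", {"doc": {"user": "mallory"}}, True),
        ("bulk update", "POST", "/_bulk", bulk_update_body(index, "1", {"user": "mallory"}), True),
        ("delete document", "DELETE", f"/{index}/_doc/1", None, True),
        ("close index", "POST", f"/{index}/_close", None, True),
        ("reindex from index", "POST", "/_reindex",
         {"source": {"index": index}, "dest": {"index": f"{index}-copy"}}, True),
        ("delete index", "DELETE", f"/{index}", None, True),
    ]


def outcome_matches(status, expect_blocked):
    """True when the HTTP status agrees with what the immutability rules demand."""
    return (status in BLOCKED_STATUSES) == expect_blocked


def request(method, path, body):
    """Send one request with HTTP basic auth and return the status code."""
    token = base64.b64encode(f"{ES_USER}:{ES_PASS}".encode()).decode()
    headers = {"Authorization": "Basic " + token}
    data = None
    if isinstance(body, str):            # NDJSON for _bulk
        data = body.encode()
        headers["Content-Type"] = "application/x-ndjson"
    elif body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(ES_URL + path, data=data, method=method, headers=headers)
    ctx = ssl._create_unverified_context() if INSECURE else None
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run(index):
    """Execute all probes; return [(name, status, ok)], stopping if setup itself fails."""
    results = []
    for name, method, path, body, expect_blocked in probes(index):
        status = request(method, path, body)
        ok = outcome_matches(status, expect_blocked)
        results.append((name, status, ok))
        if not expect_blocked and not ok:   # could not even create or read the document
            break
    return results


if __name__ == "__main__":
    failures = 0
    for name, status, ok in run(os.environ.get("ES_INDEX", "indexA")):
        print(f"{'PASS' if ok else 'FAIL'}  {name:<20} HTTP {status}")
        failures += not ok
    raise SystemExit(1 if failures else 0)
```

Run it as the regular user first; every forbidden operation should print PASS with HTTP 403. Running the same probes with the admin certificate instead of basic auth should make them succeed, which demonstrates the bypass described above and is a good reason to keep that certificate tightly controlled. Each rejected probe should also leave a COMPLIANCE_IMMUTABLE_INDEX_ATTEMPT entry in the audit log.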

Audit Categories

Search Guard records attempts to modify immutable indices in the audit log under the following category:

Category                            Logged on REST  Logged on Transport  Description
COMPLIANCE_IMMUTABLE_INDEX_ATTEMPT  yes             yes                  Attempt to access an immutable index in a way which is not allowed.
