diff --git a/README.md b/README.md index e887ec03..1610ec97 100644 --- a/README.md +++ b/README.md @@ -171,6 +171,12 @@ direnv edit aws es describe-elasticsearch-domain --domain-name ${ALIS_APP_ID}api | jq '.DomainStatus.Endpoint' ``` +Enable logs in Production. + +```bash +./enable_elasticsearch_logs.sh YOUR_DOMAIN_NAME +``` + And add ElasticSearch Endpoint to SSM. - See: https://github.com/AlisProject/environment diff --git a/elasticsearch-template.yaml b/elasticsearch-template.yaml index 3aa622d1..20b353f1 100644 --- a/elasticsearch-template.yaml +++ b/elasticsearch-template.yaml @@ -9,19 +9,29 @@ Parameters: Resources: ElasticSearchService: Type: "AWS::Elasticsearch::Domain" - Properties: - AccessPolicies: !Join - - '' - - - '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "' - - !Ref ApiLambdaRole - - '" }, "Action": "es:*", "Resource": "' - - 'arn:aws:es:' - - !Ref 'AWS::Region' - - ':' - - !Ref 'AWS::AccountId' - - ':domain/' - - !Ref "AWS::StackName" - - '/*" } ] }' + Properties: + AccessPolicies: + !Sub + - |- + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "${ApiLambdaRole}" + }, + "Action": "es:*", + "Resource": "arn:aws:es:${Region}:${AccountId}:domain/${StackName}/*" + } + ] + } + - { + ApiLambdaRole: !Ref ApiLambdaRole, + Region: !Ref 'AWS::Region', + AccountId: !Ref 'AWS::AccountId', + StackName: !Ref 'AWS::StackName' + } AdvancedOptions: rest.action.multi.allow_explicit_index: 'true' DomainName: !Ref "AWS::StackName" diff --git a/enable_elasticsearch_logs.sh b/enable_elasticsearch_logs.sh new file mode 100755 index 00000000..cb1907fc --- /dev/null +++ b/enable_elasticsearch_logs.sh 
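Review bot: The rewritten `AccessPolicies` document still grants `"Action": "es:*"` to the API Lambda role on `domain/${StackName}/*`, which is broader than the `es:ESHttp*` request actions a search client needs. If the Lambda only queries and indexes documents, narrow the statement to the verbs it uses, for example `"Action": ["es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut", "es:ESHttpDelete"]`; which verbs are required is not visible from this hunk. Separately, `!Sub` resolves `${AWS::Region}`, `${AWS::AccountId}`, `${AWS::StackName}` and `${ApiLambdaRole}` directly, so the variable map in the second list item can be dropped. The resource's remaining properties continue outside the hunk.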
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+aws es describe-elasticsearch-domain --domain-name ${1} | jq '.DomainStatus.Endpoint'
+aws es update-elasticsearch-domain-config --domain-name ${1} --log-publishing-options \
+ "SEARCH_SLOW_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:ap-northeast-1:090169530579:log-group:/aws/aes/search-slow-logs:*,Enabled=true}"
+
+
+# ,INDEX_SLOW_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:my-other-log-group,Enabled=true}
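Review bot: The log-group ARN passed to `--log-publishing-options` hard-codes region `ap-northeast-1` and account `090169530579`, although the README presents the script as taking any `YOUR_DOMAIN_NAME`; run from another account or region, it would point the domain at a log group the caller does not own. `${1}` is also unquoted and unchecked, and there is no `set -e`, so after a missing argument or a failed `describe` call the script still continues to the config update. Deriving the ARN from the caller's identity and failing fast on bad input, as sketched below, addresses both. The update also depends on a CloudWatch Logs resource policy that lets `es.amazonaws.com` write to the group, which nothing in this commit creates or documents.

```shell
#!/usr/bin/env bash
set -euo pipefail

domain_name="${1:?usage: enable_elasticsearch_logs.sh DOMAIN_NAME}"
region="${AWS_DEFAULT_REGION:?AWS_DEFAULT_REGION must be set}"
account_id="$(aws sts get-caller-identity --query Account --output text)"
log_group_arn="arn:aws:logs:${region}:${account_id}:log-group:/aws/aes/search-slow-logs:*"

aws es describe-elasticsearch-domain --domain-name "${domain_name}" | jq '.DomainStatus.Endpoint'
aws es update-elasticsearch-domain-config --domain-name "${domain_name}" --log-publishing-options \
  "SEARCH_SLOW_LOGS={CloudWatchLogsLogGroupArn=${log_group_arn},Enabled=true}"
```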