- OpenSearch Domain Exposed
Identify any publicly accessible Amazon OpenSearch domains and update the associated access policies in order to stop any unsigned requests made to these domains.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing anonymous access to your OpenSearch domains is not recommended and is considered bad practice. To protect your domains against unauthorized access, Amazon OpenSearch provides preconfigured access policies (resource-based, IP-based, and IAM user/role-based policies) that you can customize as needed, as well as the ability to import access policies from other OpenSearch domains.
Audit
To determine if your Amazon OpenSearch domains are publicly accessible, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.
03 In the main navigation panel, under Dashboard, select Domains.
04 Click on the name (link) of the OpenSearch domain that you want to examine.
05 Select the Security configuration tab and check the policy document listed in the Access policy section. If the "Effect" element value is set to "Allow", the "Principal" element value is set to "*" or {"AWS": "*"}, and the policy is not using IP-based "Condition" clauses to filter the access, as shown in the policy example listed below, the selected Amazon OpenSearch domain is publicly accessible (i.e. accessible to everyone):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"
    }
  ]
}
06 Repeat steps no. 4 and 5 for each Amazon OpenSearch domain available within the current AWS region.
07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region:
aws es list-domain-names --region us-east-1 --query 'DomainNames[*].DomainName'
02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:
[
  "trendmicro",
  "cloudconformity"
]
03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to describe the access policy defined for the selected domain:
aws es describe-elasticsearch-domain --region us-east-1 --domain-name trendmicro --query 'DomainStatus.AccessPolicies'
04 The command output should return the requested access policy document in JSON format:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"
    }
  ]
}
Check the policy document returned by the describe-elasticsearch-domain command output. If the "Effect" element value is set to "Allow", the "Principal" element value is set to "*" or {"AWS": "*"}, and the policy is not using IP-based "Condition" clauses to filter the access, as shown in the policy example listed above, the selected Amazon OpenSearch domain is publicly accessible.
05 Repeat steps no. 3 and 4 for each Amazon OpenSearch domain available in the selected AWS region.
06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
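The check described in step no. 4, written out as a small Python function. This is an added example and not part of the Conformity rule or of the AWS CLI; the domain names, ARNs and IP range in the sample data are constructed, and the find_public_domains helper is an assumption about how you would batch the check. The function accepts the parsed policy document as well as the JSON-string form in which the CLI carries DomainStatus.AccessPolicies, and it applies the page's three criteria: an "Allow" statement, a "Principal" of "*" or {"AWS": "*"}, and no IP-based "Condition" clause.

```python
import json
from typing import Any, Dict, List, Union

PolicyDoc = Union[str, Dict[str, Any]]


def _as_list(value: Any) -> List[Any]:
    """IAM policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal: Any) -> bool:
    """True for "Principal": "*" and for {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _has_source_ip_condition(statement: Dict[str, Any]) -> bool:
    """True if the statement filters callers by aws:SourceIp (IpAddress / NotIpAddress)."""
    for operator, operands in statement.get("Condition", {}).items():
        if "ipaddress" in operator.lower() and isinstance(operands, dict):
            if any(key.lower() == "aws:sourceip" for key in operands):
                return True
    return False


def is_publicly_accessible(policy: PolicyDoc) -> bool:
    """Apply the rule's criteria: an Allow statement whose Principal is "*" or
    {"AWS": "*"} and that carries no IP-based Condition makes the domain public.

    Accepts the parsed document or the JSON string returned by the CLI for
    DomainStatus.AccessPolicies. An empty policy grants nothing, so it is not public.
    """
    if not policy:
        return False
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for statement in _as_list(doc.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(statement.get("Principal")):
            continue
        if _has_source_ip_condition(statement):
            continue
        return True
    return False


def find_public_domains(domains: Dict[str, PolicyDoc]) -> List[str]:
    """Map of domain name -> access policy (as describe-elasticsearch-domain
    returns it) to the sorted list of domain names that are publicly accessible."""
    return sorted(name for name, policy in domains.items() if is_publicly_accessible(policy))


def _resource(domain: str) -> str:
    # Constructed ARN pattern; the account id is the placeholder the page uses.
    return f"arn:aws:es:us-east-1:123456789012:domain/{domain}/*"


# Constructed sample data for three hypothetical domains in us-east-1.
SAMPLE_DOMAINS: Dict[str, PolicyDoc] = {
    # The public policy from step no. 4, as the CLI string form: Allow, {"AWS": "*"}, no Condition.
    "trendmicro": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                       "Action": "es:*", "Resource": _resource("trendmicro")}],
    }),
    # Restricted to a single IAM user: not public.
    "cloudconformity": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::123456789012:user/os_manager"},
                       "Action": "es:*", "Resource": _resource("cloudconformity")}],
    },
    # Wildcard principal but filtered by source IP: not flagged by this rule.
    "ip-filtered": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "es:ESHttp*",
                       "Resource": _resource("ip-filtered"),
                       "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}],
    },
}

if __name__ == "__main__":
    print("Publicly accessible domains:", find_public_domains(SAMPLE_DOMAINS))
```

To use it against a real account, feed the function the value of DomainStatus.AccessPolicies from the describe-elasticsearch-domain command for each name returned by list-domain-names; the string form is handled so no extra parsing step is needed.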
Remediation / Resolution
To block public access to your Amazon OpenSearch domains, perform the following actions:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Block Public Access via Domain Policy (Allow Access from Trusted IAM Identities Only)",
  "Resources": {
    "OpenSearchDomain": {
      "Type": "AWS::OpenSearchService::Domain",
      "Properties": {
        "DomainName": "cc-opensearch-domain",
        "EngineVersion": "OpenSearch_1.1",
        "ClusterConfig": {
          "InstanceType": "t3.small.search",
          "InstanceCount": "2"
        },
        "EBSOptions": {
          "EBSEnabled": true,
          "VolumeType": "gp2",
          "VolumeSize": "50"
        },
        "AccessPolicies": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/os_manager"
              },
              "Action": "es:*",
              "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
            }
          ]
        }
      }
    }
  }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Block Public Access via Domain Policy (Allow Access from Trusted IAM Identities Only)
Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: cc-opensearch-domain
      EngineVersion: OpenSearch_1.1
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: '2'
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp2
        VolumeSize: '50'
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/os_manager
            Action: es:*
            Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_opensearch_domain" "opensearch-domain" {
  domain_name    = "cc-opensearch-domain"
  engine_version = "OpenSearch_1.1"

  cluster_config {
    instance_type  = "t3.small.search"
    instance_count = 2
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 50
    volume_type = "gp2"
  }

  # Block Public Access via Domain Policy (Allow Access from Trusted IAM Identities Only)
  access_policies = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/os_manager"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
    }
  ]
}
POLICY
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.
03 In the main navigation panel, under Dashboard, select Domains.
04 Select the OpenSearch domain that you want to reconfigure, choose Actions from the console top menu, and select Edit security configuration.
05 In the Access policy section, select the Configure domain level access policy option, choose the JSON tab, and perform one of the following actions based on your requirements:
- To disable public access to the selected OpenSearch domain, delete the entire policy document listed in the Access policy editor box or remove just the policy statement that allows public access. Choose Save changes to apply the policy changes.
- To limit access to a specific AWS account or IAM user, replace the "Principal" element value with the Amazon Resource Name (ARN) of the trusted AWS account, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:root" }, or of the IAM user, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:user/<user-name>" }, that should have access to the selected Amazon OpenSearch domain. Choose Save changes to apply the changes.
- To limit the domain access to a specific (trusted) IP address/IP range, add a "Condition" clause to the policy statement, i.e. "Condition": { "IpAddress": { "aws:SourceIp": "<ipv4-address>" } }, where <ipv4-address> is the trusted IPv4 address that can access the OpenSearch domain. Choose Save changes to apply the policy changes.
06 Repeat steps no. 4 and 5 for each publicly accessible Amazon OpenSearch domain that you want to reconfigure, available within the current AWS region.
07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Modify the access policy attached to your Amazon OpenSearch domain and replace the "Principal" element value (i.e. "*") with the ARN of the trusted AWS account, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:root" }, or of the IAM user, i.e. { "AWS": "arn:aws:iam::<aws-account-id>:user/<user-name>" }, that should have access to the selected OpenSearch domain. Save the policy document to a JSON file named trusted-access-policy.json. You can also add a "Condition" clause to the policy statement to limit the domain access to a specific (trusted) IP address/IP range only. As an example, the following access policy allows access to an IAM user identified by the ARN "arn:aws:iam::123456789012:user/os_manager":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/os_manager"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"
    }
  ]
}
02 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to reconfigure as the identifier parameter to replace the existing access policy with the one modified at the previous step (i.e. trusted-access-policy.json):
aws es update-elasticsearch-domain-config --region us-east-1 --domain-name trendmicro --access-policies file://trusted-access-policy.json
03 The command output should return the configuration information available for the modified domain:
{
  "DomainConfig": {
    "ElasticsearchVersion": {
      "Options": "7.9",
      "Status": {
        "CreationDate": "2022-01-03T17:49:09.216000+00:00",
        "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
        "UpdateVersion": 5,
        "State": "Active",
        "PendingDeletion": false
      }
    },
    "ElasticsearchClusterConfig": {
      "Options": {
        "InstanceType": "t3.small.elasticsearch",
        "InstanceCount": 3,
        "DedicatedMasterEnabled": false,
        "ZoneAwarenessEnabled": false,
        "WarmEnabled": false,
        "ColdStorageOptions": {
          "Enabled": false
        }
      },
      "Status": {
        "CreationDate": "2022-01-03T17:49:09.216000+00:00",
        "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
        "UpdateVersion": 5,
        "State": "Active",
        "PendingDeletion": false
      }
    },
    "EBSOptions": {
      "Options": {
        "EBSEnabled": true,
        "VolumeType": "gp2",
        "VolumeSize": 15
      },
      "Status": {
        "CreationDate": "2022-01-03T17:49:09.216000+00:00",
        "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
        "UpdateVersion": 5,
        "State": "Active",
        "PendingDeletion": false
      }
    },
    "SnapshotOptions": {
      "Options": {
        "AutomatedSnapshotStartHour": 0
      },
      "Status": {
        "CreationDate": "2022-01-03T17:49:09.216000+00:00",
        "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
        "UpdateVersion": 5,
        "State": "Active",
        "PendingDeletion": false
      }
    },
    ...
    "AccessPolicies": {
      "Options": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/os_manager\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\"}]}",
      "Status": {
        "CreationDate": "2022-01-04T11:10:20.249000+00:00",
        "UpdateDate": "2022-01-04T20:00:08.400000+00:00",
        "UpdateVersion": 38,
        "State": "Processing",
        "PendingDeletion": false
      }
    },
    "CognitoOptions": {
      "Options": {
        "Enabled": false
      },
      "Status": {
        "CreationDate": "2022-01-03T19:09:03.386000+00:00",
        "UpdateDate": "2022-01-03T19:09:03.386000+00:00",
        "UpdateVersion": 9,
        "State": "Active",
        "PendingDeletion": false
      }
    },
    "EncryptionAtRestOptions": {
      "Options": {
        "Enabled": false
      },
      "Status": {
        "CreationDate": "2022-01-03T17:49:09.216000+00:00",
        "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
        "UpdateVersion": 5,
        "State": "Active",
        "PendingDeletion": false
      }
    },
    "NodeToNodeEncryptionOptions": {
      "Options": {
        "Enabled": true
      },
      "Status": {
        "CreationDate": "2022-01-03T17:49:09.216000+00:00",
        "UpdateDate": "2022-01-03T19:09:03.288000+00:00",
        "UpdateVersion": 9,
        "State": "Processing",
        "PendingDeletion": false
      }
    }
  }
}
04 Repeat steps no. 1 – 3 for each publicly accessible Amazon OpenSearch domain that you want to reconfigure, available in the selected AWS region.
05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
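Producing the trusted-access-policy.json document from step no. 1 programmatically, so the same change can be applied to many domains without hand-editing each policy. This is an added example and not part of the Conformity rule or of the AWS CLI; the trusted ARN and the source IP range are constructed placeholders, and the function names are assumptions. It rewrites only the "Allow" statements whose "Principal" is "*" or {"AWS": "*"}, replacing that principal with the trusted ARN(s) and optionally attaching an "IpAddress" / "aws:SourceIp" "Condition", and leaves every other statement (and the input document) unchanged.

```python
import copy
import json
from typing import Any, Dict, List, Optional, Union

PolicyDoc = Union[str, Dict[str, Any]]


def _as_list(value: Any) -> List[Any]:
    """IAM policy elements may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal: Any) -> bool:
    """True for "Principal": "*" and for {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _scalar_or_list(values: List[str]) -> Union[str, List[str]]:
    """Use the compact scalar form for a single value and a JSON list otherwise."""
    return values[0] if len(values) == 1 else list(values)


def restrict_access_policy(
    policy: PolicyDoc,
    trusted_principals: List[str],
    source_ips: Optional[List[str]] = None,
) -> Dict[str, Any]:
    """Return a copy of the policy in which every Allow statement that is open to
    everyone is re-scoped to the given account/IAM ARNs and, optionally, to the
    given source IP ranges. Statements that already name specific principals are
    kept as they are, and the input document is not modified.
    """
    if not trusted_principals:
        raise ValueError("at least one trusted principal ARN is required")
    doc = json.loads(policy) if isinstance(policy, str) else copy.deepcopy(policy)

    statements = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            stmt = dict(stmt)  # work on a copy so the original statement is untouched
            stmt["Principal"] = {"AWS": _scalar_or_list(trusted_principals)}
            if source_ips:
                condition = dict(stmt.get("Condition", {}))
                condition["IpAddress"] = {"aws:SourceIp": _scalar_or_list(source_ips)}
                stmt["Condition"] = condition
        statements.append(stmt)
    doc["Statement"] = statements
    return doc


def to_policy_json(policy: Dict[str, Any]) -> str:
    """Serialise the document in the form passed via --access-policies file://..."""
    return json.dumps(policy, indent=2)


# Constructed sample input: the public policy shown in step no. 4 of the Audit section.
PUBLIC_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*",
        }
    ],
}

if __name__ == "__main__":
    # Placeholder trusted identity and source range; substitute your own values.
    hardened = restrict_access_policy(
        PUBLIC_POLICY,
        trusted_principals=["arn:aws:iam::123456789012:user/os_manager"],
        source_ips=["203.0.113.10/32"],
    )
    with open("trusted-access-policy.json", "w", encoding="utf-8") as fh:
        fh.write(to_policy_json(hardened))
    print(to_policy_json(hardened))
```

The written file is then passed to update-elasticsearch-domain-config exactly as in step no. 2. Leaving source_ips unset reproduces the IAM-only policy shown in step no. 1.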
References
- AWS Documentation
  - Amazon OpenSearch Service FAQs
  - Creating and managing Amazon OpenSearch Service domains
  - What is Amazon OpenSearch Service?
- AWS Command Line Interface (CLI) Documentation
  - es
  - list-domain-names
  - describe-elasticsearch-domain
  - update-elasticsearch-domain-config
- CloudFormation Documentation
  - Amazon OpenSearch Service resource type reference
- Terraform Documentation
  - AWS Provider