End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Check for IP-Based Access

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Very High (not tolerated)

Ensure that access to your Amazon OpenSearch domains is allowed from approved IP addresses only, in order to protect the domains against unauthorized access. Before this rule runs, the list of approved IP addresses/IP ranges must be configured in the rule settings, on your TrendAI Vision One™ Cloud Risk Management Dashboard.

Security

Using OpenSearch IP-based access policies allows only specific IP addresses or IP address ranges to reach your Amazon OpenSearch domain endpoints, acting as a network-level filter that keeps anonymous or otherwise unauthorized requests away from your OpenSearch domains (clusters). Two caveats apply. First, the policies on this page grant the anonymous principal ("AWS": "*") access from the approved addresses without any authentication, so anyone who can send traffic from those addresses obtains the permitted actions (es:* in the examples); pair the IP restriction with fine-grained access control or authenticated IAM principals, and narrow the Action list, for domains that hold sensitive data. Second, IP-based policies apply to domains with a public endpoint only; domains launched within a VPC do not support them, because the security groups attached to the domain already enforce source-based filtering.


Audit

To determine if your OpenSearch domains are using IP-based access policies, perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

  3. In the main navigation panel, under Dashboard, select Domains.

  4. Click on the name (link) of the OpenSearch domain that you want to examine.

  5. Select the Security configuration tab and check the policy shown in the Access policy section. If the policy has no "Condition" element, or its "Condition" element does not restrict "aws:SourceIp" (under the "IpAddress" operator) to a specific IP address, a comma-separated list of IP addresses, or an IP address range, the selected Amazon OpenSearch domain is not implementing an IP-based access policy.

  6. Repeat steps no. 4 and 5 for each Amazon OpenSearch domain available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region. The legacy es subcommands used on this page still operate on OpenSearch domains; aws opensearch list-domain-names is the equivalent in the newer command set:

    aws es list-domain-names \
      --region us-east-1 \
      --query 'DomainNames[*].DomainName'
    
  2. The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

    [
        "trendmicro",
        "example"
    ]
    
  3. Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to describe the access policy defined for the selected domain (aws opensearch describe-domain accepts the same parameters):

    aws es describe-elasticsearch-domain \
      --region us-east-1 \
      --domain-name trendmicro \
      --query 'DomainStatus.AccessPolicies'
    
  4. The command output should return the access policy document. The API returns this field as a JSON string, so add --output text to the command if you want the raw document printed without escaping; it is shown here formatted for readability:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "es:*",
                "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"
            }
        ]
    }
    

    If the access policy returned by the describe-elasticsearch-domain command output does not have any IP-based "Condition" clauses, as shown in the example above, or the "Condition" element does not include a specific IP address, a comma-separated list of IP addresses, or an IP address range, the selected Amazon OpenSearch domain is not using an IP-based access policy to filter the incoming requests.

  5. Repeat steps no. 3 and 4 for each Amazon OpenSearch domain available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
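The following script is added here as a worked example; it is not part of the original page and not Trend's own rule implementation. It applies the Audit logic above to a policy document offline: it parses the JSON returned by describe-elasticsearch-domain, requires every Allow statement to carry an IpAddress/aws:SourceIp condition, and checks each listed range against an approved list with Python's ipaddress module, which also catches the case where a Condition is present but one of its entries (such as 0.0.0.0/0) covers every address. The sample policies and the approved ranges are constructed for the example, and check_ip_policy.py is an assumed file name.

```python
"""Check an Amazon OpenSearch domain access policy for IP-based restriction.

Added example. The sample policies below are constructed from the audit
output on this page; the approved ranges passed in are placeholders.
"""
import ipaddress
import json
import sys

# Constructed sample: the unrestricted policy returned in the audit step above.
UNRESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*",
    }],
})

# Constructed sample: the same grant bound to one approved address.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.5/32"}},
    }],
})

# Constructed sample: a Condition exists, but one entry opens the domain to the world.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.5/32", "0.0.0.0/0"]}},
    }],
})


def _as_list(value):
    """IAM allows a single string or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _source_ip_cidrs(statement):
    """Collect aws:SourceIp values under IpAddress operators (IAM keys are case-insensitive)."""
    cidrs = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() != "ipaddress":
            continue
        for key, value in keys.items():
            if key.lower() == "aws:sourceip":
                cidrs.extend(_as_list(value))
    return cidrs


def _within_approved(cidr, approved):
    """True when cidr is fully contained in an approved network of the same IP version."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return any(net.version == a.version and net.subnet_of(a) for a in approved)


def evaluate_access_policy(policy_json, approved_cidrs):
    """Return (compliant, findings) for a domain access policy document.

    Every Allow statement must carry an IpAddress/aws:SourceIp condition, and
    each listed range must fall inside the approved ranges. Deny statements
    are skipped because they can only narrow access further. An empty
    document (domain without a resource policy) grants nothing to evaluate.
    """
    approved = [ipaddress.ip_network(c, strict=False) for c in approved_cidrs]
    if not policy_json.strip():
        return True, []
    policy = json.loads(policy_json)
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        cidrs = _source_ip_cidrs(st)
        if not cidrs:
            findings.append(f"statement {idx}: Allow has no IpAddress/aws:SourceIp condition")
            continue
        for cidr in cidrs:
            if not _within_approved(cidr, approved):
                findings.append(f"statement {idx}: {cidr} is outside the approved ranges")
    return not findings, findings


if __name__ == "__main__":
    # Usage (assumed file name):
    #   aws es describe-elasticsearch-domain --region us-east-1 --domain-name trendmicro \
    #     --query 'DomainStatus.AccessPolicies' --output text \
    #   | python3 check_ip_policy.py 10.0.0.0/8 203.0.113.0/24
    ok, problems = evaluate_access_policy(sys.stdin.read(), sys.argv[1:])
    print("COMPLIANT" if ok else "NON-COMPLIANT")
    for line in problems:
        print(" -", line)
    sys.exit(0 if ok else 1)
```

Because the check requires each CIDR to be a subnet of an approved range rather than merely present, a policy that lists an approved /32 next to 0.0.0.0/0 is reported as non-compliant, which a plain "does the policy have a Condition" test would miss.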

Remediation / Resolution

To implement an IP-based access policy for your Amazon OpenSearch domains, perform the following operations:

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "Implement IP-Based Access via Domain Policy",
        "Resources": {
            "OpenSearchDomain": {
                "Type": "AWS::OpenSearchService::Domain",
                "Properties": {
                    "DomainName": "cc-opensearch-domain",
                    "EngineVersion": "OpenSearch_1.1",
                    "ClusterConfig": {
                        "InstanceType": "t3.small.search",
                        "InstanceCount": "2"
                    },
                    "EBSOptions": {
                        "EBSEnabled": true,
                        "VolumeType": "gp2",
                        "VolumeSize": "50"
                    },
                    "AccessPolicies": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Principal": {
                                    "AWS": "*"
                                },
                                "Action": "es:*",
                                "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*",
                                "Condition": {
                                    "IpAddress": {
                                        "aws:SourceIp": "10.0.0.5/32"
                                    }
                                }
                            }
                        ]
                    }
                }
            }
        }
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Implement IP-Based Access via Domain Policy
    Resources:
      OpenSearchDomain:
        Type: AWS::OpenSearchService::Domain
        Properties:
          DomainName: cc-opensearch-domain
          EngineVersion: OpenSearch_1.1
          ClusterConfig:
            InstanceType: t3.small.search
            InstanceCount: '2'
          EBSOptions:
            EBSEnabled: true
            VolumeType: gp2
            VolumeSize: '50'
          AccessPolicies:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  AWS: '*'
                Action: es:*
                Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*
                Condition:
                  IpAddress:
                    aws:SourceIp: 10.0.0.5/32
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
        required_providers {
            aws = {
                source  = "hashicorp/aws"
                version = "~> 4.0"
            }
        }
    
        required_version = ">= 0.14.9"
    }
    
    provider "aws" {
        region  = "us-east-1"
    }
    
    resource "aws_opensearch_domain" "opensearch-domain" {
        domain_name = "cc-opensearch-domain"
        engine_version = "OpenSearch_1.1"
    
        cluster_config {
            instance_type = "t3.small.search"
            instance_count = 2
        }
    
        ebs_options {
            ebs_enabled = true
            volume_size = 50
            volume_type = "gp2"
        }
    
        # Implement IP-Based Access via Domain Policy
        access_policies = <<-POLICY
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "*"
                    },
                    "Action": "es:*",
                    "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*",
                    "Condition": {
                        "IpAddress": {
                            "aws:SourceIp": "10.0.0.5/32"
                        }
                    }
                }
            ]
        }
        POLICY
    
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

  3. In the main navigation panel, under Dashboard, select Domains.

  4. Select the OpenSearch domain that you want to reconfigure, choose Actions from the console top menu, and select Edit security configuration.

  5. In the Access policy section, select the Configure domain level access policy option, choose the Visual editor tab, and perform the following actions:

    1. To limit the domain access to a specific (trusted) IP address only, select IPv4 address from the Type dropdown list, enter the trusted IPv4 address in the Principal field (e.g. 10.0.0.5/32), and choose Allow from the Action dropdown list.
    2. To restrict the domain access to specific (trusted) IP ranges only, select IPv4 address from the Type dropdown list, enter the trusted IPv4 address range in the Principal field (e.g. 10.0.15.0/24), and choose Allow from the Action dropdown list.
    3. Choose Save changes to apply the policy changes.
  6. Repeat steps no. 4 and 5 to implement IP-based access for other Amazon OpenSearch domains available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Redefine the access policy attached to your Amazon OpenSearch domain and save the policy document to a JSON file named ipv4-based-access-policy.json. The following example contains an OpenSearch access policy that allows access from a specific (approved) IPv4 address only (i.e. 10.0.0.5/32), using a "Condition" clause on "aws:SourceIp"; replace the region, account ID and domain name in "Resource" with your own:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "es:*",
                "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": "10.0.0.5/32"
                    }
                }
            }
        ]
    }
    
  2. Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to reconfigure as the identifier parameter to replace the existing access policy with the one defined at the previous step (i.e. ipv4-based-access-policy.json). The newer aws opensearch update-domain-config command accepts the same parameters:

    aws es update-elasticsearch-domain-config \
      --region us-east-1 \
      --domain-name trendmicro \
      --access-policies file://ipv4-based-access-policy.json
    
  3. The command output should return the configuration information available for the modified domain. The AccessPolicies status reads "Processing" until the new policy has propagated; re-run the Audit query afterwards to confirm that the new document is in place:

    {
        "DomainConfig": {
            "ElasticsearchVersion": {
                "Options": "7.9",
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "ElasticsearchClusterConfig": {
                "Options": {
                    "InstanceType": "t3.small.elasticsearch",
                    "InstanceCount": 3,
                    "DedicatedMasterEnabled": false,
                    "ZoneAwarenessEnabled": false,
                    "WarmEnabled": false,
                    "ColdStorageOptions": {
                        "Enabled": false
                    }
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "EBSOptions": {
                "Options": {
                    "EBSEnabled": true,
                    "VolumeType": "gp2",
                    "VolumeSize": 15
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "SnapshotOptions": {
                "Options": {
                    "AutomatedSnapshotStartHour": 0
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
    
            ...
    
            "AccessPolicies": {
                "Options": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\",\"Condition\":{\"IpAddress\":{\"aws:SourceIp\":\"10.0.0.5/32\"}}}]}",
                "Status": {
                    "CreationDate": "2022-01-04T11:10:20.249000+00:00",
                    "UpdateDate": "2022-01-04T20:00:08.400000+00:00",
                    "UpdateVersion": 38,
                    "State": "Processing",
                    "PendingDeletion": false
                }
            },
            "CognitoOptions": {
                "Options": {
                    "Enabled": false
                },
                "Status": {
                    "CreationDate": "2022-01-03T19:09:03.386000+00:00",
                    "UpdateDate": "2022-01-03T19:09:03.386000+00:00",
                    "UpdateVersion": 9,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "EncryptionAtRestOptions": {
                "Options": {
                    "Enabled": false
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "NodeToNodeEncryptionOptions": {
                "Options": {
                    "Enabled": true
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T19:09:03.288000+00:00",
                    "UpdateVersion": 9,
                    "State": "Processing",
                    "PendingDeletion": false
                }
            }
        }
    }
    
  4. Repeat steps no. 1 – 3 to implement IP-based access for other Amazon OpenSearch domains available in the selected AWS region.

  5. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
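The following script is added as an example of generating the policy document used in the CLI remediation above; it is not code from the page or from Trend. It builds the Allow statement with an IpAddress/aws:SourceIp condition from a list of approved ranges, normalises bare host addresses to /32 (or /128), refuses 0.0.0.0/0 and ::/0 because such a Condition only looks like a restriction, and can append an explicit Deny/NotIpAddress statement so that identity-based IAM policies in the same account cannot reach the domain from outside the approved ranges (same-account resource and identity policies are evaluated together, and only an explicit Deny overrides an Allow in either). The domain ARN and ranges are the placeholders used on this page; build_ip_access_policy, render_policy and build_ip_policy.py are names chosen for the example.

```python
"""Build an IP-restricted Amazon OpenSearch domain access policy.

Added example. The domain ARN and address ranges are placeholders taken
from this page; the function names are assumptions of this example.
"""
import ipaddress
import json
import sys


def build_ip_access_policy(domain_arn, approved_cidrs, actions="es:*", explicit_deny=True):
    """Return a policy document (dict) that grants `actions` only from `approved_cidrs`.

    - Host addresses are normalised to /32 or /128 and duplicates are dropped.
    - 0.0.0.0/0 and ::/0 are refused: a Condition that matches every address
      is not an IP restriction.
    - With explicit_deny=True a Deny/NotIpAddress statement is appended so that
      principals allowed by identity-based policies in the same account are
      still blocked from outside the approved ranges.
    """
    if not approved_cidrs:
        raise ValueError("at least one approved CIDR is required")
    nets = set()
    for cidr in approved_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{cidr} matches every address; refusing to build an unrestricted policy")
        nets.add(net)
    # Deterministic order: IPv4 before IPv6, then by network address.
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    ranges = [n.with_prefixlen for n in ordered]
    # The domain ARN plus "/*" covers the domain and all of its sub-resources.
    resource = domain_arn.rstrip("/") + "/*"
    statements = [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": actions,
        "Resource": resource,
        "Condition": {"IpAddress": {"aws:SourceIp": ranges}},
    }]
    if explicit_deny:
        statements.append({
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": actions,
            "Resource": resource,
            "Condition": {"NotIpAddress": {"aws:SourceIp": ranges}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def render_policy(document):
    """Serialise the document in the form update-elasticsearch-domain-config expects."""
    return json.dumps(document, indent=4)


if __name__ == "__main__":
    # Usage (assumed file name):
    #   python3 build_ip_policy.py arn:aws:es:us-east-1:123456789012:domain/trendmicro \
    #     10.0.0.5 10.0.15.0/24 > ipv4-based-access-policy.json
    #   aws es update-elasticsearch-domain-config --region us-east-1 \
    #     --domain-name trendmicro --access-policies file://ipv4-based-access-policy.json
    print(render_policy(build_ip_access_policy(sys.argv[1], sys.argv[2:])))
```

Before enabling the explicit Deny on a production domain, confirm that nothing legitimate reaches the endpoint from outside the approved ranges: calls made from AWS services such as Lambda or Kinesis Data Firehose do not originate from your addresses and would be blocked as well. The Allow statement still grants the anonymous principal es:* from the approved ranges, so narrow the actions parameter where read-only access suffices.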


Publication date May 31, 2023