Ensure OpenSearch should have IAM permissions restricted

It is recommended not to allow unrestricted access to OpenSearch. Access to information and application system functions shall be restricted in accordance with the access control policy, so a domain access policy should not grant Allow to the wildcard principal "*".

Risk Level: Low
Cloud Entity: Amazon ElasticSearch service
CloudGuard Rule ID: D9.AWS.IAM.91
Covered by Spectral: Yes
Category: Analytics

GSL LOGIC

ElasticSearchDomain should not have accessPolicies.Statement contain [ Effect='Allow' and ( Principal.AWS='*' ) ]

REMEDIATION

From Portal

  1. Go to the OpenSearch console (documentation: https://docs.aws.amazon.com/opensearch-service)
  2. Click on 'Domains'
  3. Select the non-compliant domain name
  4. Navigate to Security configuration and click on Edit
  5. Under 'Access policy', edit the JSON policy so that it names only the permitted principals (no "*" principal in any Allow statement).
  6. Click 'Save changes'

From Command Line

To apply a new access policy to a specified domain, run:

aws es update-elasticsearch-domain-config --domain-name DOMAIN_NAME --access-policies file://POLICY.json
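The following Python script is an added example (not part of this rule page or CloudGuard's own tooling) that applies the GSL logic above to a domain access policy document and shows the kind of restricted policy that remediation step 5 and the CLI command expect in POLICY.json. The domain name, account ID and role name are constructed placeholders; the checker also treats the string form "Principal": "*" as a wildcard, which is a slightly broader check than the GSL expression's Principal.AWS='*'.

```python
"""Check an OpenSearch / Elasticsearch domain access policy for wildcard principals.

Added example: implements the page's GSL check in plain Python. A statement is
flagged when Effect == "Allow" and its Principal grants access to every AWS
principal ("*"). All policy documents and identifiers below are constructed
sample data, not taken from a real account.
"""
import json


def _principals(statement):
    """Return the set of AWS principals named by one Statement.

    IAM accepts "Principal": "*" (string) as well as {"AWS": "*"} or
    {"AWS": ["arn:...", "*"]}; all three forms are normalised here.
    """
    principal = statement.get("Principal")
    if principal is None:
        return set()
    if isinstance(principal, str):
        return {principal}
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    return set(aws)


def find_open_statements(policy):
    """Return [(Sid or index, has_condition), ...] for every Allow statement open to all principals.

    has_condition is reported for the reviewer's benefit: the GSL rule flags the
    statement regardless of any Condition block, and so does this check.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt):
            findings.append((stmt.get("Sid", str(idx)), "Condition" in stmt))
    return findings


def is_compliant(policy_json):
    """True when no Allow statement uses a wildcard principal (the rule's pass condition)."""
    return not find_open_statements(json.loads(policy_json))


# Constructed sample: a non-compliant policy that grants every principal full access.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*",
    }],
})

# Constructed sample: the same domain restricted to one application role,
# which is the shape of the policy to save in POLICY.json.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app-role"},
        "Action": ["es:ESHttpGet", "es:ESHttpPost"],
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*",
    }],
}, indent=2)


if __name__ == "__main__":
    for name, doc in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        findings = find_open_statements(json.loads(doc))
        status = "compliant" if not findings else f"NON-COMPLIANT {findings}"
        print(f"{name} policy: {status}")
    print("Policy to place in POLICY.json:")
    print(RESTRICTED_POLICY)
```

Run the script over the policy returned by `aws es describe-elasticsearch-domain-config` (or `aws opensearch describe-domain-config`) before and after remediation to confirm the wildcard principal is gone. For domains managed through the newer CLI namespace, the equivalent of the command above is `aws opensearch update-domain-config --domain-name DOMAIN_NAME --access-policies file://POLICY.json`, which is the command reference 3 documents.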

References

  1. https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html
  2. https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html
  3. https://docs.aws.amazon.com/cli/latest/reference/opensearch/update-domain-config.html

Amazon ElasticSearch service

Amazon Elasticsearch Service is a fully managed service that makes it easy for you to deploy, secure, and run Elasticsearch cost effectively at scale. You can build, monitor, and troubleshoot your applications using the tools you love, at the scale you need. The service provides support for open source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services, and built-in alerting and SQL querying. Amazon Elasticsearch Service lets you pay only for what you use; there are no upfront costs or usage requirements. With Amazon Elasticsearch Service, you get the ELK stack you need, without the operational ov

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset