Restrict Public Access to OpenSearch Domains

Checks that OpenSearch domains are configured within a VPC and not publicly accessible, minimizing exposure to external threats.

Rule: OpenSearch domains should not be publicly accessible
Framework: AWS Foundational Security Best Practices
Severity: Critical

OpenSearch domains should not be publicly accessible for AWS Foundational Security Best Practices

Description:

OpenSearch domains, which are used for searching, analyzing, and visualizing data, should not be publicly accessible to avoid unauthorized access and potential security breaches. Allowing public access to OpenSearch domains can expose sensitive data and configuration information to threat actors, compromising the integrity and confidentiality of the data stored in the domain.

Troubleshooting Steps:

  1. Check the access policies and settings of the OpenSearch domain to ensure that it is not publicly accessible.
  2. Review the network configuration and security groups associated with the OpenSearch domain to verify that only authorized entities have access.
  3. Monitor access logs and audit trails to detect any unauthorized access attempts to the OpenSearch domain.

Remediation Steps:

  1. Access the AWS Management Console and navigate to the OpenSearch service.
  2. Select the OpenSearch domain that needs to be secured and click on the "Modify access policy" option.
  3. Update the access policy to restrict access to specific IP ranges, VPCs, or IAM roles that require access to the domain.
  4. Ensure that the domain is not accessible from the public internet by configuring the network settings to only allow traffic from trusted sources.
  5. Save the changes to apply the updated access policy and verify that the OpenSearch domain is no longer publicly accessible.

Relevant Code/CLI Commands:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "es:*",
      "Resource": "arn:aws:es:region:account-id:domain/domain-name/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "x.x.x.x/x",
            "y.y.y.y/y"
          ]
        }
      }
    }
  ]
}

CLI Commands:

  1. To update the access policy of an OpenSearch domain:
     aws es update-elasticsearch-domain-config --domain-name example-domain --access-policies file://access-policy.json
  2. To configure network settings for an OpenSearch domain:
     aws es update-elasticsearch-domain-config --domain-name example-domain --vpc-options SubnetIds=subnet-123456,SecurityGroupIds=sg-789012
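
The first troubleshooting step as an added example (not CloudDefense or AWS code): it takes a `DomainStatus` dict in the shape returned by `aws es describe-elasticsearch-domain` and reports whether the domain is outside a VPC and whether its access policy allows a wildcard principal with no `aws:SourceIp` restriction, recognising the Deny/`NotIpAddress` pattern shown above. The sample domains, the `203.0.113.0/24` range, the finding names and the helper names are constructed for illustration.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard(principal):
    """True for "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def _ip_gated(stmt, operator):
    """True if stmt tests aws:SourceIp with `operator` against non-global CIDRs."""
    for op, operands in (stmt.get("Condition") or {}).items():
        for key, cidrs in operands.items():
            if (op.lower() == operator and key.lower() == "aws:sourceip"
                    and "0.0.0.0/0" not in _as_list(cidrs)):
                return True
    return False

def assess_domain(status):
    """Findings for one DomainStatus dict. Action/Resource scope is not compared."""
    if (status.get("VPCOptions") or {}).get("VPCId"):
        return []  # VPC endpoint: not reachable from the public internet
    findings = ["not_in_vpc"]
    policy = json.loads(status.get("AccessPolicies") or "{}")
    stmts = _as_list(policy.get("Statement", []))
    # A blanket Deny with NotIpAddress (the policy above) gates every Allow.
    deny_gate = any(s.get("Effect") == "Deny" and _wildcard(s.get("Principal"))
                    and _ip_gated(s, "notipaddress") for s in stmts)
    open_allow = any(s.get("Effect") == "Allow" and _wildcard(s.get("Principal"))
                     and not _ip_gated(s, "ipaddress") for s in stmts)
    if open_allow and not deny_gate:
        findings.append("open_access_policy")
    return findings

# Constructed sample inputs (not real domains or addresses).
def make_policy(*stmts):
    return json.dumps({"Version": "2012-10-17", "Statement": list(stmts)})

ALLOW_ALL = {"Effect": "Allow", "Principal": "*", "Action": "es:*", "Resource": "*"}
DENY_OUTSIDE = {"Effect": "Deny", "Principal": "*", "Action": "es:*", "Resource": "*",
                "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}
SAMPLES = {
    "public-open": {"AccessPolicies": make_policy(ALLOW_ALL)},
    "public-ip-gated": {"AccessPolicies": make_policy(ALLOW_ALL, DENY_OUTSIDE)},
    "vpc-domain": {"VPCOptions": {"VPCId": "vpc-0example"}, "AccessPolicies": make_policy(ALLOW_ALL)},
}
if __name__ == "__main__":
    print({name: assess_domain(status) for name, status in SAMPLES.items()})
```

A domain that reports only `not_in_vpc` still has a public endpoint; the IP restriction narrows who can reach it but does not satisfy the in-VPC part of the rule.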

By following these steps and implementing the provided code snippets, you can ensure that your OpenSearch domains are not publicly accessible, enhancing the security posture of your AWS environment.
