
Restrict Public Access to OpenSearch Domains

Evaluates whether OpenSearch domains are configured within a VPC and not publicly accessible, aligning with best practices for network security.

Rule: OpenSearch domains should not be publicly accessible
Framework: PCI v3.2.1
Severity: Critical

Rule Description

OpenSearch domains should not be publicly accessible to ensure compliance with PCI v3 standards. Publicly accessible domains may pose a security risk by allowing unauthorized access to sensitive data.

Troubleshooting Steps

  1. Verify the network security settings for the OpenSearch domain
  2. Check the domain configuration for any misconfigurations
  3. Review access control settings to ensure proper restrictions are in place
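As an added example (not Cloud Defense's own check), the following Python evaluates steps 1 and 3 against the DomainStatus record that the OpenSearch DescribeDomain API returns: a domain is flagged when it has no VPC placement, and its resource policy is also inspected for an unconditional "Principal": "*" grant. The two DomainStatus records at the bottom are constructed samples, not real AWS output.

```python
import json

def is_public(domain_status):
    """True when the domain has no VPC placement (public endpoint). domain_status is
    the DomainStatus dict from boto3.client("opensearch").describe_domain(DomainName=...)."""
    return not (domain_status.get("VPCOptions") or {}).get("VPCId")

def has_open_access_policy(domain_status):
    """True when a resource-policy statement allows Principal "*" with no Condition.
    AccessPolicies is a JSON string; an empty string means no policy is attached."""
    raw = domain_status.get("AccessPolicies") or ""
    for stmt in (json.loads(raw) if raw else {}).get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if not isinstance(principal, list):
            principal = [principal]
        if stmt.get("Effect") == "Allow" and "*" in principal and not stmt.get("Condition"):
            return True
    return False

def evaluate(domain_status):
    """Rule verdict for one domain: FAIL when it sits outside a VPC. The reasons list
    also records an open access policy so the reviewer sees both problems at once."""
    checks = [("not deployed in a VPC", is_public(domain_status)),
              ("access policy allows Principal * with no Condition",
               has_open_access_policy(domain_status))]
    return {"domain": domain_status.get("DomainName"),
            "status": "FAIL" if checks[0][1] else "PASS",
            "reasons": [text for text, hit in checks if hit]}

# Constructed sample DomainStatus records (placeholder names and IDs, not real AWS output).
PUBLIC_DOMAIN = {
    "DomainName": "logs-public",
    "Endpoint": "search-logs-public-example.us-east-1.es.amazonaws.com",
    "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/logs-public/*"}]}),
}
VPC_DOMAIN = {
    "DomainName": "logs-private",
    "Endpoints": {"vpc": "vpc-logs-private-example.us-east-1.es.amazonaws.com"},
    "VPCOptions": {"VPCId": "vpc-0123456789abcdef0",
                   "SubnetIds": ["subnet-0a1b2c3d"], "SecurityGroupIds": ["sg-0f1e2d3c"]},
    "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
        "Action": "es:ESHttp*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/logs-private/*"}]}),
}
```

In a real run, pass each `DomainStatus` from `describe_domain` (one call per name returned by `list_domain_names`) to `evaluate`; the public sample above yields FAIL with both reasons, the VPC sample PASS.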

Remediation Steps

To remediate the issue of OpenSearch domains being publicly accessible, follow these steps:

Step 1: Modify Network Access Control

Adjust the network access control settings to restrict access to the OpenSearch domain. Use the following CLI command to update the security group rules:

aws ec2 authorize-security-group-ingress --group-id your-security-group-id --protocol tcp --port 443 --cidr your-allowed-IP-range

Replace your-security-group-id with the actual ID of the security group associated with the OpenSearch domain (security groups apply only to domains deployed in a VPC), and your-allowed-IP-range with the IP address range that should have access.

Step 2: Enable VPC Endpoints

Utilize VPC endpoints to allow private access to the OpenSearch domain within the Virtual Private Cloud. Create an endpoint service for OpenSearch using the AWS CLI:

aws ec2 create-vpc-endpoint-service-configuration --network-load-balancer-arns your-load-balancer-arn --acceptance-required

Replace your-load-balancer-arn with the ARN of the load balancer associated with the OpenSearch domain.

Step 3: Update IAM Policies

Adjust the IAM policies to control access to the OpenSearch domain. Limit permissions to only authorized users or services. Modify the policy using the AWS IAM console or CLI:

aws iam put-role-policy --role-name your-role-name --policy-name your-policy-name --policy-document file://your-policy-document.json

Replace your-role-name, your-policy-name, and your-policy-document.json with the appropriate values for your environment.

Conclusion

By following these remediation steps, you can secure the OpenSearch domain and ensure compliance with the PCI v3 standards. Regularly monitor and review the security settings to prevent unauthorized access to sensitive data.
