Description:

Amazon OpenSearch Service (OpenSearch) domains serve OpenSearch Dashboards (Kibana on legacy Elasticsearch-engine domains) as the web interface for managing and exploring data. Dashboards is served from the domain endpoint itself, so on a public domain whose access policy allows anonymous requests, anyone who knows the endpoint can open it, which is why access to Kibana must be secured. You can do this by enabling either Amazon Cognito authentication or SAML authentication on the domain.

Rationale:

Enabling Amazon Cognito authentication or SAML authentication for Kibana protects your data by requiring users to sign in through a Cognito user pool or your own identity provider before Kibana loads, instead of relying solely on the domain access policy. This prevents unauthorized users from reading or changing your data through the web interface.

Impact:

Users must sign in before Kibana loads, so any unauthenticated or bookmarked direct access stops working, and scripts that scraped Kibana without credentials will fail. Cognito authentication needs a user pool, an identity pool and an IAM role; SAML authentication needs fine-grained access control on the domain. Requests to the domain's REST API signed with IAM credentials are not affected unless you also tighten the access policy.

Default Value:

By default, Amazon OpenSearch Service domains do not have Amazon Cognito authentication or SAML authentication enabled for Kibana.

Pre-requisites:

To enable Amazon Cognito authentication or SAML authentication for Kibana, you will need, depending on the method you choose:

  • For Amazon Cognito authentication: an Amazon Cognito user pool with a hosted UI domain configured, an Amazon Cognito identity pool, and an IAM role that OpenSearch Service can assume to configure those pools
  • For SAML authentication: fine-grained access control enabled on the domain, and a SAML 2.0 identity provider whose metadata XML you can import into the domain

Remediation Steps:

To remediate this policy, you can follow these steps:

  1. Enable Amazon Cognito authentication or SAML authentication for Kibana.
  2. Test the authentication configuration to make sure that it is working properly.

Test Plan:

To test the authentication configuration, you can follow these steps:

  1. Open the Kibana URL (https://<domain-endpoint>/_dashboards/, or /_plugin/kibana/ on legacy domains) in a private browser window without signing in. You should be redirected to the Cognito hosted UI or your identity provider's sign-in page, never shown the Kibana application itself.
  2. Sign in with a valid user from the user pool or identity provider. Kibana should load with the permissions mapped to that user.
  3. Try a user that does not exist in the pool or provider, or a wrong password. Access should be denied.
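The following is an added example (not code from the original page or from AWS) that automates step 1 of the test plan: it sends an unauthenticated request to the Dashboards path, refuses to follow redirects, and classifies the response. A 3xx to an amazoncognito.com login URL, a 3xx to any other sign-in page, or a 401/403 all mean the check passes; a 200 means Kibana is exposed. The endpoint and the "dashboards-auth-check" user agent are placeholders.

```python
"""Probe a domain endpoint for unauthenticated Kibana/Dashboards access."""
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib raises HTTPError on 3xx instead of following it;
    we want to inspect where an anonymous request is sent, not go there."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_unauthenticated(status, location=None):
    """Map the status (and Location header) of an anonymous GET to a verdict."""
    if status in (301, 302, 303, 307, 308):
        # Cognito authentication bounces the browser to the hosted UI.
        if location and "amazoncognito.com" in location:
            return "cognito-login"
        # Fine-grained access control / SAML sends the browser to a login page.
        return "redirected-to-login"
    if status in (401, 403):
        return "denied"
    if status == 200:
        return "exposed"  # the Dashboards app answered without any sign-in
    return "unknown"


def probe_dashboards(endpoint, path="/_dashboards/", timeout=10):
    """GET https://<endpoint><path> with no credentials and classify the reply.
    endpoint is the domain endpoint hostname, e.g. search-logs-abc123.us-east-1.es.amazonaws.com
    (placeholder)."""
    url = f"https://{endpoint}{path}"
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "dashboards-auth-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_unauthenticated(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        # 3xx (because of _NoRedirect) and 4xx both arrive here.
        return classify_unauthenticated(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    import sys
    print(probe_dashboards(sys.argv[1]))
```

Run it as `python probe.py search-logs-abc123.us-east-1.es.amazonaws.com`; anything other than "exposed" satisfies step 1, and "cognito-login" confirms the redirect goes to Cognito rather than to an arbitrary page.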

Implementation Plan:

To implement this policy, you can follow these steps:

  1. Enable Amazon Cognito authentication or SAML authentication for Kibana.
  2. Update the access policy of your OpenSearch Service domain so it no longer allows a wildcard (anonymous) principal. With Cognito, grant es:ESHttp* on the domain to the identity pool's authenticated IAM role; with SAML and fine-grained access control, keep the access policy limited to the IAM principals that need the REST API and let fine-grained access control authorize Kibana users.

AWS CLI Process:

To enable Amazon Cognito authentication or SAML authentication for Kibana using the AWS CLI, you can follow these steps (there is no dedicated enable command; both settings are applied with update-domain-config):

  1. Install the AWS CLI.
  2. Configure the AWS CLI with your AWS credentials.
  3. Run the following command to enable Amazon Cognito authentication for Kibana, supplying the user pool, identity pool and the IAM role OpenSearch Service may assume to configure them:
aws opensearch update-domain-config --domain-name <domain-name> --cognito-options Enabled=true,UserPoolId=<user-pool-id>,IdentityPoolId=<identity-pool-id>,RoleArn=<role-arn>
  4. To enable SAML authentication for Kibana instead (fine-grained access control must already be enabled on the domain), run the following command with your identity provider's entity ID and metadata XML:
aws opensearch update-domain-config --domain-name <domain-name> --advanced-security-options '{"SAMLOptions":{"Enabled":true,"Idp":{"EntityId":"<idp-entity-id>","MetadataContent":"<idp-metadata-xml>"},"MasterBackendRole":"<idp-admin-group>"}}'
  5. Verify the result; at least one of the two values must be true:
aws opensearch describe-domain-config --domain-name <domain-name> --query 'DomainConfig.[CognitoOptions.Options.Enabled,AdvancedSecurityOptions.Options.SAMLOptions.Enabled]'

On legacy domains managed through the es API, the equivalent command is aws es update-elasticsearch-domain-config with the same --cognito-options and --advanced-security-options parameters.
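As an added example that is not part of the original page or of AWS's own tooling, the script below covers both the Implementation Plan and the AWS CLI Process above in Python: it reads the DomainConfig object that DescribeDomainConfig returns, decides whether Cognito or SAML authentication is on and whether the access policy still admits an anonymous principal, and builds the exact UpdateDomainConfig parameters (Cognito or SAML) and the replacement access policy that remediate it. The domain name, pool IDs, ARNs and the sample DescribeDomainConfig output are constructed placeholders; the live section at the bottom assumes boto3 and credentials are available.

```python
"""Audit Kibana/Dashboards authentication on an OpenSearch Service domain and
build the UpdateDomainConfig and access-policy payloads that fix it."""
import json


def dashboards_auth_status(domain_config):
    """domain_config is the 'DomainConfig' object from DescribeDomainConfig."""
    cognito = domain_config.get("CognitoOptions", {}).get("Options", {})
    advanced = domain_config.get("AdvancedSecurityOptions", {}).get("Options", {})
    saml = advanced.get("SAMLOptions", {})
    return {
        "cognito": bool(cognito.get("Enabled")),
        # SAML only exists on top of fine-grained access control, so both
        # flags must be set for it to count as an authentication method.
        "saml": bool(advanced.get("Enabled")) and bool(saml.get("Enabled")),
    }


def is_compliant(domain_config):
    status = dashboards_auth_status(domain_config)
    return status["cognito"] or status["saml"]


def cognito_update_params(domain_name, user_pool_id, identity_pool_id, role_arn):
    """Keyword arguments for client.update_domain_config(**params) that enable
    Cognito authentication. role_arn is the role OpenSearch Service assumes
    to configure the pools (it carries AmazonOpenSearchServiceCognitoAccess)."""
    return {
        "DomainName": domain_name,
        "CognitoOptions": {
            "Enabled": True,
            "UserPoolId": user_pool_id,
            "IdentityPoolId": identity_pool_id,
            "RoleArn": role_arn,
        },
    }


def saml_update_params(domain_name, idp_entity_id, idp_metadata_xml, master_backend_role):
    """UpdateDomainConfig arguments for SAML. Fine-grained access control must
    already be enabled. master_backend_role is the IdP group value that maps
    to the all_access role; session length is capped at 60 minutes here."""
    return {
        "DomainName": domain_name,
        "AdvancedSecurityOptions": {
            "SAMLOptions": {
                "Enabled": True,
                "Idp": {"EntityId": idp_entity_id, "MetadataContent": idp_metadata_xml},
                "MasterBackendRole": master_backend_role,
                "SessionTimeoutMinutes": 60,
            }
        },
    }


def policy_allows_anonymous(policy_json):
    """True if an unconditional Allow statement has a wildcard principal,
    i.e. the endpoint answers unsigned requests from anywhere."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]):
            return True
    return False


def access_policy_for_role(domain_arn, authenticated_role_arn):
    """Replacement access policy: only the identity pool's authenticated role
    may call the domain's HTTP API, which is what Kibana uses after sign-in."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": authenticated_role_arn},
            "Action": "es:ESHttp*",
            "Resource": f"{domain_arn}/*",
        }],
    })


def audit(domain_config):
    """Findings for one domain; an empty list means the policy is satisfied."""
    findings = []
    if not is_compliant(domain_config):
        findings.append("no Cognito or SAML authentication for Dashboards")
    if policy_allows_anonymous(domain_config.get("AccessPolicies", {}).get("Options")):
        findings.append("access policy allows anonymous principal")
    return findings


# Constructed sample of DescribeDomainConfig output for an open domain.
SAMPLE_OPEN_DOMAIN = {
    "CognitoOptions": {"Options": {"Enabled": False}},
    "AdvancedSecurityOptions": {"Options": {"Enabled": False, "SAMLOptions": {"Enabled": False}}},
    "AccessPolicies": {"Options": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
                       "Resource": "arn:aws:es:us-east-1:123456789012:domain/logs/*"}],
    })},
}


if __name__ == "__main__":  # live audit of one domain; needs boto3 and credentials
    import sys
    import boto3
    client = boto3.client("opensearch")
    cfg = client.describe_domain_config(DomainName=sys.argv[1])["DomainConfig"]
    for finding in audit(cfg):
        print("FINDING:", finding)
```

To remediate with boto3, pass the output of cognito_update_params (or saml_update_params) to client.update_domain_config(**params), then set the access policy with client.update_domain_config(DomainName=..., AccessPolicies=access_policy_for_role(...)). The audit deliberately ignores statements that carry a Condition, so an IP-restricted wildcard principal is not reported as anonymous; tighten that rule if your standard forbids wildcard principals altogether.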

Using AWS GUI:

To enable Amazon Cognito authentication or SAML authentication for Kibana using the AWS Management Console, you can follow these steps:

  1. Go to the Amazon OpenSearch Service console.
  2. Click Domains in the navigation pane.
  3. Select the domain that you want to enable authentication for.
  4. Open the Security configuration tab and click Edit.
  5. For Cognito: select Enable Amazon Cognito authentication, then choose the region, user pool, identity pool and the IAM role OpenSearch Service will use to configure them. For SAML: under Fine-grained access control, select Enable SAML authentication, import your identity provider's metadata XML, and set the SAML master username or backend role.
  6. Save changes, then update the domain access policy so it no longer allows a wildcard principal (for Cognito, grant es:ESHttp* to the identity pool's authenticated role).

Backout Plan:

To back out of this policy, you can follow these steps:

  1. Disable Amazon Cognito authentication or SAML authentication for Kibana (set CognitoOptions Enabled=false, or SAMLOptions Enabled=false, with update-domain-config or in the console).
  2. Restore the domain access policy you recorded before the change. Do not replace it with an open (wildcard-principal) policy unless that is what was in place before, since that would expose the domain endpoint and Kibana to anyone.

Note:

  • This policy is applicable to all Amazon OpenSearch Service domains.
  • The default value for this policy is that Amazon Cognito authentication or SAML authentication is not enabled for Kibana.
  • The reference for this policy is the following AWS documentation: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/cognito-auth.html

Section 2:

  • Tags: opensearch, security, authentication, authorization
  • Keywords: amazon cognito, saml, kibana