Profile Applicability:
- Level 1
Description:
This check ensures that Fine-Grained Access Control (FGAC) is enabled for your Amazon Elasticsearch/Opensearch Service domains. FGAC allows you to define precise access control at the index, document, and field levels, enabling granular permission management and enhancing security.
Rationale:
Enabling Fine-Grained Access Control (FGAC) enhances data protection by allowing access control at a very detailed level within the OpenSearch domain. This control ensures that only authorized users or roles can access specific indices, documents, or fields, which reduces the risk of unauthorized access and helps with compliance to data privacy regulations.
Impact:
By enabling FGAC, you can enforce the principle of least privilege, ensuring that users and applications only have access to the data they need. However, this configuration can add complexity as it requires careful planning and management of user roles and permissions. If not configured properly, it might restrict access or disrupt workflows.
Default Value:
Fine-Grained Access Control is disabled by default in Amazon Elasticsearch/OpenSearch domains.
Pre-Requisites:
An AWS account with sufficient permissions to manage OpenSearch domains.
A basic understanding of OpenSearch's security features, including user roles and access permissions.
Knowledge of your organization's access control policies and requirements.
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to Amazon OpenSearch Service under the Services menu.
Click on Domains in the left-hand navigation panel.
Select the OpenSearch domain you want to check.
Under the Security section, check if Fine-Grained Access Control is enabled.
If Fine-Grained Access Control is enabled, you will see details about master users and role-based access controls.
If it is not enabled, you will see an option to enable FGAC and configure it.
Using AWS CLI:
Run the following command to describe the domain and check if Fine-Grained Access Control is enabled:
aws opensearch describe-domain --domain-name <your-domain-name>
Check the Advanced Security Options field in the response. Look for the Fine Grained Access Control setting:
{
"DomainStatus": {
"DomainName": "your-domain-name",
"AdvancedSecurityOptions": {
"Enabled": true,
"MasterUserOptions": {
"MasterUserName": "your-master-username"
},
"DomainEndpointOptions": {
"FineGrainedAccessControl": {
"Enabled": true
}
}
}
}
}If Fine Grained Access Control is enabled, the Enabled field will be set to true. If it is disabled, it will not appear or will be set to false.
Implementation Plan:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to Amazon OpenSearch Service.
Select the domain you wish to modify.
In the Security section, enable Fine-Grained Access Control.
Configure Master User credentials and role-based access controls for different users and groups.
Click Save to apply the configuration.
Using AWS CLI:
To enable Fine-Grained Access Control when creating a new domain, use the following command:
aws opensearch create-domain --domain-name <your-domain-name> --advanced-security-options "Enabled=true,MasterUserOptions={MasterUserName=<master-username>,MasterUserPassword=<master-password>}"
To enable it for an existing domain, use:
aws opensearch update-domain-config --domain-name <your-domain-name> --advanced-security-options "Enabled=true,MasterUserOptions={MasterUserName=<master-username>,MasterUserPassword=<master-password>}"Backout Plan:
If enabling Fine-Grained Access Control causes issues (e.g., access errors, performance degradation):
Identify the affected domain and review the access control configuration.
Revert the changes by disabling FGAC:
aws opensearch update-domain-config --domain-name <domain-name> --advanced-options plugin.security.enabled=false
Monitor the domain to ensure it functions correctly and access is restored.
