Profile Applicability:

  • Level 1

Description:

Amazon OpenSearch Service (formerly Amazon Elasticsearch Service) is a managed service for deploying, operating and scaling OpenSearch and legacy Elasticsearch clusters. OpenSearch Dashboards (Kibana on legacy Elasticsearch domains) is the analytics and visualization front end that ships with every domain and is commonly used to explore indexed data and monitor logs. A browser cannot sign requests with AWS SigV4, so Dashboards cannot authenticate IAM principals on its own; OpenSearch Service therefore offers Amazon Cognito authentication and, on domains with fine-grained access control, SAML authentication, so that only authenticated and authorized users reach the Dashboards endpoint. This SOP outlines how to check whether Amazon Cognito or SAML authentication is enabled for Dashboards/Kibana on each OpenSearch Service domain, and how to enable it.

Rationale:

Securing access to Dashboards/Kibana is essential because the endpoint exposes every index the domain's access policy allows it to read. Without Amazon Cognito or SAML, access to Dashboards falls back to the domain's resource-based access policy (typically an IP allow-list), a signing proxy, or the fine-grained access control internal user database; an access policy that is open to all principals makes Dashboards anonymously reachable. Amazon Cognito integrates with Cognito user pools and identity pools and maps authenticated users to IAM roles; SAML integrates with an existing enterprise identity provider and maps IdP users and groups to OpenSearch security roles. Enabling one of these methods puts a real login in front of the data and allows access to be granted, reviewed and revoked centrally.

Impact:

If neither Amazon Cognito nor SAML authentication is enabled for Dashboards/Kibana:

  • Anyone who can reach the domain endpoint under its access policy can open Dashboards and query the data, with no per-user login.

  • Access cannot be traced to an individual user, which weakens audit logging and incident investigation.

  • Access is managed only through the domain access policy, not through the organization's identity provider, so joiner/leaver processes and MFA do not apply.

  • The configuration may fail organizational or regulatory access-control requirements.

Default Value:

By default, neither Amazon Cognito nor SAML authentication is enabled for Dashboards/Kibana on an OpenSearch Service domain. A new domain's Dashboards endpoint is governed only by the domain access policy (and by the internal user database if fine-grained access control was enabled at creation). Either authentication method must be configured explicitly.

Pre-requisites:

  • Access to the AWS Management Console or AWS CLI with permissions to list and describe domains (es:ListDomainNames, es:DescribeDomain) and, for remediation, es:UpdateDomainConfig.

  • Existing Amazon OpenSearch Service (or legacy Elasticsearch) domains.

  • Familiarity with the domain's security configuration, in particular fine-grained access control, the domain access policy, and the Dashboards/Kibana authentication settings.

Test Plan:

Using AWS Console:

  1. Open the Amazon OpenSearch Service console and choose Domains.

  2. Select the domain you wish to check.

  3. Open the Security configuration tab and review the OpenSearch Dashboards/Kibana settings:

     • Amazon Cognito authentication for OpenSearch Dashboards/Kibana: enabled or disabled; if enabled, the user pool, identity pool and IAM role are shown.

     • SAML authentication for OpenSearch Dashboards/Kibana (listed under Fine-grained access control): enabled or disabled; if enabled, the identity provider entity ID is shown.

  4. Repeat for every domain in every Region you use. A domain with neither method enabled fails this check; proceed to the Implementation Plan.

Using AWS CLI:

List the domains in the Region, then describe each one:

aws opensearch list-domain-names

aws opensearch describe-domain --domain-name <domain-name>

  1. In the output, review two parts of DomainStatus (there is no KibanaAuthentication section in the API):

     • CognitoOptions: "Enabled": true together with UserPoolId, IdentityPoolId and RoleArn means Amazon Cognito authentication is enabled.

     • AdvancedSecurityOptions.SAMLOptions: "Enabled": true together with an Idp block (EntityId, MetadataContent) means SAML authentication is enabled. The SAMLOptions key is absent when SAML has never been configured, and AdvancedSecurityOptions.Enabled (fine-grained access control) must itself be true for SAML to be possible.

  2. The two flags can be read directly with a JMESPath query:

aws opensearch describe-domain --domain-name <domain-name> --query 'DomainStatus.{Cognito:CognitoOptions.Enabled,SAML:AdvancedSecurityOptions.SAMLOptions.Enabled}'

  3. If both values are false or null, the domain fails this check and must be remediated. Repeat for every Region; legacy Elasticsearch domains are returned by the same commands.
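The CLI check above is manual and per-domain. The following script, an added example that is not part of the original SOP, applies the same decision logic to the DomainStatus document returned by describe-domain and reports every domain in a Region. The SAMPLE_DOMAINS are constructed, trimmed DomainStatus documents covering the cases an auditor meets: Cognito on, SAML on, nothing on with the SAMLOptions key absent, and the internal user database only with a disabled SAML stanza. audit_region() is the live path and assumes boto3 and AWS credentials.

```python
"""Audit OpenSearch Service domains for Dashboards/Kibana authentication.

Added example, not from the original SOP. evaluate_domain() classifies a
DomainStatus document as returned by `aws opensearch describe-domain` or
boto3 describe_domain/describe_domains. SAMPLE_DOMAINS are constructed.
"""
from __future__ import annotations

import sys
from typing import Any

# Constructed DomainStatus documents (only the fields this check reads).
SAMPLE_DOMAINS: list[dict[str, Any]] = [
    {   # compliant: Cognito authentication enabled
        "DomainName": "logs-prod", "Processing": False,
        "CognitoOptions": {"Enabled": True, "UserPoolId": "us-east-1_EXAMPLE1",
                           "IdentityPoolId": "us-east-1:11111111-2222-3333-4444-555555555555",
                           "RoleArn": "arn:aws:iam::123456789012:role/OpenSearchCognitoAccess"},
        "AdvancedSecurityOptions": {"Enabled": False, "InternalUserDatabaseEnabled": False},
    },
    {   # compliant: SAML under fine-grained access control
        "DomainName": "logs-saml", "Processing": False,
        "CognitoOptions": {"Enabled": False},
        "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": False,
                                    "SAMLOptions": {"Enabled": True, "SessionTimeoutMinutes": 60,
                                                    "Idp": {"EntityId": "https://idp.example.com/saml/metadata",
                                                            "MetadataContent": "<EntityDescriptor .../>"}}},
    },
    {   # non-compliant: nothing enabled; SAMLOptions key absent, as the API returns it
        "DomainName": "logs-open", "Processing": False,
        "CognitoOptions": {"Enabled": False},
        "AdvancedSecurityOptions": {"Enabled": False, "InternalUserDatabaseEnabled": False},
    },
    {   # non-compliant: internal user database only; SAML stanza present but disabled
        "DomainName": "logs-basic", "Processing": True,
        "CognitoOptions": {"Enabled": False},
        "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": True,
                                    "SAMLOptions": {"Enabled": False}},
    },
]


def evaluate_domain(status: dict[str, Any]) -> dict[str, Any]:
    """Classify one DomainStatus document against this check."""
    cognito = bool((status.get("CognitoOptions") or {}).get("Enabled", False))
    adv = status.get("AdvancedSecurityOptions") or {}
    fgac = bool(adv.get("Enabled", False))
    # SAML is only possible with fine-grained access control on, and the
    # SAMLOptions key is omitted entirely when SAML was never configured.
    saml = fgac and bool((adv.get("SAMLOptions") or {}).get("Enabled", False))
    methods = [name for name, on in (("cognito", cognito), ("saml", saml)) if on]
    return {
        "domain": status.get("DomainName"),
        "compliant": bool(methods),
        "method": "+".join(methods) or "none",
        "fine_grained_access_control": fgac,
        "internal_user_database": fgac and bool(adv.get("InternalUserDatabaseEnabled", False)),
        # A pending configuration change means the values above may not be final.
        "processing": bool(status.get("Processing", False)),
    }


def audit(statuses: list[dict[str, Any]]) -> list[dict[str, Any]]:
    return [evaluate_domain(s) for s in statuses]


def noncompliant_domains(statuses: list[dict[str, Any]]) -> list[str]:
    """Names of domains with neither Cognito nor SAML enabled, sorted."""
    return sorted(r["domain"] for r in audit(statuses) if not r["compliant"])


def audit_region(region: str) -> list[dict[str, Any]]:
    """Live audit of every domain in one Region (assumes boto3 and credentials)."""
    import boto3  # imported lazily so the offline sample path has no dependency

    client = boto3.client("opensearch", region_name=region)
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    statuses: list[dict[str, Any]] = []
    for i in range(0, len(names), 5):  # DescribeDomains accepts at most 5 names per call
        statuses.extend(client.describe_domains(DomainNames=names[i:i + 5])["DomainStatusList"])
    return audit(statuses)


if __name__ == "__main__":
    results = audit_region(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_DOMAINS)
    for r in results:
        print(f"{r['domain']:<12} compliant={r['compliant']!s:<6} method={r['method']:<13} "
              f"fgac={r['fine_grained_access_control']!s:<6} processing={r['processing']}")
    # Non-zero exit when any domain fails, so a scheduled job can alert on it.
    sys.exit(1 if any(not r["compliant"] for r in results) else 0)
```

Run it with no arguments to see the constructed samples classified, or with a Region name (for example `python audit_dashboards_auth.py us-east-1`) to audit a live account. The `processing` flag is reported because a domain mid-change may still show the old values; re-run once it is false.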

Implementation Plan:

Using AWS Console:

  1. Open the Amazon OpenSearch Service console and choose Domains.

  2. Select the domain for which you want to enable authentication.

  3. On the Security configuration tab, choose Edit.

  4. To enable Amazon Cognito authentication, select Enable Amazon Cognito authentication and choose the Cognito user pool (which must have a hosted UI domain configured), the Cognito identity pool, and the IAM role that lets OpenSearch Service configure Cognito (the AmazonOpenSearchServiceCognitoAccess managed policy grants the required permissions). Also make sure the domain access policy allows the identity pool's authenticated role to call es:ESHttp* on the domain, otherwise users log in successfully and then receive 403 errors.

  5. To enable SAML authentication, fine-grained access control must already be enabled on the domain (which in turn requires encryption at rest, node-to-node encryption and HTTPS enforcement). Select Enable SAML authentication, paste the identity provider's metadata XML, enter the IdP entity ID exactly as it appears in that metadata, and set the SAML master username or master backend role that will be mapped to the all_access role; optionally set the roles key, subject key and session time-to-live.

  6. Save the changes. The domain status shows Processing while the change is applied; verify the result afterwards using the Test Plan.

Using AWS CLI:

Describe the domain to confirm its current Dashboards/Kibana authentication settings:

aws opensearch describe-domain --domain-name <domain-name>

If Amazon Cognito authentication is not enabled, enable it with the cognito-options parameter (advanced-security-options has no Cognito fields):

aws opensearch update-domain-config --domain-name <domain-name> --cognito-options Enabled=true,UserPoolId=<user-pool-id>,IdentityPoolId=<identity-pool-id>,RoleArn=<role-arn>

If SAML authentication is not enabled, enable it through SAMLOptions. Fine-grained access control (AdvancedSecurityOptions.Enabled) must already be true. The IdP metadata XML is passed inline as a JSON string with its quotes escaped, so writing the JSON to a file and passing --advanced-security-options file://saml.json is less error-prone than quoting it on the command line:

aws opensearch update-domain-config --domain-name <domain-name> --advanced-security-options '{"SAMLOptions":{"Enabled":true,"Idp":{"EntityId":"<idp-entity-id>","MetadataContent":"<idp-metadata-xml>"},"MasterBackendRole":"<idp-group-or-role>","RolesKey":"<optional-roles-attribute>","SessionTimeoutMinutes":60}}'

  1. Confirm that the new settings are applied by describing the domain again. DomainStatus.Processing returns to false when the change has finished; describe-domain-config shows the pending values in the meantime.
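The SAML step above is where most remediation attempts go wrong: the metadata pasted is SP rather than IdP metadata, the entity ID typed does not match the metadata's entityID, or fine-grained access control is not yet enabled. The following script, an added example that is not part of the original SOP or of AWS tooling, parses the IdP metadata with the standard library, performs those checks, and builds the AdvancedSecurityOptions value that update-domain-config (or boto3 update_domain_config) expects. SAMPLE_IDP_METADATA is constructed; the 1 to 1440 minute session bound and the enable_saml() live path (which assumes boto3 and credentials) are assumptions, not taken from the page.

```python
"""Validate IdP metadata and build the SAMLOptions payload for UpdateDomainConfig.

Added example, not from the original SOP. SAMPLE_IDP_METADATA is constructed.
"""
from __future__ import annotations

import json
import xml.etree.ElementTree as ET
from typing import Any

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(metadata_xml: str) -> dict[str, Any]:
    """Return the entityID and SSO endpoints, or raise ValueError if this is not usable IdP metadata."""
    root = ET.fromstring(metadata_xml)
    tag = f"{{{MD_NS}}}EntityDescriptor"
    # Some IdPs export an EntitiesDescriptor wrapper; take its first EntityDescriptor.
    ed = root if root.tag == tag else root.find(tag)
    if ed is None:
        raise ValueError("no EntityDescriptor element found")
    entity_id = ed.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    idp = ed.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    sso = [e.get("Location") for e in idp.findall(f"{{{MD_NS}}}SingleSignOnService")]
    if not sso:
        raise ValueError("IDPSSODescriptor lists no SingleSignOnService endpoint")
    return {"entity_id": entity_id, "sso_urls": sso}


def build_saml_options(metadata_xml: str, *, master_backend_role: str | None = None,
                       master_user_name: str | None = None, entity_id: str | None = None,
                       roles_key: str | None = None, subject_key: str | None = None,
                       session_timeout_minutes: int = 60) -> dict[str, Any]:
    """Return the AdvancedSecurityOptions value for --advanced-security-options / update_domain_config."""
    if not (master_backend_role or master_user_name):
        raise ValueError("MasterBackendRole or MasterUserName is required to map an IdP identity to all_access")
    info = inspect_idp_metadata(metadata_xml)
    if entity_id is not None and entity_id != info["entity_id"]:
        raise ValueError(f"entity ID {entity_id!r} does not match metadata entityID {info['entity_id']!r}")
    if not 1 <= session_timeout_minutes <= 1440:  # 1 minute to 24 hours; assumed bound
        raise ValueError("SessionTimeoutMinutes must be between 1 and 1440")
    saml: dict[str, Any] = {
        "Enabled": True,
        "Idp": {"EntityId": info["entity_id"], "MetadataContent": metadata_xml},
        "SessionTimeoutMinutes": session_timeout_minutes,
    }
    for key, value in (("MasterBackendRole", master_backend_role), ("MasterUserName", master_user_name),
                       ("RolesKey", roles_key), ("SubjectKey", subject_key)):
        if value:  # only send the optional keys that were actually supplied
            saml[key] = value
    return {"SAMLOptions": saml}


def fgac_enabled(domain_status: dict[str, Any]) -> bool:
    """SAML requires fine-grained access control; read the flag from a DomainStatus document."""
    return bool((domain_status.get("AdvancedSecurityOptions") or {}).get("Enabled", False))


def enable_saml(domain_name: str, region: str, **kwargs: Any) -> dict[str, Any]:
    """Live path: validate first, then call UpdateDomainConfig (assumes boto3 and credentials)."""
    import boto3

    client = boto3.client("opensearch", region_name=region)
    status = client.describe_domain(DomainName=domain_name)["DomainStatus"]
    if not fgac_enabled(status):
        raise RuntimeError(f"{domain_name}: enable fine-grained access control before SAML")
    return client.update_domain_config(DomainName=domain_name,
                                       AdvancedSecurityOptions=build_saml_options(**kwargs))


if __name__ == "__main__":
    # Print the JSON you would save to saml.json and pass as file://saml.json to the CLI.
    print(json.dumps(build_saml_options(SAMPLE_IDP_METADATA, master_backend_role="opensearch-admins"), indent=2))
```

The entity ID check is deliberately exact rather than normalized: OpenSearch Service compares the Issuer in the SAML response with the configured EntityId literally, so a trailing slash or scheme difference produces a login loop with no useful error.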

Backout Plan:

If enabling Cognito or SAML authentication causes issues (e.g., login failures, or users who authenticate successfully but then receive 403 errors because the domain access policy does not grant the Cognito authenticated role, or the SAML backend role is not mapped to an OpenSearch security role):

  1. Identify the affected domain and review its authentication settings, the domain access policy and, for SAML, the role mappings in the OpenSearch security plugin.

  2. Revert the change by disabling the authentication method:

For Cognito:

aws opensearch update-domain-config --domain-name <domain-name> --cognito-options Enabled=false

For SAML:

aws opensearch update-domain-config --domain-name <domain-name> --advanced-security-options '{"SAMLOptions":{"Enabled":false}}'

  3. Monitor the domain until DomainStatus.Processing is false and confirm that access through the previous method is restored. With both methods disabled, Dashboards is again protected only by the domain access policy (or the internal user database if fine-grained access control is on), so treat the backout as temporary and re-attempt the remediation once the cause is fixed.

References:

CIS Controls Mapping:

  Version   Control ID   Control Description                                           IG1   IG2   IG3
  v8        3.4          Encrypt Data on End-User Devices
  v8        6.7          Implement Application Layer Filtering and Content Control
  v8        6.8          Define and Maintain Role-Based Access Control
  v8        14.6         Protect Information Through Access Control Lists