Description:

Amazon Elasticsearch/OpenSearch Service provides an internal user database that can be used for authenticating users without relying on external identity providers. This feature allows administrators to define and manage users directly within the service, simplifying access control for clusters.

This check ensures that the internal user database is enabled on Amazon Elasticsearch/OpenSearch domains, which allows the management of user authentication and access permissions natively within the service.

Rationale:

  • Security Control: Enabling the internal user database allows better control over user authentication and permissions directly within the domain.

  • Simplified User Management: Manage users and roles without relying on external identity providers or integrating with complex authentication mechanisms.

  • Enhanced Access Control: Supports fine-grained access control (FGAC) for better data protection.

  • Compliance: Helps meet security and compliance requirements, including SOC 2HIPAA, and GDPR.

Impact:

  • Pros:

    • Provides an additional layer of authentication and access control.

    • Simplifies user management directly within the Elasticsearch/OpenSearch domain.

    • Enhances security by enabling fine-grained access control (FGAC).

  • Cons:

    • Managing user accounts internally may not scale well for large teams.

    • Increased administrative overhead if used alongside external identity providers.

    • Potential for configuration drift if user access is not regularly reviewed.

Default Value:

  • The internal user database is disabled by default when creating an Amazon Elasticsearch/OpenSearch domain.

  • Fine-Grained Access Control needs to be explicitly enabled to use the internal user database.

Pre-Requisites:

  • IAM Permissions:

    • es:DescribeElasticsearchDomain

    • es:UpdateElasticsearchDomainConfig

    • es:DescribeDomainConfig

  • AWS CLI installed and configured.

  • Access to OpenSearch Dashboards or Kibana (if enabled) for user and role management.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to: Amazon Elasticsearch/OpenSearch Service → Domains.

  3. Select the domain you want to audit.

  4. In the left panel, go to Security → Fine-Grained Access Control.

  5. Check if Fine-Grained Access Control is enabled:

    • If enabled, check if Internal User Database is turned on.

  6. Pass Criteria:

    • Fine-Grained Access Control is enabled.

    • Internal User Database is enabled.

Using AWS CLI:

List All Elasticsearch/OpenSearch Domains:

aws es list-domain-names

Describe Each Domain's Configuration:

aws es describe-elasticsearch-domain --domain-name <your-domain-name>

Check Fine-Grained Access Control Settings:

aws es describe-elasticsearch-domain-config --domain-name <your-domain-name> --query "DomainConfig.AdvancedSecurityOptions.Options"

Expected Output:

{
  "Enabled": true,
  "InternalUserDatabaseEnabled": true
}

  1. Pass Criteria:

    • "Enabled": true (Fine-Grained Access Control is enabled)

    • "InternalUserDatabaseEnabled": true (Internal User Database is enabled)

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Console and go to Elasticsearch/OpenSearch Service.

  2. Select the domain that requires remediation.

  3. Navigate to Security Configuration → Fine-Grained Access Control.

  4. Enable Fine-Grained Access Control (if not already enabled).

  5. Enable Internal User Database.

  6. Save Changes and allow the domain to update (this may take several minutes).

Using AWS CLI:

Enable Fine-Grained Access Control with Internal User Database:

aws es update-elasticsearch-domain-config \
  --domain-name <your-domain-name> \
  --advanced-security-options Enabled=true,InternalUserDatabaseEnabled=true

Verify Configuration:

aws es describe-elasticsearch-domain-config --domain-name <your-domain-name> --query "DomainConfig.AdvancedSecurityOptions.Options"

  1. Pass Criteria:

    • "Enabled": true

    • "InternalUserDatabaseEnabled": true

Backout Plan:

To Disable Internal User Database:

aws es update-elasticsearch-domain-config \
  --domain-name <your-domain-name> \
  --advanced-security-options InternalUserDatabaseEnabled=false

To Fully Disable Fine-Grained Access Control (if needed):

aws es update-elasticsearch-domain-config \
  --domain-name <your-domain-name> \
  --advanced-security-options Enabled=false

References:

  1. Amazon OpenSearch Service – Fine-Grained Access Control

  2. AWS CLI – Elasticsearch/OpenSearch Service

  3. Amazon OpenSearch Security Plugin

CIS Controls:

Version

Control ID

Control Description

IG1

IG2

IG3

v8

6.8

Define and Maintain Role-Based Access Control – Manage access rights.

v8

8.5

Collect Detailed Audit Logs – Enable detailed logging for critical assets.

v7

14.6

Protect Information Through Access Control Lists – Apply least privilege.