Profile Applicability:
- Level 1
Description:
This control ensures that Amazon OpenSearch Service (formerly Amazon Elasticsearch Service) domains are not publicly accessible over the internet and do not have open access policies (such as an Allow statement with "Principal": "*") that grant unrestricted access. Restricting public and open access ensures that only trusted VPCs and IAM entities can connect to the domain, significantly reducing the risk of unauthorized access, data leakage, or service abuse.
Rationale:
Publicly accessible OpenSearch domains with open access policies can be exploited by attackers to exfiltrate data or manipulate search indices. Restricting access to private networks (VPCs) and enforcing IAM-based or fine-grained access control helps protect sensitive data, maintain compliance, and safeguard the integrity of search services.
Impact:
- Positive Impact:
  - Prevents unauthorized external access to the OpenSearch domain.
  - Ensures compliance with data protection and privacy standards (e.g., CIS, SOC 2, ISO 27001).
  - Reduces the attack surface of the environment.
- Negative Impact:
  - Restricting access to specific VPCs or IAM roles may require additional configuration for legitimate access (e.g., developers or applications outside the VPC, which then need a path into the VPC such as a bastion host, VPN, or proxy).
Default Value:
The endpoint type (public or VPC) is fixed when the domain is created. A domain created with a public endpoint and a permissive access policy (for example "Principal": "*") is reachable by anyone on the internet; nothing restricts it automatically. The access policy must be explicitly restricted to avoid open or public access.
Pre-Requisite:
IAM permissions:
- es:DescribeDomain
- es:UpdateDomainConfig
- es:DescribeElasticsearchDomainConfig (the OpenSearch API equivalent is es:DescribeDomainConfig)
Access to the AWS Management Console or AWS CLI.
Understanding of your environment’s VPC setup and IAM access structure.
Remediation
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon OpenSearch Service → Domains.
Select the domain to review.
Under the Network configuration section, verify:
The domain is associated with a VPC (VPC access enabled).
The Public access option is disabled.
Under Access policy, ensure that:
There is no Allow statement with "Principal": "*" (or "Principal": {"AWS": "*"}) that applies to all users. An Allow statement that is narrowed only by a Condition such as aws:SourceIp still permits anonymous access from that range and should be reviewed.
Access is limited to specific IAM users, roles, or trusted services.
Implementation Plan
Using AWS Console:
Navigate to Amazon OpenSearch Service → Domains → [Your Domain].
Under Network configuration, confirm the domain uses VPC access rather than Public access. The endpoint type cannot be changed after a domain is created: a domain that was launched with a public endpoint must be replaced by creating a new VPC domain and restoring its data from a snapshot (or reindexing) into it.
Under the Access policy section:
Click Edit access policy.
Replace any open access policy with one that restricts access: name specific IAM principals in Principal, limit Action to the es:ESHttp* operations the clients need, and set Resource to the domain ARN (with a trailing /*).
Save changes and validate the configuration: an unauthenticated request to the endpoint should be rejected with HTTP 403, and the intended clients should still succeed.
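The following script is an added example covering both the Test Plan and the Implementation Plan above; it is not code from AWS or from the CIS benchmark. It runs offline against a constructed copy of `aws opensearch describe-domain` output (the account ID 111122223333, the domain name app-search, its endpoint and the search-indexer role are made up). It flags Allow statements with a "*" principal, distinguishing a fully open statement from one narrowed by a scoping condition, reports whether the domain has a public endpoint, builds a restricted replacement policy, and prints the real `aws opensearch update-domain-config` command that would apply it.

```python
"""Audit an OpenSearch domain description for public/open access and build a
restricted replacement policy. Added example; not AWS or CIS code."""
from __future__ import annotations

import json
import shlex
from typing import Any

# Condition keys that scope an otherwise anonymous ("*") principal. A statement
# carrying one of these is still anonymous access, just narrowed, so it is
# reported at lower severity rather than silently accepted.
SCOPING_CONDITION_KEYS = {
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce",
    "aws:principalorgid", "aws:principalarn",
}

# Constructed sample of `aws opensearch describe-domain` output for a public
# domain with a wide-open policy. Account ID, ARNs and endpoint are made up.
SAMPLE_OPEN_DOMAIN: dict[str, Any] = {
    "DomainStatus": {
        "DomainName": "app-search",
        "ARN": "arn:aws:es:us-east-1:111122223333:domain/app-search",
        "Endpoint": "search-app-search-abcdef.us-east-1.es.amazonaws.com",
        "AccessPolicies": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "es:*",
                "Resource": "arn:aws:es:us-east-1:111122223333:domain/app-search/*",
            }],
        }),
    }
}


def _principals(stmt: dict[str, Any]) -> list[str]:
    """Flatten the Principal element ("*", {"AWS": "..."} or lists) to strings."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        flat: list[str] = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []


def open_statements(policy: str | dict[str, Any]) -> list[dict[str, Any]]:
    """Return Allow statements whose principal is '*', as findings.

    severity "open": no scoping condition at all (anyone, from anywhere).
    severity "scoped": anonymous access narrowed by e.g. aws:SourceIp; still
    worth review because no identity is required inside that range.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        condition = stmt.get("Condition") or {}
        keys = {k.lower() for operator in condition.values() for k in operator}
        severity = "scoped" if keys & SCOPING_CONDITION_KEYS else "open"
        findings.append({"severity": severity, "statement": stmt})
    return findings


def audit_domain(description: dict[str, Any]) -> dict[str, Any]:
    """Evaluate one describe-domain result against this control."""
    status = description["DomainStatus"]
    # VPC domains carry VPCOptions with a VPCId; public domains do not.
    in_vpc = bool(status.get("VPCOptions", {}).get("VPCId"))
    findings = open_statements(status.get("AccessPolicies") or "{}")
    wide_open = [f for f in findings if f["severity"] == "open"]
    return {
        "domain": status["DomainName"],
        "public_endpoint": not in_vpc,
        "open_statements": len(wide_open),
        "scoped_anonymous_statements": len(findings) - len(wide_open),
        "compliant": in_vpc and not wide_open,
    }


def build_restricted_policy(domain_arn: str, principal_arns: list[str],
                            source_ips: list[str] | None = None) -> dict[str, Any]:
    """Replacement policy granting es:ESHttp* only to named IAM principals,
    optionally further limited to the given source CIDRs."""
    stmt: dict[str, Any] = {
        "Effect": "Allow",
        "Principal": {"AWS": principal_arns},
        "Action": "es:ESHttp*",
        "Resource": f"{domain_arn}/*",
    }
    if source_ips:
        stmt["Condition"] = {"IpAddress": {"aws:SourceIp": source_ips}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def remediation_command(domain_name: str, policy: dict[str, Any]) -> str:
    """The CLI line that applies the policy, quoted for a POSIX shell."""
    return ("aws opensearch update-domain-config "
            f"--domain-name {shlex.quote(domain_name)} "
            f"--access-policies {shlex.quote(json.dumps(policy))}")


if __name__ == "__main__":
    print(json.dumps(audit_domain(SAMPLE_OPEN_DOMAIN), indent=2))
    fixed = build_restricted_policy(
        SAMPLE_OPEN_DOMAIN["DomainStatus"]["ARN"],
        ["arn:aws:iam::111122223333:role/search-indexer"],  # hypothetical role
        ["203.0.113.0/24"],  # documentation range standing in for an office CIDR
    )
    assert not open_statements(fixed)  # the replacement must not itself be open
    print(remediation_command("app-search", fixed))
```

To run this against a real account, feed `audit_domain` the parsed output of `aws opensearch describe-domain --domain-name <name>` and apply the generated policy only after confirming the principal ARNs and CIDRs match your environment. The script deliberately reports a "scoped" anonymous statement separately rather than passing it, because an aws:SourceIp condition narrows who can reach the domain but still requires no identity from that range.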
Backout Plan
Using AWS Console:
Navigate to Amazon OpenSearch Service → Domains → [Your Domain].
Revert the access policy to the previous version if necessary.
Ensure the domain’s endpoint accessibility (private/public) aligns with your operational requirements.