Profile Applicability:
Level 1
Description:
This control ensures that Amazon OpenSearch Service (formerly Amazon Elasticsearch Service) domains are not publicly accessible over the internet. Publicly accessible OpenSearch/Elasticsearch endpoints expose sensitive data, configuration information, and operational metadata to unauthorized users. Restricting access ensures that only trusted internal networks, applications, or VPN connections can interact with the domain securely.
Rationale:
OpenSearch domains often store business-critical logs, analytics data, and application telemetry. Exposing these domains to the public internet makes them susceptible to unauthorized access, credential brute-forcing, and data exfiltration. Restricting access to internal networks (VPC access) or tightening the domain's resource-based access policy (specific IAM principals, or an aws:SourceIp condition limited to known CIDR blocks) mitigates these risks and aligns with the principle of least privilege. This control supports compliance with CIS, ISO 27001, SOC 2, and NIST 800-53.
Impact:
Positive Impact: Prevents data leakage, unauthorized access, and exposure of analytics infrastructure by ensuring that OpenSearch/Elasticsearch domains are accessible only via private networks or authorized IPs.
Negative Impact: Applications or users outside the private network will require VPN or proxy-based access to reach the domain.
Default Value:
A domain created through the API or CLI without VPCOptions receives a public endpoint; the console requires an explicit choice between Public access and VPC access at creation time. The network type cannot be changed afterwards, so a public domain remains reachable from the internet and relies entirely on its access policy (and fine-grained access control, if enabled) to keep unauthorized clients out.
Pre-Requisite:
- IAM permissions required: es:ListDomainNames, es:DescribeDomain, es:DescribeDomainConfig, es:UpdateDomainConfig (and es:CreateDomain if a replacement VPC domain must be created).
- Defined VPC configuration or CIDR-based access control for authorized networks.
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon OpenSearch Service → Domains.
Select the domain to inspect.
Under Network, check the access type:
If the domain shows VPC access (its endpoint hostname begins with vpc-, e.g. https://vpc-domain-name.region.es.amazonaws.com), it is reachable only from the associated VPC.
If the domain shows Public access (its endpoint hostname begins with search-, e.g. https://search-domain-name.region.es.amazonaws.com), it is publicly accessible.
Verify the Access Policy:
Ensure that no statement with "Effect": "Allow" uses "Principal": "*" (or "Principal": {"AWS": "*"}) without a Condition that limits aws:SourceIp to specific CIDR blocks; such a statement grants anonymous access from any IP address. A condition of 0.0.0.0/0 (or ::/0) is not a restriction.
Note that domains configured to use only fine-grained access control carry an open access policy by design and rely on fine-grained access control for authentication; they still expose a public endpoint unless they are VPC domains.
If the domain is publicly accessible or has a permissive access policy, it is non-compliant.
Implementation Plan
Using AWS Console:
Navigate to Amazon OpenSearch Service → Domains.
Select the non-compliant domain.
Under Network, note that the access type cannot be changed on an existing domain. To move a public domain into a VPC:
Create a new domain with VPC access, choosing the subnets and security groups that limit inbound traffic to authorized sources.
Migrate the data (for example, take a manual snapshot of the public domain and restore it into the VPC domain, or reindex), repoint clients, then delete the public domain.
Until the migration completes, edit the public domain's Access Policy:
Remove any Allow statement with "Principal": "*" (or "Principal": {"AWS": "*"}) that has no source-IP condition.
Restrict access to specific IAM roles or users, AWS services, or an aws:SourceIp condition limited to known CIDR blocks.
Save the changes and validate domain connectivity within the private VPC.
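The Test Plan checks above (network type and access-policy review) and the policy restriction from the Implementation Plan, written as an added Python audit script. It is not part of this benchmark and not AWS tooling; it evaluates domain records shaped like the DomainStatus object returned by aws opensearch describe-domain. The three domain records, the account ID, the ARNs and the AppRole role name are constructed for the example.

```python
"""Audit OpenSearch Service domain records for public exposure.

Each record mirrors the DomainStatus object returned by
`aws opensearch describe-domain`: AccessPolicies is a JSON string,
VPCOptions exists only for VPC domains, and the hostname starts with
"search-" (public) or "vpc-" (VPC). All records below are constructed.
"""
import ipaddress
import json
import shlex

ACCOUNT = "123456789012"  # constructed account ID
REGION = "us-east-1"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_is_public(stmt):
    """True if an Allow statement grants anonymous access without an
    effective aws:SourceIp restriction (0.0.0.0/0 or ::/0 do not count)."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    anonymous = principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
    )
    if not anonymous:
        return False
    for key, cidrs in stmt.get("Condition", {}).get("IpAddress", {}).items():
        if key.lower() == "aws:sourceip":
            nets = [ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs)]
            if nets and all(n.prefixlen > 0 for n in nets):
                return False  # anonymous, but pinned to specific source ranges
    return True


def audit_domain(domain):
    """Return findings for one DomainStatus dict; an empty list means compliant."""
    name = domain["DomainName"]
    findings = []
    if not domain.get("VPCOptions", {}).get("VPCId"):
        findings.append(f"{name}: public endpoint {domain.get('Endpoint', '')} (no VPCOptions)")
    raw = domain.get("AccessPolicies") or "{}"
    policy = json.loads(raw) if isinstance(raw, str) else raw
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if statement_is_public(stmt):
            findings.append(f"{name}: statement {i} allows Principal '*' from any IP")
    return findings


def remediation_command(domain_name, policy):
    """AWS CLI call that replaces the access policy. This cannot move a
    domain into a VPC; that requires creating a new VPC domain."""
    return (f"aws opensearch update-domain-config --domain-name {domain_name} "
            f"--access-policies {shlex.quote(json.dumps(policy))}")


def _domain_arn(name):
    return f"arn:aws:es:{REGION}:{ACCOUNT}:domain/{name}/*"


def _policy(statement):
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


# Restrictive policy: only one named IAM role (constructed) may call the domain.
RESTRICTIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/AppRole"},
        "Action": "es:ESHttp*",
        "Resource": _domain_arn("analytics"),
    }],
}

SAMPLE_DOMAINS = [
    {   # open to the world: public endpoint and anonymous policy
        "DomainName": "logs-prod",
        "Endpoint": f"search-logs-prod-abc123.{REGION}.es.amazonaws.com",
        "AccessPolicies": _policy({"Effect": "Allow", "Principal": {"AWS": "*"},
                                   "Action": "es:*", "Resource": _domain_arn("logs-prod")}),
    },
    {   # public endpoint pinned to one office CIDR (still flagged for the endpoint)
        "DomainName": "logs-stage",
        "Endpoint": f"search-logs-stage-def456.{REGION}.es.amazonaws.com",
        "AccessPolicies": _policy({"Effect": "Allow", "Principal": "*",
                                   "Action": "es:ESHttp*", "Resource": _domain_arn("logs-stage"),
                                   "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}),
    },
    {   # compliant: VPC domain with an IAM-principal-only policy
        "DomainName": "analytics",
        "Endpoints": {"vpc": f"vpc-analytics-0a1b2c.{REGION}.es.amazonaws.com"},
        "VPCOptions": {"VPCId": "vpc-0123456789abcdef0", "SubnetIds": ["subnet-0aaa"],
                       "SecurityGroupIds": ["sg-0bbb"]},
        "AccessPolicies": json.dumps(RESTRICTIVE_POLICY),
    },
]


def audit_all(domains):
    """Map each domain name to its findings."""
    return {d["DomainName"]: audit_domain(d) for d in domains}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DOMAINS).items():
        print(name, "COMPLIANT" if not findings else findings)
    print(remediation_command("logs-prod", RESTRICTIVE_POLICY))
```

Run it as a script, or feed audit_domain the DomainStatus object from a real describe-domain call. Domains that use only fine-grained access control are flagged by the policy check because their resource policy is open by design, which matches the Test Plan's treatment of such policies.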
Backout Plan:
Using AWS Console:
- If business applications lose access after the access policy is tightened or the domain is moved into a VPC, temporarily allow their source IP ranges through an aws:SourceIp condition while transitioning them to VPN, VPC peering, or AWS PrivateLink connectivity.
- Review and revert changes only after confirming secure connectivity from authorized systems.
References:
- Amazon OpenSearch Service Access Policies
- Amazon OpenSearch VPC Access Configuration
- CIS AWS Foundations Benchmark v2.0.0 – Control 4.7
- AWS Security Best Practices Whitepaper
- AWS Well-Architected Framework – Security Pillar