--- policy: /ce/ca/aws/opensearch/domain-fine-grained-access-control logic: /ce/ca/aws/opensearch/domain-fine-grained-access-control/prod.logic.yaml executionTime: 2026-04-25T12:03:29.253886672Z generationMs: 75 executionMs: 2024 rows: - id: test1 match: true status: expected: UNDETERMINED actual: UNDETERMINED conditionIndex: expected: 101 actual: 101 conditionText: expected: CA10__advancedSecurityEnabled__c.isEmpty() actual: CA10__advancedSecurityEnabled__c.isEmpty() runtimeError: {} - id: test2 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__advancedSecurityEnabled__c') == 'false' actual: extract('CA10__advancedSecurityEnabled__c') == 'false' runtimeError: {} - id: test3 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__advancedSecurityEnabled__c') == 'true' actual: extract('CA10__advancedSecurityEnabled__c') == 'true' runtimeError: {} usedFiles: - path: /ce/ca/aws/opensearch/domain-fine-grained-access-control/policy.yaml md5Hash: 346B81DBE8DF66042D802D3AE8D58317 content: | --- names: full: "AWS OpenSearch Domain fine-grained access control is not enabled" contextual: "Domain fine-grained access control is not enabled" description: > Ensure that fine-grained access control is enabled for Amazon OpenSearch Service domains to enforce authenticated, least-privilege access to indexes, documents, fields, and APIs. type: "COMPLIANCE_POLICY" categories: - "SECURITY" frameworkMappings: - "/frameworks/cloudaware/resource-security/secure-access" - "/frameworks/aws-fsbp-v1.0.0/opensearch/07" similarPolicies: awsSecurityHub: - name: "[Opensearch.7] OpenSearch domains should have fine-grained access control enabled" url: "https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-7" - path: /ce/ca/aws/opensearch/domain-fine-grained-access-control/prod.logic.yaml md5Hash: DD655A89D54B0649644C2958419E18EF content: | --- inputType: "CA10__CaAwsElasticsearchDomain__c" testData: - file: "test-data.json" importExtracts: - file: "/types/CA10__CaAwsElasticsearchDomain__c/object.extracts.yaml" conditions: - status: "INCOMPLIANT" currentStateMessage: "Fine-grained access control is not enabled for the OpenSearch domain." remediationMessage: "Enable fine-grained access control and configure a master user or identity provider for the OpenSearch domain." check: IS_EQUAL: left: EXTRACT: "CA10__advancedSecurityEnabled__c" right: TEXT: "false" - status: "COMPLIANT" currentStateMessage: "Fine-grained access control is enabled for the OpenSearch domain." check: IS_EQUAL: left: EXTRACT: "CA10__advancedSecurityEnabled__c" right: TEXT: "true" otherwise: status: "UNDETERMINED" currentStateMessage: "Unexpected value in the field." - path: /ce/ca/aws/opensearch/domain-fine-grained-access-control/test-data.json md5Hash: D2F02B3447AF923F51BDFEBFE631D71F content: | [ { "expectedResult": { "status": "UNDETERMINED", "conditionIndex": "101", "conditionText": "CA10__advancedSecurityEnabled__c.isEmpty()", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__advancedSecurityEnabled__c": "", "Id": "test1" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "extract('CA10__advancedSecurityEnabled__c') == 'false'", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__advancedSecurityEnabled__c": "false", "Id": "test2" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "299", "conditionText": "extract('CA10__advancedSecurityEnabled__c') == 'true'", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10__disappearanceTime__c": null, "CA10__advancedSecurityEnabled__c": "true", "Id": "test3" } ] - path: /types/CA10__CaAwsElasticsearchDomain__c/object.extracts.yaml md5Hash: C9B19E0A5971D32C19DFC4DEEA0D39EC content: | --- extracts: # Values: true | false (TEXT). Not nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__created__c" value: FIELD: path: "CA10__created__c" # Values: true | false (TEXT). Not nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__serviceSoftwareUpdateAvailable__c" value: FIELD: path: "CA10__serviceSoftwareUpdateAvailable__c" undeterminedIf: isEmpty: "The service software update status is not populated in the CMDB." # Values: true | false (TEXT). Not nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__advancedSecurityEnabled__c" value: FIELD: path: "CA10__advancedSecurityEnabled__c" undeterminedIf: isEmpty: "The fine-grained access control setting is not populated in the CMDB." # Checkbox - name: "CA10__encryptionAtRestEnabled__c" value: FIELD: path: "CA10__encryptionAtRestEnabled__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__endpoint__c" value: FIELD: path: "CA10__endpoint__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__vpcEndpoints__c" value: FIELD: path: "CA10__vpcEndpoints__c" # Checkbox - name: "CA10__nodeToNodeEncryptionEnabled__c" value: FIELD: path: "CA10__nodeToNodeEncryptionEnabled__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__logPublishingOptionsJson__c" value: FIELD: returnType: "BYTES" path: "CA10__logPublishingOptionsJson__c" - name: "caJsonFrom__logPublishingOptionsJson__c" value: JSON_FROM: arg: EXTRACT: "CA10__logPublishingOptionsJson__c" undeterminedIf: isInvalid: "Log Publishing Options JSON is invalid." # Not nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__clusterConfigInstanceCount__c" value: FIELD: path: "CA10__clusterConfigInstanceCount__c" # Not nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__clusterConfigZoneAwarenessEnabled__c" value: FIELD: path: "CA10__clusterConfigZoneAwarenessEnabled__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__clusterConfigDedicatedMasterEnabled__c" value: FIELD: path: "CA10__clusterConfigDedicatedMasterEnabled__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__clusterConfigDedicatedMasterCount__c" value: FIELD: path: "CA10__clusterConfigDedicatedMasterCount__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__endpointOptionsEnforceHttps__c" value: FIELD: path: "CA10__endpointOptionsEnforceHttps__c" # Nullable. Can't have no access retrieved via es:DescribeDomains - name: "CA10__endpointOptionsTlsSecurityPolicy__c" value: FIELD: path: "CA10__endpointOptionsTlsSecurityPolicy__c" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "UNDETERMINED", "conditionIndex" : "101", "conditionText" : "CA10__advancedSecurityEnabled__c.isEmpty()", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "extract('CA10__advancedSecurityEnabled__c') == 'false'", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "299", "conditionText" : "extract('CA10__advancedSecurityEnabled__c') == 'true'", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsElasticsearchDomain__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__advancedSecurityEnabled__c" : "", "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__advancedSecurityEnabled__c" : "false", "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10__advancedSecurityEnabled__c" : "true", "Id" : "test3" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsElasticsearchDomain__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__advancedSecurityEnabled__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function fieldChecked4() { if (TextLib.isEmpty(obj.CA10__advancedSecurityEnabled__c)) { throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__advancedSecurityEnabled__c.isEmpty()", currentStateMessage: "The fine-grained access control setting is not populated in the CMDB.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__advancedSecurityEnabled__c; } function extract3() { if (!this.out) { this.out = fieldChecked4(); } return this.out; }; references1.push('Advanced Security: Enabled [obj.CA10__advancedSecurityEnabled__c]: ' + obj.CA10__advancedSecurityEnabled__c); try { if (TextLib.equal(extract3.call(extract3), 'false')) { return {status: 'INCOMPLIANT', conditionIndex: 199, conditionText: "extract('CA10__advancedSecurityEnabled__c') == 'false'", currentStateMessage: "Fine-grained access control is not enabled for the OpenSearch domain.", currentStateReferences: references1.join('\n'), remediation: "Enable fine-grained access control and configure a master user or identity provider for the OpenSearch domain.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[2], conditionIndex:[200..299] function fieldChecked7() { if (TextLib.isEmpty(obj.CA10__advancedSecurityEnabled__c)) { throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "CA10__advancedSecurityEnabled__c.isEmpty()", currentStateMessage: "The fine-grained access control setting is not populated in the CMDB.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__advancedSecurityEnabled__c; } function extract6() { if (!this.out) { this.out = fieldChecked7(); } return this.out; }; try { if (TextLib.equal(extract6.call(extract6), 'true')) { return {status: 'COMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__advancedSecurityEnabled__c') == 'true'", currentStateMessage: "Fine-grained access control is enabled for the OpenSearch domain.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } return {status: 'UNDETERMINED', conditionIndex: 300, conditionText: "otherwise", currentStateMessage: "Unexpected value in the field.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__advancedSecurityEnabled__c AS CA10__advancedSecurityEnabled__c, sObject.Id AS Id, process_CA10__CaAwsElasticsearchDomain__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__advancedSecurityEnabled__c AS CA10__advancedSecurityEnabled__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsElasticsearchDomain__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;