
πŸ›‘οΈ AWS OpenSearch Domain fine-grained access control is not enabled🟒

  • Contextual name: 🛡️ Domain fine-grained access control is not enabled 🟢
  • ID: /ce/ca/aws/opensearch/domain-fine-grained-access-control
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Description

This policy identifies AWS OpenSearch Domains that do not have fine-grained access control enabled.

Fine-grained access control in Amazon OpenSearch Service adds authentication and authorization controls at the index, document, field, and API level. It allows you to define a master user, map users and backend roles to OpenSearch roles, and limit what identities can view or modify within the domain. This provides stronger protection than relying only on network placement or coarse domain access policies.

Rationale​

Enabling fine-grained access control helps enforce least-privilege access to search clusters that often contain sensitive operational, application, or business data. Without it, users and applications that can reach the domain may receive broader access than necessary, increasing the risk of unauthorized data exposure, destructive changes, and privilege misuse.

Impact​

Enabling fine-grained access control is a security architecture change and should be planned carefully. It requires HTTPS, encryption at rest, and node-to-node encryption. Existing access policies, Dashboards access, and application authentication flows might need to be updated to avoid access disruptions. After fine-grained access control is enabled, it cannot be disabled on the existing domain.


Remediation

Enable Fine-Grained Access Control

Fine-grained access control requires the following security settings on the domain before it can be enabled: HTTPS enforced on the endpoint, encryption at rest, and node-to-node encryption (the same prerequisites noted under Impact).

Decide whether the domain will use the internal user database or an external identity source such as IAM or SAML. Configure a master user and review the domain access policy so it does not conflict with the fine-grained authorization model.
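A pre-flight check for this policy, added here as an example and not part of the Cloudaware policy or of AWS tooling: it evaluates DescribeDomain output the way the policy does (is `AdvancedSecurityOptions.Enabled` set?) and, for a flagged domain, lists which of the prerequisites above still have to be fixed before `update-domain-config` will accept the change. The two sample domains are constructed; the field names are those of the OpenSearch DescribeDomain API.

```python
def evaluate_domain(domain_status: dict) -> dict:
    """Policy verdict for one DescribeDomain 'DomainStatus' dict, plus the
    FGAC prerequisites (HTTPS, encryption at rest, node-to-node) still missing."""
    aso = domain_status.get("AdvancedSecurityOptions", {})
    fgac_enabled = bool(aso.get("Enabled", False))

    # update-domain-config refuses AdvancedSecurityOptions Enabled=true unless
    # all three of these are already true, so report them for remediation planning.
    prerequisites = {
        "EnforceHTTPS": domain_status.get("DomainEndpointOptions", {}).get("EnforceHTTPS"),
        "EncryptionAtRest": domain_status.get("EncryptionAtRestOptions", {}).get("Enabled"),
        "NodeToNodeEncryption": domain_status.get("NodeToNodeEncryptionOptions", {}).get("Enabled"),
    }
    missing = [name for name, ok in prerequisites.items() if not ok]
    return {
        "DomainName": domain_status.get("DomainName"),
        "Compliant": fgac_enabled,
        "MissingPrerequisites": missing,
        "InternalUserDatabase": bool(aso.get("InternalUserDatabaseEnabled", False)),
    }


def non_compliant_domains(domain_statuses: list) -> list:
    """Keep only the domains this policy would flag (FGAC not enabled)."""
    return [r for r in map(evaluate_domain, domain_statuses) if not r["Compliant"]]


# Constructed sample input; real input is
# boto3.client("opensearch").describe_domain(DomainName=...)["DomainStatus"].
SAMPLE_DOMAINS = [
    {   # compliant: FGAC on, all prerequisites met
        "DomainName": "logs-prod",
        "DomainEndpointOptions": {"EnforceHTTPS": True},
        "EncryptionAtRestOptions": {"Enabled": True},
        "NodeToNodeEncryptionOptions": {"Enabled": True},
        "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": True},
    },
    {   # flagged: FGAC off, and two prerequisites must be fixed before enabling it
        "DomainName": "search-dev",
        "DomainEndpointOptions": {"EnforceHTTPS": True},
        "EncryptionAtRestOptions": {"Enabled": False},
        "NodeToNodeEncryptionOptions": {"Enabled": False},
        "AdvancedSecurityOptions": {"Enabled": False},
    },
]

if __name__ == "__main__":
    for finding in non_compliant_domains(SAMPLE_DOMAINS):
        print(finding)
```

Run it against the output of `aws opensearch describe-domain` (the `DomainStatus` object) for each domain in the account to get both the policy verdict and the remediation order.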

Option 1: Use the Internal User Database

Enable fine-grained access control and configure an internal master user:

```bash
# The first four options satisfy the prerequisites; the last option turns on
# fine-grained access control with an internal master user (the line the page
# truncated is completed here with the standard update-domain-config options).
aws opensearch update-domain-config \
  --domain-name {{domain-name}} \
  --domain-endpoint-options EnforceHTTPS=true \
  --encryption-at-rest-options Enabled=true \
  --node-to-node-encryption-options Enabled=true \
  --advanced-security-options 'Enabled=true,InternalUserDatabaseEnabled=true,MasterUserOptions={MasterUserName={{master-user-name}},MasterUserPassword={{master-user-password}}}'
```

... [see more](remediation.md)

policy.yaml

Linked Framework Sections

| Section | Sub Section | Internal Rules / Policies / Flags (counts as extracted) | Compliance |
|---|---|---|---|
| 💼 AWS Foundational Security Best Practices v1.0.0 | 💼 [Opensearch.7] OpenSearch domains should have fine-grained access control enabled | 1 | no data |
| 💼 Cloudaware Framework | 💼 Secure Access | 56 | no data |
| 💼 FedRAMP High Security Controls | 💼 AC-2(1) Automated System Account Management (M)(H) | 32 | no data |
| 💼 FedRAMP High Security Controls | 💼 AC-3 Access Enforcement (L)(M)(H) | 3789 | no data |
| 💼 FedRAMP High Security Controls | 💼 AC-5 Separation of Duties (M)(H) | 22 | no data |
| 💼 FedRAMP High Security Controls | 💼 AC-6 Least Privilege (M)(H) | 81185 | no data |
| 💼 FedRAMP Low Security Controls | 💼 AC-3 Access Enforcement (L)(M)(H) | 89 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 AC-2(1) Automated System Account Management (M)(H) | 32 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 AC-3 Access Enforcement (L)(M)(H) | 89 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 AC-5 Separation of Duties (M)(H) | 22 | no data |
| 💼 FedRAMP Moderate Security Controls | 💼 AC-6 Least Privilege (M)(H) | 685 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 138 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 190 | no data |
| 💼 NIST CSF v2.0 | 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 128 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 AC-2(1) Account Management _ Automated System Account Management | 432 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 AC-3 Access Enforcement | 15565 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 AC-3(7) Access Enforcement _ Role-based Access Control | 36 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 AC-3(15) Access Enforcement _ Discretionary and Mandatory Access Control | 27 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 AC-5 Separation of Duties | 22 | no data |
| 💼 NIST SP 800-53 Revision 5 | 💼 AC-6 Least Privilege | 102378 | no data |