🛡️ AWS OpenSearch Domain has a public endpoint🟢

Contextual name: 🛡️ Domain has a public endpoint🟢
ID: /ce/ca/aws/opensearch/domain-vpc-endpoint
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 AWS OpenSearch Domain
- 🔌 AWS OpenSearch Domain - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [Opensearch.2] OpenSearch domains should not be publicly accessible
AWS Security Hub: [ES.2] Elasticsearch domains should not be publicly accessible

Description

Description

This policy identifies AWS OpenSearch Domains that are configured with a public endpoint, making them accessible from the internet instead of being deployed within a VPC, which provides an additional layer of network security.

Rationale

Hosting OpenSearch domains within a VPC isolates them from the public internet and allows you to control access using security groups and network ACLs. Conversely, exposing an OpenSearch domain through a public endpoint increases its attack surface, making it more susceptible to unauthorized access, data exfiltration, and denial-of-service (DoS) attacks.

Impact

Even when protected by fine-grained access control policies, a public endpoint remains a less secure configuration compared to VPC isolation.

Remediation requires re-creating the domain within a VPC and migrating data from the existing public domain to the new, VPC-based one.

Audit

This policy flags an AWS OpenSearch Domain as INCOMPLIANT if the Endpoint field is not empty, indicating that the domain is configured with a public endpoint and does not reside within a VPC.

Remediation

Open File

Remediation

OpenSearch Domain Migration: Public to VPC

Prerequisites

Existing snapshot repository registered and functional

IAM roles & permissions already configured for snapshot operations

S3 bucket with appropriate access policies

VPC infrastructure prepared (subnets, security groups, route tables)

Application team engaged for coordinated cutover

Migration Steps

1. Create a Snapshot

Take a manual snapshot from the existing public domain:
curl -XPUT -u {{master-username}}:{{password}} \
"https://{{public-endpoint}}/_snapshot/{{existing-repository}}/migration-$(date +%Y%m%d-%H%M)" \
?wait_for_completion=true
Verification:
curl -XGET -u {{master-username}}:{{password}} \
"https://{{public-endpoint}}/_snapshot/{{existing-repository}}/_all"
2. Provision VPC Domain

Create the new domain with the same configuration:
aws opensearch create-domain \
    --domain-name {{new-domain-name}} \
    --vpc-options SubnetIds={{subnet-ids}},SecurityGroupIds={{security-group-ids}} \

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.2] Elasticsearch domains should not be publicly accessible			1	no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.2] OpenSearch domains should not be publicly accessible			1	no data
💼 Cloudaware Framework → 💼 Network Exposure			137	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	90	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	39	112	no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	68	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	12	85	no data
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			19	no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	88	no data
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			19	no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			20	no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			37	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			90	no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			90	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		94	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			68	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		85	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			19	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		72	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			19	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			185	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			182	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			144	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			196	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			167	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			197	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			129	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	6	66	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			36	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	76	131	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		42	68	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	78	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		19	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	8	98	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			19	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			35	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			37	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			20	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			37	no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	67	no data
💼 PCI DSS v3.2.1 → 💼 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.		6	30	no data
💼 PCI DSS v3.2.1 → 💼 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.			30	no data
💼 PCI DSS v3.2.1 → 💼 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.			15	no data
💼 PCI DSS v3.2.1 → 💼 1.3.5 Permit only “established” connections into the network.			30	no data
💼 PCI DSS v3.2.1 → 💼 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.			15	no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			67	no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			67	no data
💼 PCI DSS v4.0.1 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.			30	no data
💼 PCI DSS v4.0.1 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			15	no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		9	67	no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			67	no data
💼 PCI DSS v4.0 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.		9	30	no data
💼 PCI DSS v4.0 → 💼 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.			15	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Impact​

Audit​

Remediation​

Remediation​

OpenSearch Domain Migration: Public to VPC​

Prerequisites​

Migration Steps​

1. Create a Snapshot​

2. Provision VPC Domain​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Impact

Audit

Remediation

Remediation

OpenSearch Domain Migration: Public to VPC

Prerequisites

Migration Steps

1. Create a Snapshot

2. Provision VPC Domain

policy.yaml

Linked Framework Sections