Fine-Grained Access Control Should Be Enabled for OpenSearch Service Domains
More Info:
This rule checks whether Amazon OpenSearch Service domains have fine-grained access control enabled. Fine-grained access control provides enhanced security by allowing more granular control over access to OpenSearch resources. The rule is marked as non-compliant if AdvancedSecurityOptions is not enabled for the OpenSearch Service domain.
Risk Level: Medium
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
To remediate the misconfiguration by enabling Fine-Grained Access Control on an AWS OpenSearch Service domain, you can follow these steps using the AWS Management Console:
- Navigate to the Amazon OpenSearch Service Console:
  - Go to the AWS Management Console (https://aws.amazon.com/console/).
  - In the “Find Services” search bar, type “OpenSearch Service” and click on it to open the OpenSearch Service console.
- Select the OpenSearch Service Domain:
  - In the OpenSearch dashboard, select the domain for which you want to enable Fine-Grained Access Control.
- Navigate to the Security Tab:
  - In the left-hand navigation pane, click on the “Configure access and resource policies” tab under the “Domain” section.
- Enable Fine-Grained Access Control:
  - Under the “Fine-grained access control” section, click on the “Edit” button.
- Configure Fine-Grained Access Control:
  - In the Fine-grained access control configuration, you can define access policies for different resources and actions.
  - Enable Fine-Grained Access Control by toggling the switch to “Enabled”.
  - Define the access policies based on your requirements. You can set access policies for specific indices, actions, and IP addresses.
- Save Changes:
  - After configuring the Fine-Grained Access Control policies, click on the “Save changes” button to apply the changes to the OpenSearch Service domain.
- Verify the Configuration:
  - Once the changes are saved, verify that Fine-Grained Access Control is enabled by checking the settings in the Security tab of the OpenSearch Service domain.
By following these steps, you can remediate the misconfiguration by enabling Fine-Grained Access Control on an AWS OpenSearch Service domain using the AWS Management Console.
To remediate the misconfiguration by enabling Fine-Grained Access Control on an AWS OpenSearch Service domain using the AWS CLI, follow these steps:
- Identify the OpenSearch Service Domain: Use the following AWS CLI command to list all the OpenSearch Service domains in your account (the CLI service name for OpenSearch Service is "opensearch"; the older "es" commands also still work):
  aws opensearch list-domain-names
- Update the Access Policy: Once you have identified the domain, you need to update the access policy to enable Fine-Grained Access Control. You can do this by creating a new access policy JSON file or updating the existing one. Here is an example of an access policy that enables Fine-Grained Access Control (save it as access-policy.json):
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "AWS": "*" },
        "Action": "es:*",
        "Resource": "arn:aws:es:us-west-2:123456789012:domain/my-domain/*",
        "Condition": { "Bool": { "aws:SecureTransport": "true" } }
      }
    ]
  }
- Update the Access Policy: Use the following AWS CLI command to update the access policy for the OpenSearch Service domain:
  aws opensearch update-domain-config --domain-name my-domain --access-policies file://access-policy.json
- Verify the Configuration: Finally, verify that Fine-Grained Access Control has been successfully enabled on the OpenSearch Service domain by checking the domain configuration:
  aws opensearch describe-domain-config --domain-name my-domain
By following these steps and updating the access policy for the OpenSearch Service domain, you can remediate the misconfiguration by enabling Fine-Grained Access Control using the AWS CLI.
To remediate the misconfiguration by enabling fine-grained access control for AWS OpenSearch Service domains using Python, you can follow these steps:
- Install the AWS SDK for Python (Boto3) if you haven’t already. You can install it using pip:
  pip install boto3
- Use the following Python script to enable fine-grained access control for your AWS OpenSearch Service domain:

import json
import boto3

# Define the region where your OpenSearch Service domain is located
region = 'your_region'
# Define the name of your OpenSearch Service domain
domain_name = 'your_domain_name'
# Define the AWS account ID that owns the domain (used to build the domain ARN)
account_id = 'your_aws_account_id'

# Create a boto3 client for OpenSearch Service
client = boto3.client('opensearch', region_name=region)

# Domain-level access policy. Principal "*" leaves the resource policy open, so
# authorization then relies on fine-grained access control inside the domain;
# the trailing "/*" covers the domain's indices and other sub-resources.
access_policy = {
    'Version': '2012-10-17',
    'Statement': [
        {
            'Effect': 'Allow',
            'Principal': {'AWS': '*'},
            'Action': 'es:*',
            'Resource': 'arn:aws:es:{}:{}:domain/{}/*'.format(region, account_id, domain_name)
        }
    ]
}

# AccessPolicies must be passed as a JSON string, not as a dict
response = client.update_domain_config(
    DomainName=domain_name,
    AccessPolicies=json.dumps(access_policy)
)
print("Fine-grained access control has been enabled for the OpenSearch Service domain: {}".format(domain_name))

- Replace the placeholders your_region, your_domain_name, and your_aws_account_id with your actual AWS region, OpenSearch Service domain name, and AWS account ID respectively.
- Run the Python script. After successful execution, fine-grained access control will be enabled for your AWS OpenSearch Service domain.
Please ensure that you have the necessary permissions to modify the OpenSearch Service domain configuration. You may need to run this script with an IAM user or role that has the required permissions.
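The rule description above keys off AdvancedSecurityOptions, which an access-policy update alone does not set. The following is an added example (not code from the original page) that evaluates a describe_domain_config() response the way the rule does and builds the update_domain_config() call that actually enables fine-grained access control; the domain name, master user credentials, region and sample configs are assumptions.

```python
# Added example, not code from the original page. It checks a domain the way the
# rule description does (AdvancedSecurityOptions must be enabled) and builds the
# update_domain_config() request that turns fine-grained access control (FGAC) on.
# Domain names, the master user and the sample configs below are constructed.

def advanced_security_enabled(domain_config):
    """True if DomainConfig.AdvancedSecurityOptions.Options.Enabled is set."""
    options = domain_config.get('AdvancedSecurityOptions', {}).get('Options', {})
    return bool(options.get('Enabled', False))

def evaluate_domain(domain_name, domain_config):
    """Map a describe_domain_config() 'DomainConfig' dict to the rule's verdict."""
    status = 'COMPLIANT' if advanced_security_enabled(domain_config) else 'NON_COMPLIANT'
    return {'DomainName': domain_name, 'Status': status}

def fgac_update_params(domain_name, master_user, master_password):
    """Parameters for update_domain_config() that enable FGAC."""
    # FGAC requires HTTPS enforcement, node-to-node encryption and encryption at
    # rest, so those options are switched on in the same request.
    return {
        'DomainName': domain_name,
        'AdvancedSecurityOptions': {
            'Enabled': True,
            'InternalUserDatabaseEnabled': True,  # master user stored in the domain
            'MasterUserOptions': {'MasterUserName': master_user,
                                  'MasterUserPassword': master_password},
        },
        'DomainEndpointOptions': {'EnforceHTTPS': True},
        'NodeToNodeEncryptionOptions': {'Enabled': True},
        'EncryptionAtRestOptions': {'Enabled': True},
    }

def remediate(client, domain_name, master_user, master_password):
    """Re-check first; enable FGAC only on a non-compliant domain. True if changed."""
    config = client.describe_domain_config(DomainName=domain_name)['DomainConfig']
    if advanced_security_enabled(config):
        return False
    client.update_domain_config(**fgac_update_params(domain_name, master_user, master_password))
    return True

# Constructed sample configs, shaped like the 'DomainConfig' element of the response
SAMPLE_NON_COMPLIANT = {'AdvancedSecurityOptions': {'Options': {'Enabled': False}}}
SAMPLE_COMPLIANT = {'AdvancedSecurityOptions': {'Options': {'Enabled': True}}}

if __name__ == '__main__':
    import boto3  # only needed for a live run against a real domain
    client = boto3.client('opensearch', region_name='us-west-2')  # assumed region
    print(remediate(client, 'my-domain', 'admin', 'REPLACE_WITH_STRONG_PASSWORD'))
```

Enabling the encryption options on an existing domain triggers a blue/green deployment, so schedule the change accordingly.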