Fine-Grained Access Control Should Be Enabled OpenSearch Service Domains
More Info:
This rule checks whether Amazon OpenSearch Service domains have fine-grained access control enabled. Fine-grained access control provides enhanced security by allowing more granular control over access to OpenSearch resources. The rule is marked as non-compliant if AdvancedSecurityOptions is not enabled for the OpenSearch Service domain.Risk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of enabling Fine-Grained Access Control on an AWS OpenSearch Service domain, you can follow these steps using the AWS Management Console:
-
Navigate to the Amazon OpenSearch Service Console:
- Go to the AWS Management Console (https://aws.amazon.com/console/).
- In the “Find Services” search bar, type “OpenSearch Service” and click on it to open the OpenSearch Service console.
-
Select the OpenSearch Service Domain:
- In the OpenSearch dashboard, select the domain for which you want to enable Fine-Grained Access Control.
-
Navigate to the Security Tab:
- In the left-hand navigation pane, click on the “Configure access and resource policies” tab under the “Domain” section.
-
Enable Fine-Grained Access Control:
- Under the “Fine-grained access control” section, click on the “Edit” button.
-
Configure Fine-Grained Access Control:
- In the Fine-grained access control configuration, you can define access policies for different resources and actions.
- Enable the Fine-Grained Access Control by toggling the switch to “Enabled”.
- Define the access policies based on your requirements. You can set access policies for specific indices, actions, and IP addresses.
-
Save Changes:
- After configuring the Fine-Grained Access Control policies, click on the “Save changes” button to apply the changes to the OpenSearch Service domain.
-
Verify the Configuration:
- Once the changes are saved, verify that Fine-Grained Access Control is enabled by checking the settings in the Security tab of the OpenSearch Service domain.
Using CLI
Using CLI
To remediate the misconfiguration of enabling Fine-Grained Access Control on an AWS OpenSearch Service domain using AWS CLI, follow these steps:
-
Identify the OpenSearch Service Domain: Use the following AWS CLI command to list all the OpenSearch Service domains in your account:
-
Update the Access Policy: Once you have identified the domain, you need to update the access policy to enable Fine-Grained Access Control. You can do this by creating a new access policy JSON file or updating the existing one. Here is an example of an access policy that enables Fine-Grained Access Control:
-
Update the Access Policy: Use the following AWS CLI command to update the access policy for the OpenSearch Service domain:
-
Verify the Configuration: Finally, verify that Fine-Grained Access Control has been successfully enabled on the OpenSearch Service domain by checking the domain configuration:
Using Python
Using Python
To remediate the misconfiguration of enabling fine-grained access control for AWS OpenSearch Service domains using Python, you can follow these steps:
- Install the AWS SDK for Python (Boto3) if you haven’t already. You can install it using pip:
- Use the following Python script to enable fine-grained access control for your AWS OpenSearch Service domain:
-
Replace the placeholders
your_region,your_domain_name, andyour_aws_account_idwith your actual AWS region, OpenSearch Service domain name, and AWS account ID respectively. - Run the Python script. After successful execution, fine-grained access control will be enabled for your AWS OpenSearch Service domain.