Amazon OpenSearch Service domain has fine-grained access control enabled
opensearch_service_domains_access_control_enabled
This check evaluates each Amazon OpenSearch Service domain for fine-grained access control being enabled in its advanced-security-options, which provides role-based authorization at the index, document, and field levels for both API and Dashboards access.
Risk
Without fine-grained access control, identities may gain overly broad permissions, enabling unauthorized reads or writes across indices and Dashboards. This undermines confidentiality and integrity, facilitates lateral movement, and increases the blast radius of a compromised account.
prowler aws --checks opensearch_service_domains_access_control_enabled
Recommendation
Enable fine-grained access control in advanced-security-options. Define granular, role-based permissions (index/document/field) and map them to federated identities. Apply least privilege, deny-by-default, and separation of duties. Limit public access and regularly review role mappings.
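The granular, deny-by-default role described above, as an added example that is not Prowler's or AWS's code. It assumes the OpenSearch Security plugin's role and role-mapping document formats and its REST paths (`_plugins/_security/api/roles` and `.../rolesmapping`); the role name, index pattern, tenant value, field names and IAM role ARN are constructed placeholders. The lint functions refuse to install a role that grants wildcard cluster or index access, write/admin actions, or a mapping that binds no federated identity.

```python
"""Least-privilege OpenSearch Security role and role mapping, with a lint.

Added example, not code from Prowler or AWS. Assumes the OpenSearch Security
plugin's role / role-mapping document formats and REST paths. Role name,
index pattern, tenant value, field names and IAM ARN are placeholders.
"""
from __future__ import annotations

import json

ROLE_NAME = "app-logs-reader"  # placeholder

# Constructed role: read-only on one index pattern, document-level filter
# on the tenant field, a field-level allow-list, and masking of one field.
ROLE_BODY = {
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [
        {
            "index_patterns": ["app-logs-*"],
            "dls": json.dumps({"term": {"tenant": "team-a"}}),
            "fls": ["@timestamp", "message", "tenant", "user.email"],
            "masked_fields": ["user.email"],
            "allowed_actions": ["read"],
        }
    ],
    "tenant_permissions": [],
}

# Constructed mapping: grant the role to a federated IAM role (backend role),
# not to individual users and not to the master user.
ROLE_MAPPING = {
    "backend_roles": ["arn:aws:iam::123456789012:role/TeamAReadOnly"],  # placeholder
    "hosts": [],
    "users": [],
}

BROAD_CLUSTER = {"*", "cluster:*", "cluster_all"}
WRITE_OR_ADMIN = {"*", "write", "crud", "indices_all", "indices:*",
                  "indices:admin/*", "indices:data/write/*"}


def lint_role(role: dict) -> list[str]:
    """Return deny-by-default violations in a role document (empty = clean)."""
    findings: list[str] = []
    for perm in role.get("cluster_permissions", []):
        if perm in BROAD_CLUSTER:
            findings.append(f"broad cluster permission '{perm}'")
    for ip in role.get("index_permissions", []):
        patterns = ip.get("index_patterns", [])
        actions = set(ip.get("allowed_actions", []))
        if "*" in patterns:
            findings.append("index pattern '*' reaches every index")
        broad = actions & WRITE_OR_ADMIN
        if broad:
            findings.append(f"write/admin actions {sorted(broad)} on {patterns}")
        if not actions:
            findings.append(f"no allowed_actions on {patterns} (dead permission)")
    return findings


def lint_mapping(mapping: dict) -> list[str]:
    """Flag mappings that bind nothing, bind non-IAM backend roles, or rely on hosts."""
    findings: list[str] = []
    if not (mapping.get("backend_roles") or mapping.get("users") or mapping.get("hosts")):
        findings.append("mapping binds no principal")
    for br in mapping.get("backend_roles", []):
        if not br.startswith("arn:aws:iam::"):
            findings.append(f"backend role '{br}' is not an IAM ARN")
    if mapping.get("hosts"):
        findings.append("host-based mapping bypasses identity; prefer backend_roles")
    return findings


def security_api_requests(name: str, role: dict, mapping: dict) -> list[tuple[str, str, str]]:
    """(method, path, body) for the two PUTs that install the role and its mapping."""
    return [
        ("PUT", f"/_plugins/_security/api/roles/{name}", json.dumps(role)),
        ("PUT", f"/_plugins/_security/api/rolesmapping/{name}", json.dumps(mapping)),
    ]


if __name__ == "__main__":
    problems = lint_role(ROLE_BODY) + lint_mapping(ROLE_MAPPING)
    if problems:
        raise SystemExit("refusing to install: " + "; ".join(problems))
    for method, path, body in security_api_requests(ROLE_NAME, ROLE_BODY, ROLE_MAPPING):
        print(method, path, body)
```

The two PUT requests are what the master user (or an automation identity mapped to `security_manager`) would send to the domain endpoint; running the lints first keeps an over-broad role from ever reaching the cluster.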
Remediation
aws opensearch update-domain-config --domain-name <DOMAIN_NAME> --advanced-security-options '{"Enabled":true,"MasterUserOptions":{"MasterUserARN":"<MASTER_USER_ARN>"}}'
- In the AWS Console, go to Amazon OpenSearch Service
- Select your domain and choose Edit security configuration
- Enable Fine-grained access control
- Set the master user (choose IAM ARN and enter <MASTER_USER_ARN> or create an internal master user)
- Save changes and wait for the update to complete
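The same evaluation and remediation, scripted, as an added example that is not Prowler's own check implementation. It classifies DescribeDomain responses on `AdvancedSecurityOptions.Enabled`, as the check does, and additionally reports the three settings fine-grained access control requires (encryption at rest, node-to-node encryption, enforced HTTPS) so the update-domain-config call above is only emitted for domains where it can succeed. `SAMPLE_DOMAINS` are constructed responses trimmed to the fields used; the domain names, account id and ARNs are placeholders, and `evaluate_region` is the live variant that needs boto3 and credentials.

```python
"""Evaluate OpenSearch domains for fine-grained access control (FGAC).

Added example, not Prowler's check code. Mirrors the check's decision on the
DescribeDomain 'DomainStatus' shape and reports FGAC prerequisites so the
remediation is attempted only where it can succeed. SAMPLE_DOMAINS are
constructed; names, account id and ARNs are placeholders.
"""
from __future__ import annotations

import json

# Settings a domain must already have before FGAC can be enabled on it.
PREREQUISITES = (
    ("EncryptionAtRestOptions", "Enabled"),
    ("NodeToNodeEncryptionOptions", "Enabled"),
    ("DomainEndpointOptions", "EnforceHTTPS"),
)


def remediation_command(domain_name: str, master_user_arn: str) -> str:
    """The CLI call from the Remediation section, with its JSON argument built safely."""
    opts = json.dumps(
        {"Enabled": True, "MasterUserOptions": {"MasterUserARN": master_user_arn}},
        separators=(",", ":"),
    )
    return (f"aws opensearch update-domain-config --domain-name {domain_name} "
            f"--advanced-security-options '{opts}'")


def evaluate_domain(status: dict) -> dict:
    """Classify one DescribeDomain 'DomainStatus' dict as PASS/FAIL for FGAC."""
    aso = status.get("AdvancedSecurityOptions") or {}
    enabled = bool(aso.get("Enabled"))
    missing = [f"{block}.{key}" for block, key in PREREQUISITES
               if not (status.get(block) or {}).get(key)]
    result = {
        "domain": status.get("DomainName"),
        "arn": status.get("ARN"),
        "status": "PASS" if enabled else "FAIL",
        "master_user": (("internal" if aso.get("InternalUserDatabaseEnabled") else "iam")
                        if enabled else None),
        "missing_prerequisites": missing,
        "remediation": None,
    }
    if not enabled:
        result["remediation"] = (remediation_command(status["DomainName"], "<MASTER_USER_ARN>")
                                 if not missing else
                                 "enable " + ", ".join(missing) + " first, then enable FGAC")
    return result


def evaluate_all(statuses: list[dict]) -> list[dict]:
    return [evaluate_domain(s) for s in statuses]


def evaluate_region(region: str) -> list[dict]:
    """Live variant: needs boto3 and credentials allowed es:ListDomainNames and es:DescribeDomain."""
    import boto3  # imported lazily so the offline sample runs without it
    client = boto3.client("opensearch", region_name=region)
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    return evaluate_all([client.describe_domain(DomainName=n)["DomainStatus"] for n in names])


# Constructed DescribeDomain responses (trimmed to the fields used above).
SAMPLE_DOMAINS = [
    {   # compliant: FGAC on, IAM master user
        "DomainName": "search-prod", "ARN": "arn:aws:es:us-east-1:123456789012:domain/search-prod",
        "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": False},
        "EncryptionAtRestOptions": {"Enabled": True},
        "NodeToNodeEncryptionOptions": {"Enabled": True},
        "DomainEndpointOptions": {"EnforceHTTPS": True},
    },
    {   # non-compliant but ready: prerequisites met, FGAC off
        "DomainName": "search-staging", "ARN": "arn:aws:es:us-east-1:123456789012:domain/search-staging",
        "AdvancedSecurityOptions": {"Enabled": False, "InternalUserDatabaseEnabled": False},
        "EncryptionAtRestOptions": {"Enabled": True},
        "NodeToNodeEncryptionOptions": {"Enabled": True},
        "DomainEndpointOptions": {"EnforceHTTPS": True},
    },
    {   # non-compliant and not ready: two prerequisites missing
        "DomainName": "search-legacy", "ARN": "arn:aws:es:us-east-1:123456789012:domain/search-legacy",
        "AdvancedSecurityOptions": {"Enabled": False},
        "EncryptionAtRestOptions": {"Enabled": True},
        "NodeToNodeEncryptionOptions": {"Enabled": False},
        "DomainEndpointOptions": {"EnforceHTTPS": False},
    },
]

if __name__ == "__main__":
    for r in evaluate_all(SAMPLE_DOMAINS):
        print(f"{r['status']} {r['domain']} master_user={r['master_user']} "
              f"missing={r['missing_prerequisites']}")
        if r["remediation"]:
            print("   ->", r["remediation"])
```

Running the script offline prints one PASS and two FAIL lines; the staging domain gets the ready-to-run CLI command, while the legacy domain gets the list of settings to turn on first. Replace `<MASTER_USER_ARN>` with the IAM principal that will administer the security plugin before executing the command.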
Source Code
Resource Type
AwsOpenSearchServiceDomain
References
- https://repost.aws/questions/QUvejSG0WDRByFVMcDchn_5w/how-do-resource-based-access-policies-interact-with-fgac-master-users-in-amazon-opensearch-service
- https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-7
- https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-enabling
- https://ealtili.medium.com/how-to-use-fine-grained-access-control-in-amazon-opensearch-service-4dc86bffd40d