Amazon OpenSearch Service domain has either Amazon Cognito or SAML authentication enabled for Kibana
opensearch_service_domains_use_cognito_authentication_for_kibana
OpenSearch Service domains use Amazon Cognito or SAML to authenticate access to Kibana/OpenSearch Dashboards.
The evaluation identifies domains where either provider is enabled for Dashboards access.
Risk
Without federated authentication, Dashboards can be reached using weak or shared credentials or broad IP rules, enabling unauthorized queries and admin actions. This threatens:
- Confidentiality: data exposure
- Integrity: index changes or deletion
- Availability: heavy queries degrading the cluster
prowler aws --checks opensearch_service_domains_use_cognito_authentication_for_kibana
Recommendation
Enable Cognito or SAML for Dashboards and apply least privilege with fine-grained access control. Prefer SSO with MFA, avoid shared/basic credentials, and restrict access via VPC/private endpoints and network controls. Monitor with audit logs and enforce separation of duties.
Remediation
aws opensearch update-domain-config --domain-name <DOMAIN_NAME> --cognito-options Enabled=true,UserPoolId=<USER_POOL_ID>,IdentityPoolId=<IDENTITY_POOL_ID>,RoleArn=<ROLE_ARN>
- In the AWS console, go to OpenSearch Service > Domains and select your domain
- Click Edit
- Under OpenSearch Dashboards authentication, choose Amazon Cognito and enable it
- Enter the User pool ID, Identity pool ID, and IAM role for Cognito
- Click Save changes and wait for the domain update to complete
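As an added example (not Prowler's own implementation), the Python below applies the same evaluation to DescribeDomain `DomainStatus` documents, reading `CognitoOptions.Enabled` and `AdvancedSecurityOptions.SAMLOptions.Enabled`, and can be re-run after the remediation above to confirm the domain now passes. The sample domain documents are constructed, and `fetch_domain_status` is an assumed helper showing how a practitioner would pull live data with boto3.

```python
# Added example, not Prowler's own code. Evaluates OpenSearch DomainStatus
# documents for Cognito or SAML authentication on OpenSearch Dashboards.
from dataclasses import dataclass


@dataclass
class Finding:
    domain: str
    status: str  # "PASS" or "FAIL"
    reason: str


def evaluate_dashboards_auth(domain_status: dict) -> Finding:
    """PASS when Cognito or SAML is enabled for Dashboards, else FAIL."""
    name = domain_status.get("DomainName", "<unknown>")
    cognito = domain_status.get("CognitoOptions", {}).get("Enabled", False)
    # SAML lives under fine-grained access control (AdvancedSecurityOptions).
    saml = (domain_status.get("AdvancedSecurityOptions", {})
            .get("SAMLOptions", {})
            .get("Enabled", False))
    if cognito:
        return Finding(name, "PASS", "Amazon Cognito enabled for Dashboards")
    if saml:
        return Finding(name, "PASS", "SAML enabled for Dashboards")
    # An internal user database alone is not federated authentication.
    return Finding(name, "FAIL", "Neither Cognito nor SAML enabled for Dashboards")


def run_check(domains: list) -> list:
    return [evaluate_dashboards_auth(d) for d in domains]


def fetch_domain_status(domain_name: str) -> dict:
    """Assumed helper: pull a live DomainStatus with boto3 (needs credentials)."""
    import boto3  # imported lazily so the sample below runs offline
    return boto3.client("opensearch").describe_domain(
        DomainName=domain_name)["DomainStatus"]


# Constructed sample documents shaped like DescribeDomain output.
SAMPLE_DOMAINS = [
    {"DomainName": "logs-prod",
     "CognitoOptions": {"Enabled": True, "UserPoolId": "us-east-1_EXAMPLE"},
     "AdvancedSecurityOptions": {"Enabled": True, "SAMLOptions": {"Enabled": False}}},
    {"DomainName": "search-dev",  # fine-grained access control, internal users only
     "CognitoOptions": {"Enabled": False},
     "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": True,
                                 "SAMLOptions": {"Enabled": False}}},
    {"DomainName": "legacy", "CognitoOptions": {"Enabled": False}},
]

if __name__ == "__main__":
    for f in run_check(SAMPLE_DOMAINS):
        print(f"{f.status} {f.domain}: {f.reason}")
```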
Resource Type
AwsOpenSearchServiceDomain