lacework-global-122

Exposed OpenSearch Domain

Description

OpenSearch policies provide stateful filtering of ingress/egress network traffic to OpenSearch domains. Best practices recommend that a policy does not allow unrestricted ingress to your OpenSearch domain to prevent any unauthorized access.

Lacework reports a violation if it finds an OpenSearch domain that has a security policy with either or both of the following conditions:

• A security policy that allows all AWS Services access to a domain:

  {
  
    "Effect": "Allow",
  
    "Principal": {
  
      "AWS": "*"
  
    }
  
  }

• A security policy that allows all IP addresses access to a domain (0.0.0.0/0), for example:

  {
  
    "Effect": "Allow",
  
    "Action": "es:*",
  
    "Condition": {
  
      "IpAddress": {
  
        "aws:SourceIp": [
  
          "0.0.0.0/0"
  
        ]
  
      }
  
    }
  
  }

Remediation

1. Log in to the AWS Management Console.

2. Click Services.

3. In the service search bar, enter OpenSearch Service.

4. Browse for the violating OpenSearch domain. To find the domain, change to the AWS region that contains the OpenSearch domain, by selecting the region from the drop-down located on the right side of the toolbar.

5. Click the domain.

6. In the Actions drop-down, select the Modify access policy option.

7. In the Add or edit the access policy field, modify the access policy to limit access to specific AWS resources, services, or IP addresses. Lacework recommends utilizing the principle of least privilege by only granting access to the AWS resources, services, or IP addresses that require access to the domain.

8. Repeat these steps for all the domains in the different regions.