lacework-global-123

OpenSearch Domain should be in Virtual Private Cloud (VPC) (Automated)

Description

This policy checks for OpenSearch domains that are not in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access.

Ensure that OpenSearch domains are not attached to public subnets. See Resource-based policies in the Amazon OpenSearch Service Developer Guide: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource. Configure VPCs according to the recommended best practices: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html.

OpenSearch domains deployed within a VPC communicate with other VPC resources over the private AWS network, so traffic to the domain never traverses the public internet. This strengthens the security posture by restricting which network paths can reach the domain and its data in transit.

VPCs provide a number of network controls to secure access to OpenSearch domains, including network Access Control List (ACL) and security groups. Security Hub recommends migrating public OpenSearch domains to VPCs to take advantage of these controls.

Remediation

A domain's endpoint type is fixed at creation: a domain with a public endpoint cannot be moved into a VPC, and a domain created within a VPC cannot later be given a public endpoint. Instead, create a new domain in a VPC and migrate the data to it.

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Analytics > Amazon OpenSearch Service.
  4. Click Create domain.
  5. Enter a name for the domain.
  6. Under Network > VPC, select a VPC.
  7. Under Fine-grained access control, provide an Identity and Access Management (IAM) Amazon Resource Name (ARN) or create a master user.
  8. Click Create.

For more information on creating OpenSearch domains in a VPC: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html.

From CLI:

Create a new domain, setting the following VPC options (the subnets and security groups the domain's network interfaces will use):

aws opensearch create-domain --domain-name <domain_name> --vpc-options SubnetIds=<list_of_subnet_ids>,SecurityGroupIds=<list_of_security_group_ids>

After the data has been migrated to the new domain (for example, by restoring a manual snapshot into it), delete the violating domain:

aws opensearch delete-domain --domain-name <domain_name>
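The following is an added example, not part of the Lacework policy text or an AWS tool. It implements the same check this policy performs against the output of `aws opensearch describe-domains`: a domain is compliant only when it was created with VPC options. The sample response embedded below is constructed for the example (the domain names, ARNs, account ID and subnet/security-group IDs are invented); the field layout follows the DescribeDomains API, where a public-endpoint domain carries a top-level `Endpoint` and no `VPCOptions`. As with the policy itself, it does not inspect subnet routing, so a VPC domain in a subnet with an internet gateway route still passes.

```python
#!/usr/bin/env python3
"""Flag OpenSearch domains that have a public endpoint instead of a VPC endpoint.

Usage with real data (DescribeDomains accepts at most five domain names per call,
so batch the names if the account has more):

    aws opensearch describe-domains --domain-names \
        $(aws opensearch list-domain-names --query 'DomainNames[].DomainName' --output text) \
        | python3 check_opensearch_vpc.py

Run with no piped input, the constructed sample below is evaluated instead.
"""
import json
import sys

# Constructed sample of `aws opensearch describe-domains` output; not a real account.
# "logs-public" is the violating shape (Endpoint present, VPCOptions absent),
# "logs-private" is the compliant shape (VPCOptions present, Endpoints has a "vpc" key).
SAMPLE_DESCRIBE_DOMAINS = {
    "DomainStatusList": [
        {
            "DomainName": "logs-public",
            "ARN": "arn:aws:es:us-east-1:111122223333:domain/logs-public",
            "Endpoint": "search-logs-public-abc123.us-east-1.es.amazonaws.com",
            "EngineVersion": "OpenSearch_2.11",
        },
        {
            "DomainName": "logs-private",
            "ARN": "arn:aws:es:us-east-1:111122223333:domain/logs-private",
            "Endpoints": {"vpc": "vpc-logs-private-def456.us-east-1.es.amazonaws.com"},
            "VPCOptions": {
                "VPCId": "vpc-0abc1234",
                "SubnetIds": ["subnet-0a1b2c3d", "subnet-0e4f5a6b"],
                "SecurityGroupIds": ["sg-0123abcd"],
                "AvailabilityZones": ["us-east-1a", "us-east-1b"],
            },
            "EngineVersion": "OpenSearch_2.11",
        },
    ]
}


def is_in_vpc(domain_status):
    """True when the domain was created with a VPC endpoint.

    Mirrors lacework-global-123: only the presence of VPCOptions (a VPCId) is
    checked. Whether the chosen subnets are public or private is out of scope.
    """
    vpc_options = domain_status.get("VPCOptions") or {}
    return bool(vpc_options.get("VPCId"))


def noncompliant_domains(describe_response):
    """Return the names of domains in a DescribeDomains response that lack VPCOptions."""
    return [
        status["DomainName"]
        for status in describe_response.get("DomainStatusList", [])
        if not is_in_vpc(status)
    ]


def main():
    # Piped input is treated as real DescribeDomains JSON; a terminal means "use the sample".
    response = SAMPLE_DESCRIBE_DOMAINS if sys.stdin.isatty() else json.load(sys.stdin)
    offenders = noncompliant_domains(response)
    for name in offenders:
        # The endpoint type cannot be changed in place: a replacement VPC domain is required.
        print(f"NONCOMPLIANT: {name} has a public endpoint; create a VPC domain, "
              f"migrate the data, then delete {name}")
    for status in response.get("DomainStatusList", []):
        if is_in_vpc(status):
            print(f"ok: {status['DomainName']} is in {status['VPCOptions']['VPCId']}")
    sys.exit(1 if offenders else 0)


if __name__ == "__main__":
    main()
```

The script exits non-zero when any domain is flagged, so it can gate a pipeline or be run from a scheduled job; `describe-domains` output for five domains at a time is the only input it needs.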

References

https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-2
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html