Ensure Amazon cognito authentication is enabled for AWS ElasticSearch Domain

MEDIUM

Description

With Amazon Cognito authentication disabled, an AWS ElasticSearch Domain has no user-level authentication in front of its Dashboards (Kibana) endpoint, leaving the domain open to unauthorized access.

Remediation

In AWS Console -

  1. Sign In to the AWS Console and go to the Amazon OpenSearch Service.
  2. Under Domains, select the domain.
  3. Choose Actions, Edit security configuration.
  4. Select Enable Amazon Cognito authentication.
  5. For Region, select the Region that contains your Amazon Cognito user pool and identity pool.
  6. For Cognito user pool, select a user pool or create one.
  7. For Cognito identity pool, select an identity pool or create one.
  8. For IAM role name, use the default value of CognitoAccessForAmazonOpenSearch.
  9. Select Save changes.

In Terraform -

  1. In the aws_elasticsearch_domain resource, set the cognito_options.enabled field to true.
  2. Configure the cognito_options block with appropriate values for identity_pool_id, role_arn, and user_pool_id.
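The Terraform remediation above, shown as an added example (not part of this policy page): the weak setting that the rule flags beside the corrected one, with the IAM role the domain assumes to manage the Cognito pools. Domain names and the user pool and identity pool IDs are placeholders; the trust principal and the `AmazonESCognitoAccess` managed policy are the standard ones for this integration.

```hcl
# Weak setting: Cognito authentication disabled (or the block omitted).
# This is the configuration rule AC_AWS_0113 flags.
resource "aws_elasticsearch_domain" "insecure" {
  domain_name           = "example-insecure" # placeholder name
  elasticsearch_version = "7.10"

  cognito_options {
    enabled = false
  }
}

# IAM role the service assumes to configure the Cognito user and identity
# pools. The name matches the console default quoted on this page.
resource "aws_iam_role" "cognito_access" {
  name = "CognitoAccessForAmazonOpenSearch"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "es.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "cognito_access" {
  role       = aws_iam_role.cognito_access.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonESCognitoAccess"
}

# Corrected setting: Cognito authentication enabled and wired to the pools.
# Pool IDs are placeholders; in practice reference your own
# aws_cognito_user_pool and aws_cognito_identity_pool resources.
resource "aws_elasticsearch_domain" "compliant" {
  domain_name           = "example-compliant" # placeholder name
  elasticsearch_version = "7.10"

  cognito_options {
    enabled          = true
    user_pool_id     = "us-east-1_EXAMPLEPOOL"                              # placeholder
    identity_pool_id = "us-east-1:00000000-0000-0000-0000-000000000000"     # placeholder
    role_arn         = aws_iam_role.cognito_access.arn
  }
}
```

A scanner evaluating this rule checks `cognito_options.enabled`; the role attachment is required for the apply to succeed, not for the rule to pass.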

References:
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac-walkthrough-iam.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#cognito_options

Policy Details

Rule Reference ID: AC_AWS_0113
CSP: AWS
Remediation Available: Yes
Resource Category: Analytics
Resource Type: ElasticSearch Service

Frameworks