Ensure permissions are tightly controlled for AWS ElasticSearch Domains

HIGH

Description

An AWS Elasticsearch domain whose access policy grants sensitive permissions may lead to unauthorized access and/or a data leak.

Remediation

AWS OpenSearch (formerly ElasticSearch) can be configured to use IAM policies similar to most other Amazon services. To learn more about how to configure IAM policies to use with OpenSearch, see the AWS documentation (below).

In Terraform:

  1. In the aws_elasticsearch_domain resource, set the access_policies field to an IAM policy that grants only the access the domain's clients need.
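
The following Terraform is an added illustration, not part of the original policy page or the scanner's own code: it shows a wide-open access_policies value beside a tightened one. The domain name, region, account ID and role ARN are constructed placeholders, and the choice of allowed actions is an assumption about what a read/write client needs.

```hcl
# Added example. Domain name, region and role ARN are constructed placeholders.
variable "region" {
  type    = string
  default = "us-east-1"
}

variable "client_role_arn" {
  type        = string
  description = "IAM role allowed to query the domain (placeholder value)"
  default     = "arn:aws:iam::111122223333:role/search-client"
}

data "aws_caller_identity" "current" {}

locals {
  domain_name = "example-logs"
  domain_arn  = "arn:aws:es:${var.region}:${data.aws_caller_identity.current.account_id}:domain/${local.domain_name}"
}

# Weak: any principal may call any es: action, with no Condition to narrow it.
resource "aws_elasticsearch_domain" "weak" {
  domain_name = "${local.domain_name}-weak"

  access_policies = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "*" }
      Action    = "es:*"
      Resource  = "${local.domain_arn}-weak/*"
    }]
  })
}

# Tightened: one named IAM role, HTTP data-plane actions only, this domain only.
resource "aws_elasticsearch_domain" "restricted" {
  domain_name = local.domain_name

  access_policies = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = var.client_role_arn }
      Action    = ["es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]
      Resource  = "${local.domain_arn}/*"
    }]
  })
}
```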

References:
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac-managed.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain

Policy Details

Rule Reference ID: AC_AWS_0119
CSP: AWS
Remediation Available: Yes
Resource Category: Analytics
Resource Type: ElasticSearch Service

Frameworks