OpenSearch Accessible Only From Safelisted IP Addresses

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ES-006

Ensure that your Amazon OpenSearch domains can be accessed only from approved IP addresses, in order to protect the domains against unauthorized access. Before this rule is run by the Trend Cloud One™ – Conformity engine, the list of approved IP addresses/IP ranges must be configured in the rule settings on your Conformity account console.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using OpenSearch IP-based access policies will allow only specific IP addresses or IP address ranges to access your Amazon OpenSearch domain endpoints, acting as a firewall that prevents incoming anonymous or unauthorized requests from reaching your OpenSearch domains (clusters).


Audit

To determine if your OpenSearch domains are using IP-based access policies, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Click on the name (link) of the OpenSearch domain that you want to examine.

05 Select the Security configuration tab and check the policy available in the Access policy section. If the policy "Condition" element does not contain a specific IP address, a comma-separated list of IP addresses, or an IP address range, or the policy does not use "Condition" clauses, the selected Amazon OpenSearch domain is not implementing an IP-based access policy.

06 Repeat steps no. 4 and 5 for each Amazon OpenSearch domain available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region:

aws es list-domain-names \
  --region us-east-1 \
  --query 'DomainNames[*].DomainName'

02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

[
    "trendmicro",
    "cloudconformity"
]

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to describe the access policy defined for the selected domain:

aws es describe-elasticsearch-domain \
  --region us-east-1 \
  --domain-name trendmicro \
  --query 'DomainStatus.AccessPolicies'

04 The command output should return the access policy document in JSON format:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"
    }
  ]
}

If the access policy returned by the describe-elasticsearch-domain command output does not have any IP-based "Condition" clauses, as shown in the example above, or the "Condition" element does not include a specific IP address, a comma-separated list of IP addresses, or an IP address range, the selected Amazon OpenSearch domain is not using an IP-based access policy to filter the incoming requests.

05 Repeat steps no. 3 and 4 for each Amazon OpenSearch domain available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
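The check performed in Audit step 04 can be automated offline against the policy document that describe-elasticsearch-domain returns. The following Python script is an added example and not part of the Conformity rule or its tooling; it parses a policy document, requires every Allow statement to carry an IpAddress/aws:SourceIp condition, and (as an assumption that goes beyond the page) treats a catch-all range such as 0.0.0.0/0 as not restrictive. The sample policies are constructed from the page's own Audit and Remediation examples.

```python
import ipaddress
import json

# Assumption (not stated on the page): a catch-all range such as 0.0.0.0/0 or
# ::/0 is treated as NOT restricting access, even though it is a valid CIDR.
def _is_restrictive(cidr: str) -> bool:
    return ipaddress.ip_network(cidr, strict=False).prefixlen > 0

def _as_list(value):
    # IAM policy grammar allows a single value or a list almost everywhere.
    return value if isinstance(value, list) else [value]

def statement_is_ip_restricted(stmt: dict) -> bool:
    """True when an Allow statement carries an IpAddress/aws:SourceIp condition
    naming only specific addresses or ranges."""
    cond = stmt.get("Condition") or {}
    sources = _as_list((cond.get("IpAddress") or {}).get("aws:SourceIp", []))
    return bool(sources) and all(_is_restrictive(c) for c in sources)

def policy_uses_ip_allowlist(policy_document: str) -> bool:
    """Audit step 04 as code: every Allow statement must be IP-restricted.
    A domain with no access policy at all (empty string) also fails."""
    if not policy_document or not policy_document.strip():
        return False
    policy = json.loads(policy_document)
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"]
    return bool(allows) and all(statement_is_ip_restricted(s) for s in allows)

# Constructed sample inputs, reproducing the page's Audit and Remediation policies.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "es:*",
                   "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"}]})
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "es:*",
                   "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*",
                   "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.5/32"}}}]})
# Constructed variant: an IP condition is present but does not restrict anything.
CATCH_ALL_POLICY = RESTRICTED_POLICY.replace("10.0.0.5/32", "0.0.0.0/0")

if __name__ == "__main__":
    for name, doc in [("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY),
                      ("catch-all", CATCH_ALL_POLICY)]:
        verdict = "compliant" if policy_uses_ip_allowlist(doc) else "NOT compliant"
        print(f"{name:10s} policy: {verdict}")
```

Feed the script the string returned by `--query 'DomainStatus.AccessPolicies' --output text` for each domain listed in step 01, and any domain reported as NOT compliant is a candidate for the Remediation section below.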

Remediation / Resolution

To implement an IP-based access policy for your Amazon OpenSearch domains, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Implement IP-Based Access via Domain Policy",
  "Resources": {
    "OpenSearchDomain": {
      "Type": "AWS::OpenSearchService::Domain",
      "Properties": {
        "DomainName": "cc-opensearch-domain",
        "EngineVersion": "OpenSearch_1.1",
        "ClusterConfig": {
          "InstanceType": "t3.small.search",
          "InstanceCount": "2"
        },
        "EBSOptions": {
          "EBSEnabled": true,
          "VolumeType": "gp2",
          "VolumeSize": "50"
        },
        "AccessPolicies": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              },
              "Action": "es:*",
              "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*",
              "Condition": {
                "IpAddress": {
                  "aws:SourceIp": "10.0.0.5/32"
                }
              }
            }
          ]
        }
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Implement IP-Based Access via Domain Policy
Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: cc-opensearch-domain
      EngineVersion: OpenSearch_1.1
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: '2'
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp2
        VolumeSize: '50'
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: '*'
            Action: es:*
            Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*
            Condition:
              IpAddress:
                aws:SourceIp: 10.0.0.5/32

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_opensearch_domain" "opensearch-domain" {
  domain_name    = "cc-opensearch-domain"
  engine_version = "OpenSearch_1.1"

  cluster_config {
    instance_type  = "t3.small.search"
    instance_count = 2
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 50
    volume_type = "gp2"
  }

  # Implement IP-Based Access via Domain Policy
  # (indented heredoc so the JSON can be indented with the rest of the block)
  access_policies = <<-POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "*"
        },
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*",
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": "10.0.0.5/32"
          }
        }
      }
    ]
  }
  POLICY
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Select the OpenSearch domain that you want to reconfigure, choose Actions from the console top menu, and select Edit security configuration.

05 In the Access policy section, select the Configure domain level access policy option, choose the Visual editor tab, and perform the following actions:

  1. To limit the domain access to a specific (trusted) IP address only, select IPv4 address from the Type dropdown list, enter the trusted IPv4 address in the Principal field (e.g. 10.0.0.5/32), and choose Allow from the Action dropdown list.
  2. To restrict the domain access to specific (trusted) IP ranges only, select IPv4 address from the Type dropdown list, enter the trusted IPv4 address range in the Principal field (e.g. 10.0.15.0/24), and choose Allow from the Action dropdown list.
  3. Choose Save changes to apply the policy changes.

06 Repeat steps no. 4 and 5 to implement IP-based access for other Amazon OpenSearch domains available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Redefine the access policy attached to your Amazon OpenSearch domain and save the policy document to a JSON file named ipv4-based-access-policy.json. The following example contains an OpenSearch access policy that allows access from a specific (approved) IPv4 address only (i.e. 10.0.0.5/32), using the "Condition" clause:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.5/32"
        }
      }
    }
  ]
}

02 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to reconfigure as the identifier parameter to replace the existing access policy with the one defined at the previous step (i.e. ipv4-based-access-policy.json):

aws es update-elasticsearch-domain-config \
  --region us-east-1 \
  --domain-name trendmicro \
  --access-policies file://ipv4-based-access-policy.json

03 The command output should return the configuration information available for the modified domain:

{
    "DomainConfig": {
        "ElasticsearchVersion": {
            "Options": "7.9",
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "ElasticsearchClusterConfig": {
            "Options": {
                "InstanceType": "t3.small.elasticsearch",
                "InstanceCount": 3,
                "DedicatedMasterEnabled": false,
                "ZoneAwarenessEnabled": false,
                "WarmEnabled": false,
                "ColdStorageOptions": {
                    "Enabled": false
                }
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "EBSOptions": {
            "Options": {
                "EBSEnabled": true,
                "VolumeType": "gp2",
                "VolumeSize": 15
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "SnapshotOptions": {
            "Options": {
                "AutomatedSnapshotStartHour": 0
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },

        ...

        "AccessPolicies": {
            "Options": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\",\"Condition\":{\"IpAddress\":{\"aws:SourceIp\":\"10.0.0.5/32\"}}}]}",
            "Status": {
                "CreationDate": "2022-01-04T11:10:20.249000+00:00",
                "UpdateDate": "2022-01-04T20:00:08.400000+00:00",
                "UpdateVersion": 38,
                "State": "Processing",
                "PendingDeletion": false
            }
        },
        "CognitoOptions": {
            "Options": {
                "Enabled": false
            },
            "Status": {
                "CreationDate": "2022-01-03T19:09:03.386000+00:00",
                "UpdateDate": "2022-01-03T19:09:03.386000+00:00",
                "UpdateVersion": 9,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "EncryptionAtRestOptions": {
            "Options": {
                "Enabled": false
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "NodeToNodeEncryptionOptions": {
            "Options": {
                "Enabled": true
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T19:09:03.288000+00:00",
                "UpdateVersion": 9,
                "State": "Processing",
                "PendingDeletion": false
            }
        }
    }
}

04 Repeat steps no. 1 – 3 to implement IP-based access for other Amazon OpenSearch domains available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Dec 3, 2017