- Check for IP-Based Access
Ensure that access to your Amazon OpenSearch domains is allowed from approved IP addresses only, in order to protect the domains against unauthorized access. Before this rule is run by the Trend Cloud One™ – Conformity engine, the list of approved IP addresses/IP ranges must be configured in the rule settings, on your Conformity account console.
Using an IP-based access policy allows only specific IP addresses or IP address ranges to reach your Amazon OpenSearch domain endpoints. The policy acts as a firewall that stops anonymous or otherwise unauthorized requests before they reach your OpenSearch domains (clusters).
Audit
To determine if your OpenSearch domains are using IP-based access policies, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.
03 In the main navigation panel, under Dashboard, select Domains.
04 Click on the name (link) of the OpenSearch domain that you want to examine.
05 Select the Security configuration tab and check the policy shown in the Access policy section. If the policy has no "Condition" element, or its "Condition" element does not contain a specific IP address, a comma-separated list of IP addresses, or an IP address range, the selected Amazon OpenSearch domain is not implementing an IP-based access policy.
06 Repeat steps no. 4 and 5 for each Amazon OpenSearch domain available within the current AWS region.
07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region:
aws es list-domain-names --region us-east-1 --query 'DomainNames[*].DomainName'
02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:
[ "trendmicro", "cloudconformity" ]
03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to describe the access policy defined for the selected domain:
aws es describe-elasticsearch-domain --region us-east-1 --domain-name trendmicro --query 'DomainStatus.AccessPolicies'
04 The command output should return the access policy document in JSON format:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"
        }
    ]
}
If the access policy returned by the describe-elasticsearch-domain command has no IP-based "Condition" clause, as in the example above, or its "Condition" element does not include a specific IP address, a comma-separated list of IP addresses, or an IP address range, the selected Amazon OpenSearch domain is not using an IP-based access policy to filter incoming requests.
05 Repeat steps no. 3 and 4 for each Amazon OpenSearch domain available in the selected AWS region.
06 Change the AWS cloud region by updating the **--region** command parameter value and repeat the Audit process for other regions.
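The audit decision above can be automated over the policy document that describe-elasticsearch-domain returns. The following Python script is an added example, not part of this knowledge base page and not the Conformity rule engine; the two policy documents and the approved-source list in it are constructed samples. The script accepts the policy either as a parsed dict or as the JSON string found in DomainStatus.AccessPolicies, flags every Allow statement whose IpAddress/aws:SourceIp condition is missing, malformed or set to a whole-address-space range such as 0.0.0.0/0 (a condition in form only), and, going one step beyond the page, also reports source ranges that fall outside the approved list configured in the rule settings.

```python
import ipaddress
import json

# Constructed approved list, standing in for the IP addresses/ranges configured in the rule settings.
APPROVED_SOURCES = ["10.0.0.5/32", "10.0.15.0/24"]

# Constructed sample: the AccessPolicies value as describe-elasticsearch-domain returns it
# (a JSON document encoded as a string), with no Condition element at all.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*",
    }],
})

# Constructed sample: the same statement gated on a single approved IPv4 address.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.5/32"}},
    }],
})


def _as_list(value):
    """The policy grammar allows a single value or a list in most places."""
    return value if isinstance(value, list) else [value]


def source_ip_cidrs(statement):
    """aws:SourceIp values from the statement's IpAddress condition ([] when there are none)."""
    cidrs = []
    for operator, keys in statement.get("Condition", {}).items():
        # Only the IpAddress operator expresses "allow from these sources"; NotIpAddress or
        # IpAddressIfExists do not restrict an Allow statement the way this rule expects.
        if operator != "IpAddress":
            continue
        for key, value in keys.items():
            if key.lower() == "aws:sourceip":
                cidrs.extend(_as_list(value))
    return cidrs


def unrestricted_statements(policy):
    """Allow statements whose source-IP condition is missing, malformed, or covers every address.

    Returns (statement_index, reason) pairs; an empty list means every Allow statement
    is IP-restricted, which is the pass condition of the audit steps above.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        cidrs = source_ip_cidrs(stmt)
        if not cidrs:
            findings.append((index, "no IpAddress/aws:SourceIp condition"))
            continue
        for cidr in cidrs:
            try:
                network = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append((index, f"invalid IP address or range: {cidr!r}"))
                break
            if network.prefixlen == 0:
                # 0.0.0.0/0 or ::/0 is a Condition in form only; it admits every source.
                findings.append((index, f"{cidr} matches every source address"))
                break
    return findings


def uses_ip_based_access(policy):
    """True when the domain access policy is IP-restricted in the sense of the audit above."""
    return not unrestricted_statements(policy)


def unapproved_sources(policy, approved=APPROVED_SOURCES):
    """Source ranges in the policy that are not inside any approved address/range."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    approved_nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    outside = []
    for stmt in _as_list(policy.get("Statement", [])):
        for cidr in source_ip_cidrs(stmt):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                outside.append(cidr)
                continue
            # subnet_of() only compares networks of the same IP version.
            if not any(net.version == a.version and net.subnet_of(a) for a in approved_nets):
                outside.append(cidr)
    return outside


if __name__ == "__main__":
    for name, doc in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        verdict = "PASS" if uses_ip_based_access(doc) else "FAIL"
        print(name, verdict, unrestricted_statements(doc), unapproved_sources(doc))
```

To run it against real domains, feed the script the output of the describe-elasticsearch-domain command from step 03 for each domain name returned by list-domain-names; a domain passes only when unrestricted_statements returns nothing and unapproved_sources is empty.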
Remediation / Resolution
To implement an IP-based access policy for your Amazon OpenSearch domains, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Implement IP-Based Access via Domain Policy",
    "Resources": {
        "OpenSearchDomain": {
            "Type": "AWS::OpenSearchService::Domain",
            "Properties": {
                "DomainName": "cc-opensearch-domain",
                "EngineVersion": "OpenSearch_1.1",
                "ClusterConfig": {
                    "InstanceType": "t3.small.search",
                    "InstanceCount": "2"
                },
                "EBSOptions": {
                    "EBSEnabled": true,
                    "VolumeType": "gp2",
                    "VolumeSize": "50"
                },
                "AccessPolicies": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": "*"
                            },
                            "Action": "es:*",
                            "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*",
                            "Condition": {
                                "IpAddress": {
                                    "aws:SourceIp": "10.0.0.5/32"
                                }
                            }
                        }
                    ]
                }
            }
        }
    }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Description: Implement IP-Based Access via Domain Policy
Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: cc-opensearch-domain
      EngineVersion: OpenSearch_1.1
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: '2'
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp2
        VolumeSize: '50'
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: '*'
            Action: es:*
            Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*
            Condition:
              IpAddress:
                aws:SourceIp: 10.0.0.5/32
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_opensearch_domain" "opensearch-domain" {
  domain_name    = "cc-opensearch-domain"
  engine_version = "OpenSearch_1.1"

  cluster_config {
    instance_type  = "t3.small.search"
    instance_count = 2
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 50
    volume_type = "gp2"
  }

  # Implement IP-Based Access via Domain Policy
  access_policies = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.5/32"
        }
      }
    }
  ]
}
POLICY
}
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.
03 In the main navigation panel, under Dashboard, select Domains.
04 Select the OpenSearch domain that you want to reconfigure, choose Actions from the console top menu, and select Edit security configuration.
05 In the Access policy section, select the Configure domain level access policy option, choose the Visual editor tab, and perform the following actions:
- To limit the domain access to a specific (trusted) IP address only, select IPv4 address from the Type dropdown list, enter the trusted IPv4 address in the Principal field (e.g. 10.0.0.5/32), and choose Allow from the Action dropdown list.
- To restrict the domain access to specific (trusted) IP ranges only, select IPv4 address from the Type dropdown list, enter the trusted IPv4 address range in the Principal field (e.g. 10.0.15.0/24), and choose Allow from the Action dropdown list.
- Choose Save changes to apply the policy changes.
06 Repeat steps no. 4 and 5 to implement IP-based access for other Amazon OpenSearch domains available within the current AWS region.
07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Redefine the access policy attached to your Amazon OpenSearch domain and save the policy document to a JSON file named ipv4-based-access-policy.json. The following example contains an OpenSearch access policy that allows access from a specific (approved) IPv4 address only (i.e. 10.0.0.5/32) by means of the "Condition" clause:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "10.0.0.5/32"
                }
            }
        }
    ]
}
02 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to reconfigure as the identifier parameter to replace the existing access policy with the one defined at the previous step (i.e. ipv4-based-access-policy.json):
aws es update-elasticsearch-domain-config --region us-east-1 --domain-name trendmicro --access-policies file://ipv4-based-access-policy.json
03 The command output should return the configuration information available for the modified domain:
{
    "DomainConfig": {
        "ElasticsearchVersion": {
            "Options": "7.9",
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "ElasticsearchClusterConfig": {
            "Options": {
                "InstanceType": "t3.small.elasticsearch",
                "InstanceCount": 3,
                "DedicatedMasterEnabled": false,
                "ZoneAwarenessEnabled": false,
                "WarmEnabled": false,
                "ColdStorageOptions": {
                    "Enabled": false
                }
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "EBSOptions": {
            "Options": {
                "EBSEnabled": true,
                "VolumeType": "gp2",
                "VolumeSize": 15
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "SnapshotOptions": {
            "Options": {
                "AutomatedSnapshotStartHour": 0
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        ...
        "AccessPolicies": {
            "Options": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\",\"Condition\":{\"IpAddress\":{\"aws:SourceIp\":\"10.0.0.5/32\"}}}]}",
            "Status": {
                "CreationDate": "2022-01-04T11:10:20.249000+00:00",
                "UpdateDate": "2022-01-04T20:00:08.400000+00:00",
                "UpdateVersion": 38,
                "State": "Processing",
                "PendingDeletion": false
            }
        },
        "CognitoOptions": {
            "Options": {
                "Enabled": false
            },
            "Status": {
                "CreationDate": "2022-01-03T19:09:03.386000+00:00",
                "UpdateDate": "2022-01-03T19:09:03.386000+00:00",
                "UpdateVersion": 9,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "EncryptionAtRestOptions": {
            "Options": {
                "Enabled": false
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "NodeToNodeEncryptionOptions": {
            "Options": {
                "Enabled": true
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T19:09:03.288000+00:00",
                "UpdateVersion": 9,
                "State": "Processing",
                "PendingDeletion": false
            }
        }
    }
}
04 Repeat steps no. 1 – 3 to implement IP-based access for other Amazon OpenSearch domains available in the selected AWS region.
05 Change the AWS cloud region by updating the **--region** command parameter value and repeat the Remediation process for other regions.
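Hand-editing the policy file from step 01 is where mistakes creep in (a typo in a CIDR, host bits set in a range, or a 0.0.0.0/0 that looks like a restriction but is not). The following Python script is an added example, not part of this page and not a Conformity or AWS tool; the domain ARN, file name and approved-source list are constructed placeholders. It validates the approved addresses/ranges with the standard ipaddress module, canonicalizes a bare address such as 10.0.0.5 to 10.0.0.5/32 (a small generalization of the page's example), refuses whole-address-space ranges, and writes the document that the update-elasticsearch-domain-config --access-policies file://... parameter in step 02 consumes.

```python
import ipaddress
import json

# Constructed values; replace with your own domain ARN and the approved list from the rule settings.
DOMAIN_ARN = "arn:aws:es:us-east-1:123456789012:domain/trendmicro"
APPROVED_SOURCES = ["10.0.0.5/32", "10.0.15.0/24"]


def normalize_sources(sources):
    """Validate and canonicalize the approved addresses/ranges.

    - a bare address such as "10.0.0.5" becomes "10.0.0.5/32" (or /128 for IPv6),
    - host bits set inside a range ("10.0.15.7/24") are rejected rather than silently widened,
    - 0.0.0.0/0 and ::/0 are rejected because they would not restrict anything.
    """
    cleaned = []
    for source in sources:
        network = ipaddress.ip_network(source, strict=True)  # ValueError on malformed input
        if network.prefixlen == 0:
            raise ValueError(f"{source} covers every address and is not an IP restriction")
        cleaned.append(str(network))
    if not cleaned:
        raise ValueError("at least one approved address or range is required")
    return cleaned


def build_ip_access_policy(domain_arn, sources, actions="es:*"):
    """Domain access policy that allows the listed sources only, in the shape shown in step 01."""
    cidrs = normalize_sources(sources)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": actions,
            "Resource": f"{domain_arn}/*",
            # aws:SourceIp accepts a single string or a list; a single entry is written as a
            # plain string so the output matches the page's example exactly.
            "Condition": {"IpAddress": {"aws:SourceIp": cidrs[0] if len(cidrs) == 1 else cidrs}},
        }],
    }


def write_policy_file(path, domain_arn, sources):
    """Write the JSON file passed as --access-policies file://<path> and return the policy."""
    policy = build_ip_access_policy(domain_arn, sources)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)
    return policy


if __name__ == "__main__":
    # Constructed file name, matching the one used in the CLI steps above.
    policy = write_policy_file("ipv4-based-access-policy.json", DOMAIN_ARN, APPROVED_SOURCES)
    print(json.dumps(policy, indent=2))
```

After the file is written, step 02 applies it unchanged; because the Condition is validated before anything is sent to AWS, a malformed or non-restrictive range fails locally instead of being accepted by the service as a policy that is less restrictive than intended.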