OpenSearch Cross Account Access

Risk Level: High (not acceptable risk)
Rule ID: ES-005

Ensure that all your Amazon OpenSearch domains are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account access. Before this rule runs, the list of trusted AWS account identifiers must be configured in the rule settings, on your TrendAI Vision One™ Cloud Risk Management Dashboard.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

Allowing unknown (unauthorized) AWS accounts to access your Amazon OpenSearch domains can lead to unauthorized actions such as uploading, downloading, and deleting documents without permission. To prevent any unauthorized actions performed on your OpenSearch domains, restrict access only to trusted entities by implementing the appropriate access policies.


Audit

To determine if there are any Amazon OpenSearch domains that allow unknown cross-account access within your AWS account, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

  3. In the main navigation panel, under Dashboard, select Domains.

  4. On the selected domain description page, click the Modify access policy button from the dashboard top menu to access the domain policy.

  5. Select the Security configuration tab and identify the AWS account ID/ARN or the IAM user ARN defined as the value of the "Principal" element(s) within the policy document listed in the Access policy section.

  6. Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access the Unknown Domain Cross-Account Access rule settings, and compare the ARN(s)/ID(s) identified at the previous step against each AWS identity ARN/ID defined in the rule configuration section. If one or more ARNs/IDs are not included in the list of trusted AWS identities defined in the rule settings, the cross-account access configuration defined for the selected Amazon OpenSearch domain is not secure.

  7. Repeat steps no. 4 – 6 for each Amazon OpenSearch domain available within the current AWS region.

  8. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region:

    aws es list-domain-names \
      --region us-east-1 \
      --query 'DomainNames[*].DomainName'
    
  2. The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

    [
        "trendmicro",
        "example"
    ]
    
  3. Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to describe the access policy defined for the selected domain:

    aws es describe-elasticsearch-domain \
      --region us-east-1 \
      --domain-name trendmicro \
      --query 'DomainStatus.AccessPolicies'
    
  4. The command output should return the requested access policy document in JSON format:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123412341234:root"
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"
        }
      ]
    }
    

    Identify the AWS account ID/ARN or the IAM user ARN defined as the value of the "Principal" element(s) within the policy document returned by the describe-elasticsearch-domain command output.

  5. Sign into your TrendAI Vision One™ account to access Cloud Risk Management, access the Unknown Domain Cross-Account Access rule settings, and compare the ARN(s)/ID(s) identified at the previous step against each AWS identity ARN/ID defined in the rule configuration section. If one or more ARNs/IDs are not included in the list of trusted AWS identities defined in the rule settings, the cross-account access configuration defined for the selected Amazon OpenSearch domain is not secure.

  6. Repeat steps no. 3 – 5 for each Amazon OpenSearch domain available in the selected AWS region.

  7. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
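To automate step 5 of the CLI audit above, here is an added example (not part of the original page or of the Cloud Risk Management rule engine) that parses a domain's AccessPolicies document, which the API returns as a JSON-encoded string, and reports every Allow principal whose account is not on the trusted list. It goes beyond the single-principal policy shown above by handling principal lists, bare account IDs, the anonymous `*` principal and Deny statements; the sample policy, the untrusted IAM user and the trusted identities are constructed values.

```python
import json

# Constructed sample. The API returns AccessPolicies as a JSON-encoded string
# (see the "Options" field in the update output), so the checker parses it.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123412341234:root",
                               "arn:aws:iam::999988887777:user/analyst"]},
         "Action": "es:*",
         "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "es:*",  # grants nothing
         "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"},
    ],
})
# Trusted identities as entered in the rule settings (hypothetical values):
# bare 12-digit account IDs or full ARNs.
TRUSTED = {"123412341234", "arn:aws:iam::123456789012:root"}

def account_of(identity: str) -> str:
    """Reduce a bare account ID or an ARN to its 12-digit account ID."""
    if identity.isdigit() and len(identity) == 12:
        return identity
    parts = identity.split(":")  # arn:partition:service:region:account:resource
    if len(parts) >= 6 and parts[0] == "arn":
        return parts[4]
    return identity  # "*" and anything unrecognised pass through unchanged

def allowed_principals(policy_json: str) -> list[str]:
    """Collect every AWS principal granted by an Allow statement."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous access: always flagged
            found.append("*")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        found.extend([aws] if isinstance(aws, str) else aws)
    return found

def untrusted_principals(policy_json: str, trusted: set[str]) -> list[str]:
    """Principals outside the trusted list; an empty result means the domain passes."""
    trusted_accounts = {account_of(t) for t in trusted}
    return [p for p in allowed_principals(policy_json)
            if p == "*" or account_of(p) not in trusted_accounts]
```

Feed it the string printed by the describe-elasticsearch-domain query above; a non-empty list means the domain fails the check exactly as step 5 describes.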

Remediation / Resolution

To update your Amazon OpenSearch domain access policy in order to allow cross-account access to trusted AWS identities only, perform the following operations:

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
    	"AWSTemplateFormatVersion": "2010-09-09",
    	"Description": "Allow Cross-Account Access to Trusted AWS Identities Only via Domain Policy",
    	"Resources": {
    		"OpenSearchDomain": {
    			"Type":"AWS::OpenSearchService::Domain",
    			"Properties": {
    				"DomainName": "cc-opensearch-domain",
    				"EngineVersion": "OpenSearch_1.1",
    				"ClusterConfig": {
    					"InstanceType": "t3.small.search",
    					"InstanceCount": "2"
    				},
    				"EBSOptions": {
    					"EBSEnabled": true,
    					"VolumeType": "gp2",
    					"VolumeSize": "50"
    				},
    				"AccessPolicies": {
    					"Version":"2012-10-17",
    					"Statement":[
    					{
    						"Effect": "Allow",
    						"Principal": {
    							"AWS": "arn:aws:iam::123412341234:root"
    						},
    						"Action":"es:*",
    						"Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
    					}
    					]
    				}
    			}
    		}
    	}
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Allow Cross-Account Access to Trusted AWS Identities Only via Domain Policy
    Resources:
      OpenSearchDomain:
        Type: AWS::OpenSearchService::Domain
        Properties:
          DomainName: cc-opensearch-domain
          EngineVersion: OpenSearch_1.1
          ClusterConfig:
            InstanceType: t3.small.search
            InstanceCount: '2'
          EBSOptions:
            EBSEnabled: true
            VolumeType: gp2
            VolumeSize: '50'
          AccessPolicies:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  AWS: arn:aws:iam::123412341234:root
                Action: es:*
                Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
    	required_providers {
    		aws = {
    			source  = "hashicorp/aws"
    			version = "~> 4.0"
    		}
    	}
    
    	required_version = ">= 0.14.9"
    }
    
    provider "aws" {
    	region  = "us-east-1"
    }
    
    resource "aws_opensearch_domain" "opensearch-domain" {
    	domain_name = "cc-opensearch-domain"
    	engine_version = "OpenSearch_1.1"
    
    	cluster_config {
    		instance_type = "t3.small.search"
    		instance_count = 2
    	}
    
    	ebs_options {
    		ebs_enabled = true
    		volume_size = 50
    		volume_type = "gp2"
    	}
    
    	# Allow Cross-Account Access to Trusted AWS Identities Only via Domain Policy
    	access_policies = <<POLICY
    	{
    		"Version": "2012-10-17",
    		"Statement":[
    		{
    			"Effect": "Allow",
    			"Principal": {
    				"AWS": "arn:aws:iam::123412341234:root"
    			},
    			"Action":"es:*",
    			"Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
    		}
    		]
    	}
    	POLICY
    
    }
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

  3. In the main navigation panel, under Dashboard, select Domains.

  4. Select the OpenSearch domain that you want to reconfigure, choose Actions from the console top menu, and select Edit security configuration.

  5. In the Access policy section, select the Configure domain level access policy option, choose the Visual editor tab, replace the ARN/ID of the unauthorized principal, available in the Principal box, with the ARN/ID of the trusted principal (trusted AWS entity) defined in the rule settings. Choose Save changes to apply the policy changes.

  6. Repeat steps no. 4 and 5 for each Amazon OpenSearch domain that you want to reconfigure, available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Modify the access policy attached to your Amazon OpenSearch domain and replace the unknown (untrusted) AWS identities with the trusted ones (as specified in the rule settings), then save the policy document to a JSON file named cross-account-access-policy.json. The following example contains an OpenSearch access policy that allows cross-account access to another (trusted) AWS account identified by the ARN "arn:aws:iam::123412341234:root":

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123412341234:root"
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"
        }
      ]
    }
    
  2. Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to reconfigure as the identifier parameter to replace the existing access policy with the one modified at the previous step (i.e. cross-account-access-policy.json):

    aws es update-elasticsearch-domain-config \
      --region us-east-1 \
      --domain-name trendmicro \
      --access-policies file://cross-account-access-policy.json
    
  3. The command output should return the configuration information available for the modified domain:

    {
        "DomainConfig": {
            "ElasticsearchVersion": {
                "Options": "7.9",
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "ElasticsearchClusterConfig": {
                "Options": {
                    "InstanceType": "t3.small.elasticsearch",
                    "InstanceCount": 3,
                    "DedicatedMasterEnabled": false,
                    "ZoneAwarenessEnabled": false,
                    "WarmEnabled": false,
                    "ColdStorageOptions": {
                        "Enabled": false
                    }
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "EBSOptions": {
                "Options": {
                    "EBSEnabled": true,
                    "VolumeType": "gp2",
                    "VolumeSize": 15
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "SnapshotOptions": {
                "Options": {
                    "AutomatedSnapshotStartHour": 0
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
    
            ...
    
            "AccessPolicies": {
                "Options": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123412341234:root\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\"}]}",
                "Status": {
                    "CreationDate": "2022-01-04T11:10:20.249000+00:00",
                    "UpdateDate": "2022-01-04T20:00:08.400000+00:00",
                    "UpdateVersion": 38,
                    "State": "Processing",
                    "PendingDeletion": false
                }
            },
            "CognitoOptions": {
                "Options": {
                    "Enabled": false
                },
                "Status": {
                    "CreationDate": "2022-01-03T19:09:03.386000+00:00",
                    "UpdateDate": "2022-01-03T19:09:03.386000+00:00",
                    "UpdateVersion": 9,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "EncryptionAtRestOptions": {
                "Options": {
                    "Enabled": false
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "NodeToNodeEncryptionOptions": {
                "Options": {
                    "Enabled": true
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T19:09:03.288000+00:00",
                    "UpdateVersion": 9,
                    "State": "Processing",
                    "PendingDeletion": false
                }
            }
        }
    }
    
  4. Repeat steps no. 1 – 3 for each Amazon OpenSearch domain that you want to reconfigure, available in the selected AWS region.

  5. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Dec 3, 2016