ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-01-25 02:08:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(aws): enhance metadata for opensearch service (#9383)

Browse Source 
Co-authored-by: HugoPBrito <hugopbrit@gmail.com>
This commit is contained in:
Rubén De la Torre Vico
2026-01-07 10:31:41 +01:00
committed by GitHub
parent f31e230537
commit ced0b8def4
13 changed files with 239 additions and 161 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
prowler/CHANGELOG.md
View File

@@ -32,6 +32,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS SES service metadata to new format [(#9411)](https://github.com/prowler-cloud/prowler/pull/9411)
- Update AWS SSM Incidents service metadata to new format [(#9431)](https://github.com/prowler-cloud/prowler/pull/9431)
- Update AWS WorkSpaces service metadata to new format [(#9483)](https://github.com/prowler-cloud/prowler/pull/9483)
- Update AWS OpenSearch service metadata to new format [(#9383)](https://github.com/prowler-cloud/prowler/pull/9383)
---

37
prowler/providers/aws/services/opensearch/opensearch_service_domains_access_control_enabled/opensearch_service_domains_access_control_enabled.metadata.json
View File

@@ -1,30 +1,41 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_access_control_enabled",
"CheckTitle": "Check if Amazon Elasticsearch/Opensearch Service domains have fine grained access control enabled",
"CheckType": [],
"CheckTitle": "Amazon OpenSearch Service domain has fine-grained access control enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "Check if Amazon Elasticsearch/Opensearch Service domains have fine grained access control enabled",
"Risk": "Amazon ES's fine graine access control enhances security by verifying that access to OpenSearch domains is controlled at a granular level, allowing for more precise permissions management and reducing the risk of unauthorised access.",
"RelatedUrl": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html",
"Description": "**Amazon OpenSearch Service domains** are evaluated for **fine-grained access control** being enabled in `advanced-security-options`, ensuring role-based authorization at index, document, and field levels for API and Dashboards access.",
"Risk": "Without **fine-grained access control**, identities may gain overly broad permissions, enabling unauthorized reads or writes across indices and Dashboards. This undermines **confidentiality** and **integrity**, facilitates lateral movement, and increases the blast radius of a compromised account.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://repost.aws/questions/QUvejSG0WDRByFVMcDchn_5w/how-do-resource-based-access-policies-interact-with-fgac-master-users-in-amazon-opensearch-service",
"https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-7",
"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-enabling",
"https://ealtili.medium.com/how-to-use-fine-grained-access-control-in-amazon-opensearch-service-4dc86bffd40d"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-7",
"Terraform": ""
"CLI": "aws opensearch update-domain-config --domain-name <DOMAIN_NAME> --advanced-security-options '{\"Enabled\":true,\"MasterUserOptions\":{\"MasterUserARN\":\"<MASTER_USER_ARN>\"}}'",
"NativeIaC": "```yaml\n# CloudFormation: Enable fine-grained access control (FGAC) on an OpenSearch domain\nResources:\n <example_resource_name>:\n Type: AWS::OpenSearchService::Domain\n Properties:\n DomainName: <example_resource_name>\n AdvancedSecurityOptions:\n Enabled: true # Critical: Turns on FGAC\n MasterUserOptions:\n MasterUserARN: <MASTER_USER_ARN> # Critical: Required to enable FGAC using an IAM principal\n```",
"Other": "1. In the AWS Console, go to Amazon OpenSearch Service\n2. Select your domain and choose Edit security configuration\n3. Enable Fine-grained access control\n4. Set the master user (choose IAM ARN and enter <MASTER_USER_ARN> or create an internal master user)\n5. Save changes and wait for the update to complete",
"Terraform": "```hcl\n# Enable fine-grained access control (FGAC) on an OpenSearch domain\nresource \"aws_opensearch_domain\" \"<example_resource_name>\" {\n domain_name = \"<example_resource_name>\"\n\n advanced_security_options {\n enabled = true # Critical: Turns on FGAC\n master_user_options {\n master_user_arn = \"<MASTER_USER_ARN>\" # Critical: Required to enable FGAC using an IAM principal\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable fine grained access control for your OpenSearch domains",
"Url": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-enabling"
"Text": "Enable **fine-grained access control** in `advanced-security-options`. Define granular, role-based permissions (index/document/field) and map them to federated identities. Apply **least privilege**, deny-by-default, and **separation of duties**. Limit public access and regularly review role mappings.",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_access_control_enabled"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""

33
prowler/providers/aws/services/opensearch/opensearch_service_domains_audit_logging_enabled/opensearch_service_domains_audit_logging_enabled.metadata.json
View File

@@ -1,35 +1,38 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_audit_logging_enabled",
"CheckTitle": "Check if Amazon Elasticsearch/Opensearch Service domains have audit logging enabled",
"CheckTitle": "Amazon OpenSearch Service domain has audit logging enabled",
"CheckType": [
"Identify",
"Logging"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "low",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "Check if Amazon Elasticsearch/Opensearch Service domains have audit logging enabled",
"Risk": "If logs are not enabled, monitoring of service use and threat analysis is not possible.",
"Description": "**Amazon OpenSearch Service domains** have **audit logs** enabled via `AUDIT_LOGS`",
"Risk": "Without audit logs, critical actions lack accountability, reducing **confidentiality** and **integrity**.\n\nUnauthorized access, privilege misuse, and index tampering can go **undetected**, hindering **incident response** and **forensics**, and enabling data exfiltration and lateral movement without traceability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws opensearch update-domain-config --domain-name <example_resource_name> --log-publishing-options \"AUDIT_LOGS={CloudWatchLogsLogGroupArn=<CLOUDWATCH_LOG_GROUP_ARN>,Enabled=true}\"",
"NativeIaC": "```yaml\n# CloudFormation: Enable AUDIT_LOGS for an OpenSearch domain\nResources:\n OpenSearchDomain:\n Type: AWS::OpenSearchService::Domain\n Properties:\n DomainName: <example_resource_name>\n LogPublishingOptions:\n AUDIT_LOGS:\n CloudWatchLogsLogGroupArn: <CLOUDWATCH_LOG_GROUP_ARN> # Critical: where audit logs are sent\n Enabled: true # Critical: turns on AUDIT_LOGS to pass the check\n```",
"Other": "1. Open the AWS console and go to OpenSearch Service\n2. Select the domain <example_resource_name>\n3. Open the Logs tab, find Audit logs, and click Enable\n4. Choose or create a CloudWatch log group and confirm the resource policy if prompted\n5. Click Save changes to enable AUDIT_LOGS\n6. If Fine-grained access control is not enabled, enable it first, then repeat steps 3-5",
"Terraform": "```hcl\n# Enable AUDIT_LOGS for an OpenSearch domain\nresource \"aws_opensearch_domain\" \"example\" {\n domain_name = \"<example_resource_name>\"\n\n log_publishing_options {\n log_type = \"AUDIT_LOGS\"\n cloudwatch_log_group_arn = \"<CLOUDWATCH_LOG_GROUP_ARN>\" # Critical: destination for audit logs\n enabled = true # Critical: turns on AUDIT_LOGS to pass the check\n }\n}\n```"
},
"Recommendation": {
"Text": "Make sure you are logging information about Amazon Elasticsearch Service operations.",
"Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html"
"Text": "Enable `AUDIT_LOGS` for all domains and route them to a centralized, durable log store.\n\nTune categories to record auth failures and sensitive index operations. Apply **least privilege** to log access, enforce retention and immutability, and integrate alerts to provide **defense in depth** and timely response.",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_audit_logging_enabled"
}
},
"Categories": [
"forensics-ready",
"logging"
"logging",
"forensics-ready"
],
"DependsOn": [],
"RelatedTo": [],

38
prowler/providers/aws/services/opensearch/opensearch_service_domains_cloudwatch_logging_enabled/opensearch_service_domains_cloudwatch_logging_enabled.metadata.json
View File

@@ -1,34 +1,44 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_cloudwatch_logging_enabled",
"CheckTitle": "Check if Amazon Elasticsearch/Opensearch Service domains have logging enabled",
"CheckTitle": "Amazon OpenSearch Service domain publishes search and index slow logs to CloudWatch Logs",
"CheckType": [
"Identify",
"Logging"
"Software and Configuration Checks/AWS Security Best Practices/Runtime Behavior Analysis",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "Check if Amazon Elasticsearch/Opensearch Service domains have logging enabled",
"Risk": "Amazon ES exposes four Elasticsearch/Opensearch logs through Amazon CloudWatch Logs: error logs, search slow logs, index slow logs, and audit logs.",
"Description": "**Amazon OpenSearch Service** domains have **slow log publishing** enabled for both **search** and **indexing** operations to CloudWatch Logs (`SEARCH_SLOW_LOGS` and `INDEX_SLOW_LOGS`).",
"Risk": "Without these logs, visibility into **expensive searches** and **slow indexing** is lost, masking hotspots and abuse.\n- Availability: timeouts, throttling, node pressure\n- Integrity: missed or delayed indexing\n- Operations: slower incident response and capacity planning",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createdomain-configure-slow-logs.html",
"https://support.icompaas.com/support/solutions/articles/62000129471-ensure-amazon-elasticsearch-service-es-domains-have-logging-enabled",
"https://docs.prowler.com/checks/aws/elasticsearch-policies/elasticsearch_7",
"https://docs.prowler.com/checks/aws/elasticsearch-policies/elasticsearch_7#terraform",
"https://bigdataboutique.com/blog/inspecting-search-slow-logs-on-elasticsearch-and-opensearch-b05d87",
"https://repost.aws/knowledge-center/opensearch-troubleshoot-slow-logs",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Elasticsearch/slow-logs.html",
"https://medium.com/heyjobs-tech/how-to-create-an-opensearch-cluster-using-terraform-926b4a62b489",
"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html"
],
"Remediation": {
"Code": {
"CLI": "aws logs put-resource-policy --policy-name <POLICY_NAME> --policy-document <POLICY_DOC_JSON>",
"NativeIaC": "https://docs.prowler.com/checks/aws/elasticsearch-policies/elasticsearch_7#cloudformation",
"Other": "https://docs.prowler.com/checks/aws/elasticsearch-policies/elasticsearch_7",
"Terraform": "https://docs.prowler.com/checks/aws/elasticsearch-policies/elasticsearch_7#terraform"
"CLI": "aws opensearch update-domain-config --domain-name <DOMAIN_NAME> --log-publishing-options \"SEARCH_SLOW_LOGS={CloudWatchLogsLogGroupArn=<LOG_GROUP_ARN>,Enabled=true},INDEX_SLOW_LOGS={CloudWatchLogsLogGroupArn=<LOG_GROUP_ARN>,Enabled=true}\"",
"NativeIaC": "```yaml\n# CloudFormation: enable OpenSearch search and index slow logs to CloudWatch\nResources:\n <example_resource_name>:\n Type: AWS::OpenSearchService::Domain\n Properties:\n DomainName: <example_resource_name>\n LogPublishingOptions:\n SEARCH_SLOW_LOGS:\n CloudWatchLogsLogGroupArn: <LOG_GROUP_ARN>\n Enabled: true # Critical: enables SEARCH_SLOW_LOGS publishing\n INDEX_SLOW_LOGS:\n CloudWatchLogsLogGroupArn: <LOG_GROUP_ARN>\n Enabled: true # Critical: enables INDEX_SLOW_LOGS publishing\n```",
"Other": "1. In the AWS Console, open Amazon OpenSearch Service and select your domain\n2. Go to the Logs tab\n3. For Search slow logs, click Enable, choose or create a CloudWatch log group, accept/attach the suggested resource policy, then Save\n4. For Index slow logs, click Enable, choose or create a CloudWatch log group, accept/attach the suggested resource policy, then Save\n5. Wait for domain status to return to Active",
"Terraform": "```hcl\n# Enable OpenSearch search and index slow logs to CloudWatch\nresource \"aws_opensearch_domain\" \"<example_resource_name>\" {\n domain_name = \"<example_resource_name>\"\n\n # Critical: enables SEARCH_SLOW_LOGS publishing\n log_publishing_options {\n log_type = \"SEARCH_SLOW_LOGS\"\n cloudwatch_log_group_arn = \"<LOG_GROUP_ARN>\"\n enabled = true\n }\n\n # Critical: enables INDEX_SLOW_LOGS publishing\n log_publishing_options {\n log_type = \"INDEX_SLOW_LOGS\"\n cloudwatch_log_group_arn = \"<LOG_GROUP_ARN>\"\n enabled = true\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable Elasticsearch/Opensearch log. Create use cases for them. Using audit logs check for access denied events.",
"Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createdomain-configure-slow-logs.html"
"Text": "Enable both `SEARCH_SLOW_LOGS` and `INDEX_SLOW_LOGS` for all domains and publish to CloudWatch. Set meaningful thresholds and retention, separate log groups, and alert on anomalies. Apply **least privilege** to log access and use **defense in depth** with complementary error and audit logs.",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_cloudwatch_logging_enabled"
}
},
"Categories": [
"forensics-ready",
"logging"
],
"DependsOn": [],

32
prowler/providers/aws/services/opensearch/opensearch_service_domains_encryption_at_rest_enabled/opensearch_service_domains_encryption_at_rest_enabled.metadata.json
View File

@@ -1,31 +1,35 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_encryption_at_rest_enabled",
"CheckTitle": "Check if Amazon Elasticsearch/Opensearch Service domains have encryption at-rest enabled",
"CheckTitle": "Amazon OpenSearch Service domain has encryption at rest enabled",
"CheckType": [
"Protect",
"Data protection",
"Encryption of data at rest"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Effects/Data Exposure"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "Check if Amazon Elasticsearch/Opensearch Service domains have encryption at-rest enabled",
"Risk": "If not enable unauthorized access to your data could risk increases.",
"Description": "**Amazon OpenSearch Service domains** are evaluated for `encryption at rest` using AWS KMS (`AES-256`) across stored data, including indexes, swap files, and automated snapshots.",
"Risk": "**Unencrypted OpenSearch data** can be read or copied if an attacker gains **disk-level access**, steals **automated snapshots**, or compromises the host. This jeopardizes **confidentiality** and enables tampering with stored indices, affecting **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Elasticsearch/encryption-at-rest.html"
],
"Remediation": {
"Code": {
"CLI": "aws es update-elasticsearch-domain-config --domain-name <DOMAIN_NAME> --encryption-at-rest-options Enabled=true,KmsKeyId=<KMS_KEY_ID>",
"NativeIaC": "https://docs.prowler.com/checks/aws/elasticsearch-policies/elasticsearch_3-enable-encryptionatrest#cloudformation",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Elasticsearch/encryption-at-rest.html",
"Terraform": ""
"CLI": "aws opensearch update-domain-config --domain-name <DOMAIN_NAME> --encryption-at-rest-options Enabled=true",
"NativeIaC": "```yaml\n# CloudFormation: Enable encryption at rest for an OpenSearch domain\nResources:\n <example_resource_name>:\n Type: AWS::OpenSearchService::Domain\n Properties:\n DomainName: <example_resource_name>\n EncryptionAtRestOptions:\n Enabled: true # Critical: turns on encryption at rest for the domain\n```",
"Other": "1. In the AWS Console, go to OpenSearch Service > Domains and select your domain\n2. Click Actions > Edit security configuration\n3. Under Encryption, check Enable encryption of data at rest\n4. Keep the default AWS owned key (or select a KMS key if required)\n5. Click Save changes\n",
"Terraform": "```hcl\n# Terraform: Enable encryption at rest for an OpenSearch domain\nresource \"aws_opensearch_domain\" \"<example_resource_name>\" {\n domain_name = \"<example_resource_name>\"\n\n encrypt_at_rest {\n enabled = true # Critical: turns on encryption at rest for the domain\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable encryption at rest using AWS KMS to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption.",
"Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html"
"Text": "Enable `encryption at rest` with AWS KMS, preferably using **customer-managed keys**.\n- Enforce **least privilege** key policies and restrict grants\n- Enable automatic key rotation and monitor KMS usage\n- Encrypt logs and any exported snapshots\n- Apply **defense in depth** with network and IAM controls",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_encryption_at_rest_enabled"
}
},
"Categories": [

33
prowler/providers/aws/services/opensearch/opensearch_service_domains_fault_tolerant_data_nodes/opensearch_service_domains_fault_tolerant_data_nodes.metadata.json
View File

@@ -1,33 +1,38 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_fault_tolerant_data_nodes",
"CheckTitle": "Ensure Elasticsearch/Opensearch domains have fault-tolerant data nodes.",
"CheckTitle": "OpenSearch domain has at least 3 data nodes and Zone Awareness enabled",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices"
"Software and Configuration Checks/AWS Security Best Practices",
"Effects/Denial of Service"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:es:{region}:{account-id}:domain/{domain-name}",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsElasticsearchDomain",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "This control checks whether Elasticsearch/Opensearch domains are fault-tolerant with at least three data nodes and cross-zone replication (Zone Awareness) enabled.",
"Risk": "Without at least three data nodes and without cross-zone replication (Zone Awareness), the Elasticsearch/Opensearch domain may not be fault-tolerant, leading to a higher risk of data loss or unavailability in case of node failure.",
"RelatedUrl": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html",
"Description": "**Amazon OpenSearch domains** are assessed for fault tolerance: **>= 3 data nodes** (`instance_count >= 3`) and **Zone Awareness** (`zone_awareness_enabled = true`) to distribute data across Availability Zones.",
"Risk": "**Insufficient data nodes** or disabled **Zone Awareness** reduces availability and durability. A node or AZ failure can trigger shard unavailability, write failures, or cluster outage, increasing risk of data inconsistency during rebalancing and blocking reads/writes until recovery.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-multiaz.html",
"https://docs.aws.amazon.com/securityhub/latest/userguide/es-controls.html#es-6"
],
"Remediation": {
"Code": {
"CLI": "aws opensearch update-domain-config --domain-name <domain-name> --cluster-config InstanceCount=3,ZoneAwarenessEnabled=true",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/es-controls.html#es-6",
"Terraform": ""
"CLI": "aws opensearch update-domain-config --domain-name <example_resource_name> --cluster-config InstanceCount=3,ZoneAwarenessEnabled=true",
"NativeIaC": "```yaml\n# CloudFormation: Ensure at least 3 data nodes and enable Zone Awareness\nResources:\n <example_resource_name>:\n Type: AWS::OpenSearchService::Domain\n Properties:\n DomainName: <example_resource_name>\n ClusterConfig:\n InstanceType: m5.large.search\n InstanceCount: 3 # Critical: sets at least 3 data nodes for fault tolerance\n ZoneAwarenessEnabled: true # Critical: enables cross-AZ (Zone Awareness)\n```",
"Other": "1. Open the AWS Console and go to Amazon OpenSearch Service\n2. Select your domain and click Edit domain\n3. Under Cluster configuration:\n - Set Number of data nodes to 3 (or more)\n - Enable Zone awareness\n4. Click Submit to apply the changes",
"Terraform": "```hcl\n# Terraform: Ensure at least 3 data nodes and enable Zone Awareness\nresource \"aws_opensearch_domain\" \"<example_resource_name>\" {\n domain_name = \"<example_resource_name>\"\n\n cluster_config {\n instance_type = \"m5.large.search\"\n instance_count = 3 # Critical: sets at least 3 data nodes for fault tolerance\n zone_awareness_enabled = true # Critical: enables cross-AZ (Zone Awareness)\n }\n}\n```"
},
"Recommendation": {
"Text": "Modify the Elasticsearch/Opensearch domain to ensure at least three data nodes and enable cross-zone replication (Zone Awareness) for high availability and fault tolerance.",
"Url": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-multiaz.html"
"Text": "Configure OpenSearch with **>= 3 data nodes** and enable **Zone Awareness** to spread nodes across AZs.\n\n- Prefer Multi-AZ with Standby for resilient failover\n- Use node counts in multiples of three and set index replicas (`>= 1`)\n- Practice capacity planning and failure testing as **defense in depth**",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_fault_tolerant_data_nodes"
}
},
"Categories": [
"redundancy"
"resilience"
],
"DependsOn": [],
"RelatedTo": [],

33
prowler/providers/aws/services/opensearch/opensearch_service_domains_fault_tolerant_master_nodes/opensearch_service_domains_fault_tolerant_master_nodes.metadata.json
View File

@@ -1,31 +1,38 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_fault_tolerant_master_nodes",
"CheckTitle": "OpenSearch Service Domain should have at least three dedicated master nodes",
"CheckType": [],
"CheckTitle": "OpenSearch domain has at least 3 dedicated master nodes",
"CheckType": [
"Software and Configuration Checks/AWS Security Best Practices",
"Effects/Denial of Service"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:es:region:account-id:domain/resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "OpenSearch Service uses dedicated master nodes to increase cluster stability. A minimum of three dedicated master nodes is recommended to ensure high availability.",
"Risk": "If a master node fails, the cluster may become unavailable.",
"RelatedUrl": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-dedicatedmasternodes.html#dedicatedmasternodes-number",
"Description": "**Amazon OpenSearch domains** have **dedicated master nodes** enabled with a master node count of at least `3` to support stable cluster coordination and elections",
"Risk": "With fewer than `3` or disabled **dedicated master nodes**, the cluster can lose **quorum**, blocking leader election.\n\nEffects include stalled cluster state updates, failed reads/writes, shard allocation issues, and possible split-brain, reducing **availability** and **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-11",
"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-dedicatedmasternodes.html#dedicatedmasternodes-number"
],
"Remediation": {
"Code": {
"CLI": "aws es update-elasticsearch-domain-config --region <region> --domain-name <name> --elasticsearch-cluster-config DedicatedMasterEnabled=true,DedicatedMasterType='<instance_type>',DedicatedMasterCount=3",
"NativeIaC": "",
"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/opensearch-controls.html#opensearch-11",
"Terraform": ""
"CLI": "aws opensearch update-domain-config --domain-name <name> --cluster-config \"DedicatedMasterEnabled=true,DedicatedMasterType=<instance_type>,DedicatedMasterCount=3\"",
"NativeIaC": "```yaml\n# CloudFormation: set at least 3 dedicated master nodes\nResources:\n <example_resource_name>:\n Type: AWS::OpenSearchService::Domain\n Properties:\n ClusterConfig:\n DedicatedMasterEnabled: true # Critical: enable dedicated master nodes\n DedicatedMasterCount: 3 # Critical: ensure minimum of 3 masters\n DedicatedMasterType: \"<instance_type>\" # Critical: required when enabling masters\n```",
"Other": "1. Sign in to the AWS Console and open Amazon OpenSearch Service\n2. Select your domain and choose Edit\n3. In Cluster configuration:\n - Enable Dedicated master nodes\n - Set Dedicated master node count to 3\n - Select a Dedicated master instance type\n4. Choose Save changes",
"Terraform": "```hcl\n# Terraform: set at least 3 dedicated master nodes\nresource \"aws_opensearch_domain\" \"<example_resource_name>\" {\n domain_name = \"<example_resource_name>\"\n\n cluster_config {\n dedicated_master_enabled = true # Critical: enable dedicated masters\n dedicated_master_count = 3 # Critical: ensure minimum of 3 masters\n dedicated_master_type = \"<instance_type>\" # Critical: required when enabling masters\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure that your OpenSearch Service domain has at least three dedicated master nodes",
"Url": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-dedicatedmasternodes.html#dedicatedmasternodes-number"
"Text": "Enable **dedicated master nodes** and set the count to at least `3` (use an odd number) to maintain **quorum**. Use *Multi-AZ with standby* to distribute masters across zones. Right-size master instances and monitor cluster health to uphold high availability and resilience.",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_fault_tolerant_master_nodes"
}
},
"Categories": [
"redundancy"
"resilience"
],
"DependsOn": [],
"RelatedTo": [],

32
prowler/providers/aws/services/opensearch/opensearch_service_domains_https_communications_enforced/opensearch_service_domains_https_communications_enforced.metadata.json
View File

@@ -1,31 +1,35 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_https_communications_enforced",
"CheckTitle": "Check if Amazon Elasticsearch/Opensearch Service domains have enforce HTTPS enabled",
"CheckTitle": "OpenSearch domain has HTTPS enforcement enabled",
"CheckType": [
"Protect",
"Data protection",
"Encryption of data in transit"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "Check if Amazon Elasticsearch/Opensearch Service domains have enforce HTTPS enabled",
"Risk": "If not enable unauthorized access to your data could risk increases.",
"Description": "Amazon OpenSearch Service domains with **HTTPS enforcement** require encrypted connections. This assessment identifies domains missing `Require HTTPS for all traffic`, indicating that unencrypted HTTP is accepted.",
"Risk": "Allowing HTTP exposes queries, credentials, and results in cleartext, enabling interception and session hijacking. Adversaries can alter requests or responses, compromising **confidentiality** and **integrity**, and harvest auth data for **lateral movement**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "https://docs.prowler.com/checks/aws/elasticsearch-policies/elasticsearch_6#fix---builtime",
"Other": "https://docs.prowler.com/checks/aws/elasticsearch-policies/elasticsearch_6#aws-console",
"Terraform": ""
"CLI": "aws opensearch update-domain-config --domain-name <example_resource_name> --domain-endpoint-options EnforceHTTPS=true",
"NativeIaC": "```yaml\n# CloudFormation - Enable HTTPS enforcement on an OpenSearch domain\nResources:\n <example_resource_name>:\n Type: AWS::OpenSearchService::Domain\n Properties:\n DomainEndpointOptions:\n EnforceHTTPS: true # Critical: requires all traffic to use HTTPS, fixing the finding\n```",
"Other": "1. Open the Amazon OpenSearch Service console\n2. Go to Domains and select your domain\n3. Click Actions > Edit security configuration\n4. Check \"Require HTTPS for all traffic to the domain\"\n5. Click Save changes",
"Terraform": "```hcl\n# Enable HTTPS enforcement on an OpenSearch domain\nresource \"aws_opensearch_domain\" \"<example_resource_name>\" {\n domain_name = \"<example_resource_name>\"\n\n domain_endpoint_options {\n enforce_https = true # Critical: requires HTTPS for all requests\n }\n}\n```"
},
"Recommendation": {
"Text": "When creating ES Domains, enable 'Require HTTPS fo all traffic to the domain'",
"Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html"
"Text": "Enable `Require HTTPS for all traffic` on every domain to enforce TLS. Prefer strong protocols (TLS 1.2+), and block HTTP via network controls for defense in depth. Apply **least privilege** access policies and use private connectivity to minimize exposure and downgrade risks.",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_https_communications_enforced"
}
},
"Categories": [

31
prowler/providers/aws/services/opensearch/opensearch_service_domains_internal_user_database_enabled/opensearch_service_domains_internal_user_database_enabled.metadata.json
View File

@@ -1,33 +1,38 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_internal_user_database_enabled",
"CheckTitle": "Check if Amazon Elasticsearch/Opensearch Service domains have internal user database enabled",
"CheckTitle": "Amazon OpenSearch Service domain has internal user database disabled",
"CheckType": [
"Protect",
"Data protection"
"Software and Configuration Checks/AWS Security Best Practices"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "Check if Amazon Elasticsearch/Opensearch Service domains have internal user database enabled",
"Risk": "Internal User Database is convenient for demos, for production environment use Federated authentication.",
"Description": "**Amazon OpenSearch Service domains** are evaluated for the **internal user database** setting (`InternalUserDatabaseEnabled`). The finding identifies domains that rely on built-in HTTP basic users instead of external identity providers.",
"Risk": "An enabled internal user database creates **credential sprawl** and weak **account lifecycle**. Missing centralized MFA, rotation, and revocation raises unauthorized access risk, impacting **confidentiality** and **integrity**.\n\nBasic auth on exposed endpoints eases brute force and reduces **auditability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html",
"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws opensearch update-domain-config --domain-name <example_resource_name> --advanced-security-options '{\"InternalUserDatabaseEnabled\":false}'",
"NativeIaC": "```yaml\n# CloudFormation: disable internal user database for the domain\nResources:\n <example_resource_name>:\n Type: AWS::OpenSearchService::Domain\n Properties:\n AdvancedSecurityOptions:\n InternalUserDatabaseEnabled: false # Critical: disables internal user DB to pass the check\n```",
"Other": "1. In AWS console, go to Amazon OpenSearch Service > Domains\n2. Select the domain and choose Edit security configuration\n3. Under Fine-grained access control, turn off Internal user database\n4. Click Save changes",
"Terraform": "```hcl\n# Terraform: disable internal user database for the domain\nresource \"aws_opensearch_domain\" \"<example_resource_name>\" {\n domain_name = \"<example_resource_name>\"\n\n advanced_security_options {\n internal_user_database_enabled = false # Critical: disables internal user DB to pass the check\n }\n}\n```"
},
"Recommendation": {
"Text": "Remove users from internal user database and uso Cognito instead.",
"Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html"
"Text": "Prefer **federated authentication** (IAM, SAML, or Amazon Cognito) and disable the **internal user database**. Enforce **least privilege** roles, require **MFA**, centralize credential rotation and offboarding, and log access. Use **VPC access** and restrictive policies; avoid HTTP basic auth to minimize exposure.",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_internal_user_database_enabled"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""

35
prowler/providers/aws/services/opensearch/opensearch_service_domains_node_to_node_encryption_enabled/opensearch_service_domains_node_to_node_encryption_enabled.metadata.json
View File

@@ -1,31 +1,38 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_node_to_node_encryption_enabled",
"CheckTitle": "Check if Amazon Elasticsearch/Opensearch Service domains have node-to-node encryption enabled",
"CheckTitle": "Amazon OpenSearch Service domain has node-to-node encryption enabled",
"CheckType": [
"Protect",
"Data protection",
"Encryption of data in transit"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST CSF Controls (USA)",
"Software and Configuration Checks/Industry and Regulatory Standards/NIST 800-53 Controls (USA)",
"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "medium",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "Check if Amazon Elasticsearch/Opensearch Service domains have node-to-node encryption enabled",
"Risk": "Node-to-node encryption provides an additional layer of security on top of the default features of Amazon ES. This architecture prevents potential attackers from intercepting traffic between Elasticsearch nodes and keeps the cluster secure.",
"Description": "**Amazon OpenSearch domains** with **node-to-node encryption** use TLS to protect traffic between cluster nodes. The finding evaluates the domain's `node_to_node_encryption` configuration for intra-cluster communications.",
"Risk": "Unencrypted intra-cluster traffic enables interception and manipulation by anyone with network foothold.\n- **Confidentiality**: exposure of documents, credentials, metadata\n- **Integrity**: tampering with queries and shard replication\n- **Availability**: spoofing/MITM can disrupt coordination and cause outages",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/ntn.html",
"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ntn.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Elasticsearch/node-to-node-encryption.html"
],
"Remediation": {
"Code": {
"CLI": "aws es update-elasticsearch-domain-config --domain-name <DOMAIN_NAME> --node-to-node-encryption-options Enabled=true",
"NativeIaC": "https://docs.prowler.com/checks/aws/elasticsearch-policies/elasticsearch_5#cloudformation",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Elasticsearch/node-to-node-encryption.html",
"Terraform": ""
"CLI": "aws opensearchservice update-domain-config --domain-name <DOMAIN_NAME> --node-to-node-encryption-options Enabled=true",
"NativeIaC": "```yaml\n# CloudFormation: Enable node-to-node encryption for an OpenSearch domain\nResources:\n OpenSearchDomain:\n Type: AWS::OpenSearchService::Domain\n Properties:\n NodeToNodeEncryptionOptions:\n Enabled: true # Critical: enables TLS between nodes to pass the check\n```",
"Other": "1. In the AWS Console, go to OpenSearch Service > Domains\n2. Select the target domain\n3. Click Edit (or Actions > Edit security configuration)\n4. Under Encryption, enable Node-to-node encryption\n5. Click Save changes",
"Terraform": "```hcl\n# Terraform: Enable node-to-node encryption for an OpenSearch domain\nresource \"aws_opensearch_domain\" \"<example_resource_name>\" {\n domain_name = \"<example_resource_name>\"\n\n node_to_node_encryption {\n enabled = true # Critical: encrypts intra-cluster traffic to pass the check\n }\n}\n```"
},
"Recommendation": {
"Text": "Node-to-node encryption on new domains requires Elasticsearch 6.0 or later. Enabling the feature on existing domains requires Elasticsearch 6.7 or later. Choose the existing domain in the AWS console, Actions, and Modify encryption.",
"Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/ntn.html"
"Text": "Enable **node-to-node encryption** (`node_to_node_encryption: true`) to enforce TLS for inter-node traffic. Apply **defense in depth**: require HTTPS for clients, restrict network exposure, and use least privilege. Validate performance in staging and plan carefully, as the setting is effectively irreversible.",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_node_to_node_encryption_enabled"
}
},
"Categories": [

29
prowler/providers/aws/services/opensearch/opensearch_service_domains_not_publicly_accessible/opensearch_service_domains_not_publicly_accessible.metadata.json
View File

@@ -1,29 +1,36 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_not_publicly_accessible",
"CheckTitle": "Check if Amazon Opensearch/Elasticsearch domains are publicly accessible",
"CheckTitle": "Amazon OpenSearch Service domain is not publicly accessible",
"CheckType": [
"Effects/Data Exposure"
"Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"Effects/Data Exposure",
"TTPs/Initial Access"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"ResourceIdTemplate": "",
"Severity": "critical",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "Check if Amazon Opensearch/Elasticsearch domains are publicly accessible via their access policies.",
"Risk": "Publicly accessible services could expose sensitive data to bad actors.",
"Description": "**Amazon OpenSearch domains** are assessed for **public exposure** via their resource-based access policies. Domains inside a VPC are treated as **privately reachable**; domains with overly permissive policies that allow broad, unauthenticated access are identified as **publicly accessible**.",
"Risk": "Public exposure lets anyone query, index, or delete data, impacting **confidentiality** (record disclosure), **integrity** (unauthorized writes, index tampering), and **availability** (disruption, deletion). Attackers can harvest sensitive logs/PII, alter analytics, or wipe indices, enabling lateral movement and operational outage.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Elasticsearch/domain-exposed.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Elasticsearch/domain-exposed.html",
"Terraform": ""
"CLI": "aws opensearch update-domain-config --domain-name <DOMAIN_NAME> --access-policies '{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::<ACCOUNT_ID>:root\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:<REGION>:<ACCOUNT_ID>:domain/<DOMAIN_NAME>/*\"}]}'",
"NativeIaC": "```yaml\n# CloudFormation: restrict OpenSearch access policy to your account only\nResources:\n <example_resource_name>:\n Type: AWS::OpenSearchService::Domain\n Properties:\n DomainName: <example_resource_name>\n AccessPolicies: # critical: restricts access to your account only, removing public access\n Version: '2012-10-17'\n Statement:\n - Effect: Allow\n Principal:\n AWS: arn:aws:iam::<ACCOUNT_ID>:root # critical: only this account can access\n Action: es:*\n Resource: arn:aws:es:<REGION>:<ACCOUNT_ID>:domain/<example_resource_name>/*\n```",
"Other": "1. In the AWS console, open Amazon OpenSearch Service and select your domain\n2. Go to Security configuration > Edit\n3. Choose Access policy > JSON\n4. Replace the policy with the following (use your values) and Save changes:\n```json\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::<ACCOUNT_ID>:root\"},\n \"Action\": \"es:*\",\n \"Resource\": \"arn:aws:es:<REGION>:<ACCOUNT_ID>:domain/<DOMAIN_NAME>/*\"\n }\n ]\n}\n```\n5. Verify the domain endpoint is no longer accessible publicly except by your account's IAM principals",
"Terraform": "```hcl\n# Restrict OpenSearch access policy to your account only\nresource \"aws_opensearch_domain\" \"<example_resource_name>\" {\n domain_name = \"<example_resource_name>\"\n\n # critical: limits access to the owning account, removing public access\n access_policies = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Principal = { AWS = \"arn:aws:iam::<ACCOUNT_ID>:root\" }\n Action = \"es:*\"\n Resource = \"arn:aws:es:<REGION>:<ACCOUNT_ID>:domain/<example_resource_name>/*\"\n }]\n })\n}\n```"
},
"Recommendation": {
"Text": "Modify the access policy attached to your Amazon OpenSearch domain and replace the 'Principal' element value (i.e. '*') with the ARN of the trusted AWS account. You can also add a Condition clause to the policy statement to limit the domain access to a specific (trusted) IP address/IP range only.",
"Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html"
"Text": "Apply **least privilege** and **defense in depth**:\n- Place domains in a **VPC** and restrict reachability with security groups\n- Use narrow resource policies; avoid `Principal:\"*\"`\n- Require authenticated access (fine-grained controls); *if unavoidable*, limit public endpoints by IP and roles\n- Monitor access with logs and alerts",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_not_publicly_accessible"
}
},
"Categories": [

31
prowler/providers/aws/services/opensearch/opensearch_service_domains_updated_to_the_latest_service_software_version/opensearch_service_domains_updated_to_the_latest_service_software_version.metadata.json
View File

@@ -1,33 +1,40 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_updated_to_the_latest_service_software_version",
"CheckTitle": "Check if Amazon Elasticsearch/Opensearch Service domains have updates available",
"CheckTitle": "Amazon OpenSearch Service domain is updated to the latest service software version",
"CheckType": [
"Detect",
"Vulnerability, patch, and version management"
"Software and Configuration Checks/Patch Management",
"Software and Configuration Checks/AWS Security Best Practices"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "low",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "Check if Amazon Elasticsearch/Opensearch Service domains have updates available",
"Risk": "Amazon ES regularly releases system software updates that add features or otherwise improve your domains.",
"Description": "**OpenSearch Service domains** are assessed for pending **service software updates**. This focuses on internal platform updates, distinct from engine version upgrades.",
"Risk": "**Missing service software updates** can leave known flaws unpatched, threatening data confidentiality and index integrity.\n\nRequired updates missed may lead to AWS isolating the domain, causing **outages** and, if prolonged, **permanent deletion**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/service-software.html",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Elasticsearch/version.html",
"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-service-software.html"
],
"Remediation": {
"Code": {
"CLI": "aws es upgrade-elasticsearch-domain --domain-name <DOMAIN_NAME> --target-version <TARGET_VERSION> --perform-check-only",
"CLI": "aws opensearch start-service-software-update --domain-name <DOMAIN_NAME>",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Elasticsearch/version.html",
"Other": "1. Sign in to the AWS Console and open Amazon OpenSearch Service\n2. Select the target domain\n3. Click Actions > Update\n4. Choose Apply update now\n5. Click Confirm to start the service software update",
"Terraform": ""
},
"Recommendation": {
"Text": "The Notifications panel in the console is the easiest way to see if an update is available or check the status of an update. You can also receive these notifications through Amazon EventBridge. If you take no action on required updates, Amazon ES still updates your domain service software automatically after a certain timeframe (typically two weeks). In this situation, Amazon ES sends notifications when it starts the update and when the update is complete.",
"Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-service-software.html"
"Text": "Apply the latest **service software updates** promptly. Schedule updates during the domain's **off-peak window** or enable automatic updates. Monitor console or **EventBridge** notifications, and test changes in staging to support **defense in depth** while minimizing downtime.",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_updated_to_the_latest_service_software_version"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""

35
prowler/providers/aws/services/opensearch/opensearch_service_domains_use_cognito_authentication_for_kibana/opensearch_service_domains_use_cognito_authentication_for_kibana.metadata.json
View File

@@ -1,33 +1,40 @@
{
"Provider": "aws",
"CheckID": "opensearch_service_domains_use_cognito_authentication_for_kibana",
"CheckTitle": "Check if Amazon Elasticsearch/Opensearch Service domains has either Amazon Cognito or SAML authentication for Kibana enabled",
"CheckTitle": "Amazon OpenSearch Service domain has either Amazon Cognito or SAML authentication enabled for Kibana",
"CheckType": [
"Identify",
"Logging"
"Software and Configuration Checks/AWS Security Best Practices",
"Software and Configuration Checks/Industry and Regulatory Standards/AWS Foundational Security Best Practices",
"TTPs/Initial Access/Unauthorized Access",
"Effects/Data Exposure"
],
"ServiceName": "opensearch",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "high",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AwsOpenSearchServiceDomain",
"ResourceGroup": "database",
"Description": "Check if Amazon Elasticsearch/Opensearch Service domains has Amazon Cognito or SAML authentication for Kibana enabled",
"Risk": "Not enabling Amazon Cognito or SAML authentication for Kibana in AWS Elasticsearch/OpenSearch Service domains increases the likelihood of unauthorized access to sensitive data, potentially compromising system integrity.",
"Description": "**OpenSearch Service domains** use **Amazon Cognito** or **SAML** to authenticate access to Kibana/OpenSearch Dashboards.\n\nThe evaluation identifies domains where either provider is enabled for Dashboards access.",
"Risk": "Without **federated authentication**, Dashboards can be reached using weak or shared credentials or broad IP rules, enabling unauthorized queries and admin actions. This threatens:\n- **Confidentiality**: data exposure\n- **Integrity**: index changes or deletion\n- **Availability**: heavy queries degrading the cluster",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "aws opensearch update-domain-config --domain-name <DOMAIN_NAME> --cognito-options Enabled=true,UserPoolId=<USER_POOL_ID>,IdentityPoolId=<IDENTITY_POOL_ID>,RoleArn=<ROLE_ARN>",
"NativeIaC": "```yaml\n# Enable Amazon Cognito authentication for OpenSearch Dashboards\nResources:\n <example_resource_name>:\n Type: AWS::OpenSearchService::Domain\n Properties:\n DomainName: <example_resource_name>\n CognitoOptions:\n Enabled: true # Critical: Enables Cognito auth for Dashboards to pass the check\n UserPoolId: <USER_POOL_ID>\n IdentityPoolId: <IDENTITY_POOL_ID>\n RoleArn: <ROLE_ARN>\n```",
"Other": "1. In the AWS console, go to **OpenSearch Service** > **Domains** and select your domain\n2. Click **Edit**\n3. Under **OpenSearch Dashboards authentication**, choose **Amazon Cognito** and enable it\n4. Enter the **User pool ID**, **Identity pool ID**, and **IAM role** for Cognito\n5. Click **Save changes** and wait for the domain update to complete",
"Terraform": "```hcl\n# Enable Amazon Cognito authentication for OpenSearch Dashboards\nresource \"aws_opensearch_domain\" \"<example_resource_name>\" {\n domain_name = \"<example_resource_name>\"\n\n cognito_options {\n enabled = true # Critical: Enables Cognito auth for Dashboards to pass the check\n user_pool_id = \"<USER_POOL_ID>\"\n identity_pool_id = \"<IDENTITY_POOL_ID>\"\n role_arn = \"<ROLE_ARN>\"\n }\n}\n```"
},
"Recommendation": {
"Text": "If you do not configure Amazon Cognito or SAML authentication, you can still protect Kibana using an IP-based access policy and a proxy server or HTTP basic authentication.",
"Url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html"
"Text": "Enable **Cognito** or **SAML** for Dashboards and apply **least privilege** with fine-grained access control. Prefer **SSO with MFA**, avoid shared/basic credentials, and restrict access via **VPC/private endpoints** and network controls. Monitor with audit logs and enforce **separation of duties**.",
"Url": "https://hub.prowler.com/check/opensearch_service_domains_use_cognito_authentication_for_kibana"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""