Enable Fine-Grained Access Control for Amazon OpenSearch Service Domains

Overview

This check verifies that your Amazon OpenSearch Service domains have fine-grained access control (FGAC) enabled. Fine-grained access control lets you control who can access your data at the index, document, and field level, giving you much more precise control than domain-level policies alone.

Risk

Without fine-grained access control:

  • Users may gain broader access to your data than intended
  • You cannot restrict access to specific indices, documents, or fields
  • A compromised account could access all data across your domain
  • Compliance requirements for data segregation may not be met
  • Audit trails for data access are less detailed

Severity: High

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify OpenSearch domains
  • An IAM user or role ARN to act as the master user (administrator), OR credentials for creating an internal user

Important: Enabling fine-grained access control on an existing domain requires a blue/green deployment, which can take several hours. Plan accordingly.

AWS Console Method

  1. Open the Amazon OpenSearch Service console
  2. Click on the domain name you want to update
  3. Click the Security configuration tab
  4. Click Edit
  5. Under Fine-grained access control, check Enable fine-grained access control
  6. Choose your master user type:
    • IAM ARN (recommended): Enter the ARN of an IAM user or role
    • Internal user database: Create a username and password
  7. Click Save changes
  8. Wait for the domain status to return to Active (this may take 1-2 hours)

AWS CLI (optional)

Enable with IAM Master User

aws opensearch update-domain-config \
  --domain-name <your-domain-name> \
  --region us-east-1 \
  --advanced-security-options '{
    "Enabled": true,
    "InternalUserDatabaseEnabled": false,
    "MasterUserOptions": {
      "MasterUserARN": "arn:aws:iam::<account-id>:role/<role-name>"
    }
  }'

Enable with Internal User Database

aws opensearch update-domain-config \
  --domain-name <your-domain-name> \
  --region us-east-1 \
  --advanced-security-options '{
    "Enabled": true,
    "InternalUserDatabaseEnabled": true,
    "MasterUserOptions": {
      "MasterUserName": "admin",
      "MasterUserPassword": "<secure-password>"
    }
  }'

Replace:

  • <your-domain-name> with your OpenSearch domain name
  • <account-id> with your AWS account ID
  • <role-name> with your IAM role name
  • <secure-password> with a strong password (min 8 characters, must include uppercase, lowercase, number, and special character)

CloudFormation (optional)

AWSTemplateFormatVersion: '2010-09-09'
Description: OpenSearch domain with fine-grained access control enabled

Parameters:
  DomainName:
    Type: String
    Description: Name of the OpenSearch domain
    Default: my-opensearch-domain
  MasterUserArn:
    Type: String
    Description: ARN of the IAM user or role to use as the master user

Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: !Ref DomainName
      EngineVersion: OpenSearch_2.11
      ClusterConfig:
        InstanceType: r6g.large.search
        InstanceCount: 2
        DedicatedMasterEnabled: true
        DedicatedMasterType: r6g.large.search
        DedicatedMasterCount: 3
        ZoneAwarenessEnabled: true
        ZoneAwarenessConfig:
          AvailabilityZoneCount: 2
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp3
        VolumeSize: 100
      NodeToNodeEncryptionOptions:
        Enabled: true
      EncryptionAtRestOptions:
        Enabled: true
      DomainEndpointOptions:
        EnforceHTTPS: true
        TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
      AdvancedSecurityOptions:
        Enabled: true
        InternalUserDatabaseEnabled: false
        MasterUserOptions:
          MasterUserARN: !Ref MasterUserArn
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref MasterUserArn
            Action: es:*
            Resource: !Sub arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*

Outputs:
  DomainEndpoint:
    Description: OpenSearch domain endpoint
    Value: !GetAtt OpenSearchDomain.DomainEndpoint
  DomainArn:
    Description: OpenSearch domain ARN
    Value: !GetAtt OpenSearchDomain.Arn

Note: Fine-grained access control requires:

  • NodeToNodeEncryptionOptions.Enabled: true
  • EncryptionAtRestOptions.Enabled: true
  • DomainEndpointOptions.EnforceHTTPS: true

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "domain_name" {
  description = "Name of the OpenSearch domain"
  type        = string
  default     = "my-opensearch-domain"
}

variable "master_user_arn" {
  description = "ARN of the IAM user or role to use as the master user"
  type        = string
}

resource "aws_opensearch_domain" "main" {
  domain_name    = var.domain_name
  engine_version = "OpenSearch_2.11"

  cluster_config {
    instance_type            = "r6g.large.search"
    instance_count           = 2
    dedicated_master_enabled = true
    dedicated_master_type    = "r6g.large.search"
    dedicated_master_count   = 3
    zone_awareness_enabled   = true
    zone_awareness_config {
      availability_zone_count = 2
    }
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "gp3"
    volume_size = 100
  }

  encrypt_at_rest {
    enabled = true
  }

  node_to_node_encryption {
    enabled = true
  }

  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  advanced_security_options {
    enabled                        = true
    internal_user_database_enabled = false
    master_user_options {
      master_user_arn = var.master_user_arn
    }
  }
}

output "domain_endpoint" {
  description = "OpenSearch domain endpoint"
  value       = aws_opensearch_domain.main.endpoint
}

output "domain_arn" {
  description = "OpenSearch domain ARN"
  value       = aws_opensearch_domain.main.arn
}

Note: Fine-grained access control requires encryption at rest, node-to-node encryption, and HTTPS enforcement to be enabled.

Verification

After the domain update completes:

  1. Open the Amazon OpenSearch Service console
  2. Click on your domain name
  3. Click the Security configuration tab
  4. Confirm that Fine-grained access control shows Enabled

CLI verification (optional)

aws opensearch describe-domain \
  --domain-name <your-domain-name> \
  --region us-east-1 \
  --query 'DomainStatus.AdvancedSecurityOptions.Enabled'

This should return true.
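To run the same check across every domain in a region rather than one at a time, here is an added example (not part of this page or of any AWS tooling) that evaluates DomainStatus.AdvancedSecurityOptions.Enabled for each domain and also reports which of the three FGAC prerequisites are still missing. The sample statuses are constructed, and the boto3 client and region name are assumptions.

```python
"""Flag OpenSearch domains without fine-grained access control (FGAC)."""
from typing import Any

PREREQUISITES = (  # option paths that must be true before FGAC can be enabled
    ("EncryptionAtRestOptions", "Enabled"),
    ("NodeToNodeEncryptionOptions", "Enabled"),
    ("DomainEndpointOptions", "EnforceHTTPS"),
)

def evaluate_domain(status: dict[str, Any]) -> dict[str, Any]:
    """Evaluate one DomainStatus dict in the shape returned by describe-domains."""
    fgac = bool(status.get("AdvancedSecurityOptions", {}).get("Enabled", False))
    missing = [f"{section}.{key}" for section, key in PREREQUISITES
               if not status.get(section, {}).get(key, False)]
    return {
        "DomainName": status.get("DomainName", "<unknown>"),
        "FgacEnabled": fgac,
        "MissingPrerequisites": missing,  # must be fixed before FGAC can be turned on
    }

def find_noncompliant(statuses: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the evaluation of every domain where FGAC is not enabled."""
    return [r for r in map(evaluate_domain, statuses) if not r["FgacEnabled"]]

def fetch_domain_statuses(region: str) -> list[dict[str, Any]]:
    """Pull DomainStatus for all domains in a region (needs AWS credentials)."""
    import boto3  # imported here so the evaluation logic runs without boto3 installed
    client = boto3.client("opensearch", region_name=region)
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    if not names:
        return []
    return client.describe_domains(DomainNames=names)["DomainStatusList"]

# Constructed sample statuses (not real domains) mirroring describe-domains output.
SAMPLE_STATUSES = [
    {"DomainName": "logs-prod", "AdvancedSecurityOptions": {"Enabled": True},
     "EncryptionAtRestOptions": {"Enabled": True},
     "NodeToNodeEncryptionOptions": {"Enabled": True},
     "DomainEndpointOptions": {"EnforceHTTPS": True}},
    {"DomainName": "search-dev", "AdvancedSecurityOptions": {"Enabled": False},
     "EncryptionAtRestOptions": {"Enabled": True},
     "NodeToNodeEncryptionOptions": {"Enabled": False},
     "DomainEndpointOptions": {"EnforceHTTPS": False}},
]

if __name__ == "__main__":
    # Swap SAMPLE_STATUSES for fetch_domain_statuses("us-east-1") to audit a real account.
    for finding in find_noncompliant(SAMPLE_STATUSES):
        print(finding)
```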

Additional Resources

Notes

  • Enabling FGAC on existing domains: Causes a blue/green deployment that can take several hours. Schedule during a maintenance window.
  • Prerequisites: FGAC requires encryption at rest, node-to-node encryption, and HTTPS enforcement. The console will prompt you to enable these if they are not already active.
  • Master user choice: Using an IAM ARN is recommended for production environments as it integrates with your existing IAM policies and allows for centralized identity management.
  • Role mappings: After enabling FGAC, you must create role mappings in OpenSearch Dashboards to grant users access to specific indices and operations.
  • Anonymous access: FGAC disables anonymous access by default. All requests must be authenticated.
  • Compliance frameworks: This control maps to AWS Foundational Security Best Practices, C5, and PCI requirements.