Disable OpenSearch Internal User Database

Overview

This check verifies that Amazon OpenSearch Service domains have their internal user database disabled. When disabled, users must authenticate through external identity providers such as IAM, SAML, or Amazon Cognito instead of using built-in username/password credentials.

Risk

An enabled internal user database creates several security concerns:

  • Credential sprawl: Local usernames and passwords are harder to manage centrally
  • Weak account lifecycle: No automatic credential rotation or expiration
  • No MFA support: Basic authentication cannot enforce multi-factor authentication
  • Brute-force vulnerability: Username/password endpoints are susceptible to automated attacks
  • Limited auditing: Harder to track who accessed what and when

Using federated authentication through IAM, SAML, or Cognito provides centralized credential management, MFA enforcement, and better audit trails.

Remediation Steps

Prerequisites

  • AWS account access with permissions to modify OpenSearch domains
  • An alternative authentication method configured (IAM role, SAML provider, or Cognito user pool)

Important: Before disabling the internal user database, ensure you have configured an alternative authentication method. Otherwise, you may lose access to your OpenSearch domain.

AWS Console Method

  1. Open the Amazon OpenSearch Service console
  2. In the left navigation, click Domains
  3. Click on the domain name you want to modify
  4. Click Actions > Edit security configuration
  5. Under Fine-grained access control, locate the Internal user database setting
  6. Uncheck or disable Enable internal user database
  7. Under Set IAM ARN as master user, specify an IAM role ARN that will have full access to the cluster
  8. Click Save changes

Note: The domain will enter a processing state while the configuration is applied. This may take several minutes.

AWS CLI (optional)

Disable Internal User Database

First, verify the current configuration:

aws opensearch describe-domain \
--domain-name <your-domain-name> \
--region us-east-1 \
--query 'DomainStatus.AdvancedSecurityOptions'

Then disable the internal user database:

aws opensearch update-domain-config \
  --domain-name <your-domain-name> \
  --region us-east-1 \
  --advanced-security-options '{
    "InternalUserDatabaseEnabled": false,
    "MasterUserOptions": {
      "MasterUserARN": "arn:aws:iam::<account-id>:role/<master-user-role>"
    }
  }'

Replace:

  • <your-domain-name> with your OpenSearch domain name
  • <account-id> with your AWS account ID
  • <master-user-role> with the IAM role that will have master user access

Check Update Status

Monitor the domain status until processing completes:

aws opensearch describe-domain \
  --domain-name <your-domain-name> \
  --region us-east-1 \
  --query 'DomainStatus.Processing'

CloudFormation (optional)

CloudFormation Template

This template creates an OpenSearch domain with the internal user database disabled and IAM-based master user authentication:

AWSTemplateFormatVersion: '2010-09-09'
Description: OpenSearch domain with internal user database disabled

Parameters:
  DomainName:
    Type: String
    Description: Name for the OpenSearch domain
    MinLength: 3
    MaxLength: 28
    AllowedPattern: '[a-z][a-z0-9\-]+'

Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: !Ref DomainName
      EngineVersion: OpenSearch_2.11
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: 1
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp3
        VolumeSize: 10
      NodeToNodeEncryptionOptions:
        Enabled: true
      EncryptionAtRestOptions:
        Enabled: true
      DomainEndpointOptions:
        EnforceHTTPS: true
      AdvancedSecurityOptions:
        Enabled: true
        InternalUserDatabaseEnabled: false
        MasterUserOptions:
          MasterUserARN: !Sub 'arn:aws:iam::${AWS::AccountId}:role/OpenSearchMasterUserRole'

Outputs:
  DomainEndpoint:
    Description: OpenSearch domain endpoint
    Value: !GetAtt OpenSearchDomain.DomainEndpoint
  DomainArn:
    Description: OpenSearch domain ARN
    Value: !GetAtt OpenSearchDomain.Arn

Key Configuration

The critical settings are in AdvancedSecurityOptions:

AdvancedSecurityOptions:
  Enabled: true
  InternalUserDatabaseEnabled: false   # This disables local username/password auth
  MasterUserOptions:
    MasterUserARN: <iam-role-arn>      # IAM role for master user access

Deploy the Stack

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name opensearch-secure-domain \
  --parameter-overrides DomainName=my-secure-domain \
  --region us-east-1

Terraform (optional)

Terraform Configuration

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "domain_name" {
  description = "Name of the OpenSearch domain"
  type        = string
}

variable "master_user_arn" {
  description = "ARN of the IAM role for the master user"
  type        = string
}

resource "aws_opensearch_domain" "main" {
  domain_name    = var.domain_name
  engine_version = "OpenSearch_2.11"

  cluster_config {
    instance_type  = "t3.small.search"
    instance_count = 1
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "gp3"
    volume_size = 10
  }

  encrypt_at_rest {
    enabled = true
  }

  node_to_node_encryption {
    enabled = true
  }

  domain_endpoint_options {
    enforce_https = true
  }

  advanced_security_options {
    enabled                        = true
    internal_user_database_enabled = false
    master_user_options {
      master_user_arn = var.master_user_arn
    }
  }
}

output "domain_endpoint" {
  description = "OpenSearch domain endpoint"
  value       = aws_opensearch_domain.main.endpoint
}

output "domain_arn" {
  description = "OpenSearch domain ARN"
  value       = aws_opensearch_domain.main.arn
}

Key Configuration

The critical setting is internal_user_database_enabled = false within the advanced_security_options block:

advanced_security_options {
  enabled                        = true
  internal_user_database_enabled = false   # Disables local username/password auth
  master_user_options {
    master_user_arn = var.master_user_arn  # IAM role for master user access
  }
}

Apply the Configuration

terraform init
terraform plan -var="domain_name=my-secure-domain" -var="master_user_arn=arn:aws:iam::123456789012:role/OpenSearchMasterRole"
terraform apply -var="domain_name=my-secure-domain" -var="master_user_arn=arn:aws:iam::123456789012:role/OpenSearchMasterRole"

Verification

After making changes, verify the internal user database is disabled:

  1. Open the Amazon OpenSearch Service console
  2. Click on your domain name
  3. Go to the Security configuration tab
  4. Under Fine-grained access control, confirm that Internal user database shows as disabled

CLI Verification

aws opensearch describe-domain \
  --domain-name <your-domain-name> \
  --region us-east-1 \
  --query 'DomainStatus.AdvancedSecurityOptions.InternalUserDatabaseEnabled'

This should return false.
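As an added example (not part of this page's own tooling), a small Python script that applies this check's logic to the AdvancedSecurityOptions object returned by describe-domain, so a whole region can be audited rather than one domain at a time. It separates a passing domain from a failing one and from a domain where fine-grained access control is off altogether, where the flag is meaningless; the domain names and option values are constructed, and the boto3 helper assumes credentials allowed to list and describe domains.

```python
"""Audit OpenSearch domains for the internal-user-database check."""
from typing import Any, Dict, List

# Constructed sample: the AdvancedSecurityOptions object as returned by
# `aws opensearch describe-domain --query 'DomainStatus.AdvancedSecurityOptions'`
# for three hypothetical domains (not real account data).
SAMPLE_DOMAINS: Dict[str, Dict[str, Any]] = {
    "logs-prod": {"Enabled": True, "InternalUserDatabaseEnabled": False},
    "search-dev": {"Enabled": True, "InternalUserDatabaseEnabled": True},
    "legacy-es": {"Enabled": False, "InternalUserDatabaseEnabled": False},
}


def evaluate(options: Dict[str, Any]) -> str:
    """Classify one domain's AdvancedSecurityOptions.

    "PASS": fine-grained access control is on and the internal database is off.
    "FAIL": the internal username/password database is still enabled.
    "NOT_APPLICABLE": fine-grained access control itself is disabled, so the
    flag says nothing; such a domain relies on its access policy alone and
    needs a separate review, not a pass mark.
    """
    if not options or not options.get("Enabled", False):
        return "NOT_APPLICABLE"
    if options.get("InternalUserDatabaseEnabled", False):
        return "FAIL"
    return "PASS"


def failing_domains(domains: Dict[str, Dict[str, Any]]) -> List[str]:
    """Names of domains that still have the internal user database on."""
    return sorted(name for name, opts in domains.items() if evaluate(opts) == "FAIL")


def scan_region(region: str) -> Dict[str, Dict[str, Any]]:
    """Collect AdvancedSecurityOptions for every domain in a region via boto3.

    Assumes credentials permitted to call ListDomainNames and DescribeDomains;
    not used by the offline sample below.
    """
    import boto3  # imported here so the offline path needs no AWS dependency

    client = boto3.client("opensearch", region_name=region)
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    found: Dict[str, Dict[str, Any]] = {}
    for i in range(0, len(names), 5):  # conservative batch size per describe call
        for status in client.describe_domains(DomainNames=names[i:i + 5])["DomainStatusList"]:
            found[status["DomainName"]] = status.get("AdvancedSecurityOptions", {})
    return found


if __name__ == "__main__":
    for name, opts in SAMPLE_DOMAINS.items():
        print(f"{name}: {evaluate(opts)}")
```

Swap `SAMPLE_DOMAINS` for `scan_region("us-east-1")` to run it against a real account.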

Additional Resources

Notes

  • Plan ahead: Before disabling the internal user database, ensure you have configured an alternative authentication method (IAM, SAML, or Cognito). Failing to do so may lock you out of the domain.
  • Domain processing time: Configuration changes can take 15-30 minutes to apply. The domain will show a "Processing" status during this time.
  • Existing users: Any internal users created previously will no longer be able to authenticate after this change.
  • Master user requirement: Fine-grained access control requires a master user. When disabling the internal database, you must specify an IAM role ARN as the master user.
  • SAML/Cognito option: For non-IAM users, consider setting up SAML federation or Amazon Cognito to provide centralized authentication with MFA support.