Skip to main content

OpenSearch Domains Should Use Cognito or SAML Authentication for Dashboards

Overview

This check verifies that Amazon OpenSearch Service domains have federated authentication enabled for OpenSearch Dashboards (formerly Kibana) access. Federated authentication through Amazon Cognito or SAML providers ensures that only authorized users can access your dashboards using centralized identity management.

Risk

Without federated authentication, your OpenSearch Dashboards may be vulnerable to:

  • Unauthorized access: Weak or shared credentials can be guessed or leaked
  • Data exposure: Sensitive data in your indexes could be viewed by unauthorized parties
  • Data tampering: Malicious actors could modify or delete your indexes
  • Performance degradation: Unrestricted access may lead to resource-intensive queries affecting availability

Federated authentication provides centralized user management, supports multi-factor authentication (MFA), and enables audit logging of user access.

Remediation Steps

Prerequisites

  • An AWS account with permissions to modify OpenSearch domains
  • An existing Amazon Cognito User Pool and Identity Pool (or you can create them during setup)
  • An IAM role that allows OpenSearch to use Cognito
Setting up Cognito prerequisites

If you do not already have Cognito resources, you will need:

  1. Cognito User Pool: Stores user identities and handles authentication
  2. Cognito Identity Pool: Provides temporary AWS credentials to authenticated users
  3. IAM Role: Allows OpenSearch Service to configure Cognito resources

Create these resources before proceeding, or use the CloudFormation/Terraform templates below which can create them for you.

AWS Console Method

  1. Sign in to the AWS Management Console and open the Amazon OpenSearch Service console

  2. In the left navigation pane, choose Domains

  3. Select the domain you want to configure

  4. Choose the Security configuration tab

  5. Click Edit

  6. Under Authentication for OpenSearch Dashboards/Kibana, select Enable Amazon Cognito authentication

  7. Configure the Cognito settings:

    • Cognito User Pool: Select your existing user pool or create a new one
    • Cognito Identity Pool: Select your existing identity pool or create a new one
    • IAM Role: Select the IAM role that grants OpenSearch permission to configure Cognito

  8. Click Save changes

  9. Wait for the domain status to change from "Processing" to "Active" (this may take 15-30 minutes)

AWS CLI (optional)

First, verify your current domain configuration:

aws opensearch describe-domain \
    --domain-name <your-domain-name> \
    --region us-east-1 \
    --query 'DomainStatus.CognitoOptions'

Enable Cognito authentication on an existing domain:

aws opensearch update-domain-config \
    --domain-name <your-domain-name> \
    --region us-east-1 \
    --cognito-options \
        Enabled=true,\
UserPoolId=<your-user-pool-id>,\
IdentityPoolId=<your-identity-pool-id>,\
RoleArn=arn:aws:iam::<account-id>:role/<cognito-role-name>

Replace the placeholders:

  • <your-domain-name>: Your OpenSearch domain name
  • <your-user-pool-id>: Cognito User Pool ID (format: us-east-1_xxxxxxxxx)
  • <your-identity-pool-id>: Cognito Identity Pool ID (format: us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
  • <account-id>: Your AWS account ID
  • <cognito-role-name>: The IAM role name for Cognito

Monitor the update progress:

aws opensearch describe-domain \
    --domain-name <your-domain-name> \
    --region us-east-1 \
    --query 'DomainStatus.Processing'

The domain is ready when this returns false.

CloudFormation (optional)

This template creates an OpenSearch domain with Cognito authentication enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: OpenSearch domain with Cognito authentication for dashboards

Parameters:
  DomainName:
    Type: String
    Description: Name of the OpenSearch domain
    AllowedPattern: '[a-z][a-z0-9\-]+'
    MinLength: 3
    MaxLength: 28

  UserPoolId:
    Type: String
    Description: Amazon Cognito User Pool ID

  IdentityPoolId:
    Type: String
    Description: Amazon Cognito Identity Pool ID

  CognitoRoleArn:
    Type: String
    Description: IAM Role ARN for Cognito authentication

Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: !Ref DomainName
      EngineVersion: OpenSearch_2.11
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: 1
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp3
        VolumeSize: 10
      CognitoOptions:
        Enabled: true
        UserPoolId: !Ref UserPoolId
        IdentityPoolId: !Ref IdentityPoolId
        RoleArn: !Ref CognitoRoleArn
      EncryptionAtRestOptions:
        Enabled: true
      NodeToNodeEncryptionOptions:
        Enabled: true
      DomainEndpointOptions:
        EnforceHTTPS: true
        TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: '*'
            Action: 'es:*'
            Resource: !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*'
            Condition:
              IpAddress:
                aws:SourceIp:
                  - '10.0.0.0/8'

Outputs:
  DomainEndpoint:
    Description: OpenSearch domain endpoint
    Value: !GetAtt OpenSearchDomain.DomainEndpoint

  DashboardsURL:
    Description: OpenSearch Dashboards URL
    Value: !Sub 'https://${OpenSearchDomain.DomainEndpoint}/_dashboards'

Deploy the stack:

aws cloudformation create-stack \
    --stack-name opensearch-cognito-auth \
    --template-body file://template.yaml \
    --parameters \
        ParameterKey=DomainName,ParameterValue=<your-domain-name> \
        ParameterKey=UserPoolId,ParameterValue=<your-user-pool-id> \
        ParameterKey=IdentityPoolId,ParameterValue=<your-identity-pool-id> \
        ParameterKey=CognitoRoleArn,ParameterValue=<your-cognito-role-arn> \
    --region us-east-1
Terraform (optional)
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

variable "domain_name" {
  description = "Name of the OpenSearch domain"
  type        = string
}

variable "user_pool_id" {
  description = "Amazon Cognito User Pool ID"
  type        = string
}

variable "identity_pool_id" {
  description = "Amazon Cognito Identity Pool ID"
  type        = string
}

variable "cognito_role_arn" {
  description = "IAM Role ARN for Cognito authentication"
  type        = string
}

resource "aws_opensearch_domain" "main" {
  domain_name    = var.domain_name
  engine_version = "OpenSearch_2.11"

  cluster_config {
    instance_type  = "t3.small.search"
    instance_count = 1
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "gp3"
    volume_size = 10
  }

  cognito_options {
    enabled          = true
    user_pool_id     = var.user_pool_id
    identity_pool_id = var.identity_pool_id
    role_arn         = var.cognito_role_arn
  }

  encrypt_at_rest {
    enabled = true
  }

  node_to_node_encryption {
    enabled = true
  }

  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  tags = {
    Environment = "production"
  }
}

output "domain_endpoint" {
  description = "OpenSearch domain endpoint"
  value       = aws_opensearch_domain.main.endpoint
}

output "dashboards_url" {
  description = "OpenSearch Dashboards URL"
  value       = "https://${aws_opensearch_domain.main.endpoint}/_dashboards"
}

Apply the configuration:

terraform init
terraform plan -var="domain_name=<your-domain>" \
               -var="user_pool_id=<your-user-pool-id>" \
               -var="identity_pool_id=<your-identity-pool-id>" \
               -var="cognito_role_arn=<your-role-arn>"
terraform apply

Verification

After enabling Cognito authentication:

  1. Open the OpenSearch Service console and select your domain
  2. On the Security configuration tab, confirm that Amazon Cognito authentication shows as Enabled
  3. Navigate to your OpenSearch Dashboards URL (shown in the domain details)
  4. You should be redirected to a Cognito login page instead of seeing an open dashboard
CLI verification
aws opensearch describe-domain \
    --domain-name <your-domain-name> \
    --region us-east-1 \
    --query 'DomainStatus.CognitoOptions'

Expected output when properly configured:

{
    "Enabled": true,
    "UserPoolId": "us-east-1_xxxxxxxxx",
    "IdentityPoolId": "us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "RoleArn": "arn:aws:iam::123456789012:role/CognitoAccessForAmazonOpenSearch"
}

Additional Resources

Notes

  • Update time: Enabling Cognito authentication triggers a domain update that can take 15-30 minutes to complete
  • SAML alternative: If you prefer SAML over Cognito, you can configure SAML authentication instead. Both provide federated authentication
  • Fine-grained access control: Consider enabling fine-grained access control in addition to Cognito for role-based permissions within OpenSearch
  • Existing users: After enabling Cognito, users must log in through the Cognito-hosted UI or your custom authentication flow
  • VPC domains: For VPC-based domains, ensure your Cognito resources are accessible from the VPC or configure appropriate networking