AWS-ES-Internal-User-Database

Severity : Medium

Description: This control checks that Amazon Elasticsearch Service domains do not have the internal (built-in) user database enabled for access to the domain. The internal user database stores usernames and passwords inside the domain and allows HTTP basic authentication against them. As a security best practice, do not rely on basic authentication against the internal user database. Instead, configure fine-grained access control on the domain with an IAM principal as the master user (optionally combined with Amazon Cognito authentication for Kibana users), so that access is governed by IAM rather than by a password stored in the domain.

Remediation Steps:

Perform the following to configure fine-grained access control with IAM for the affected ES Service domains:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

Create an IAM role to delegate permissions to users in another AWS account

  1. Navigate to the IAM console.

  2. In the navigation pane, choose Roles, then choose Create role.

  3. Choose the Another AWS account role type.

  4. For Account ID, enter the ID of the AWS account whose users will assume the role.

  5. Select Require external ID if you are granting access to an account you do not control and its users will assume the role programmatically (the external ID guards against the confused-deputy problem).

  6. If MFA is required, select Require MFA.

  7. Choose Next: Permissions.

  8. Select an existing policy to use as the permissions policy, or choose Create policy.

  9. Optionally choose Use a permissions boundary to control the maximum permissions of the role, and select the policy to use as the boundary.

  10. Choose Next: Tags.

  11. Choose Next: Review.

  12. For Role name, enter a name for the role.

  13. For Role description, enter a description for the new role.

  14. Choose Create role.

Create an IAM role to delegate permissions to an AWS service

  1. Navigate to the IAM console.

  2. In the navigation pane, choose Roles, then choose Create role.

  3. For Select type of trusted entity, choose AWS service.

  4. Choose the service that is allowed to assume this role.

  5. Choose the use case for that service.

  6. Choose Next: Permissions.

  7. Select an existing policy to use as the permissions policy, or choose Create policy.

  8. Optionally choose Use a permissions boundary to control the maximum permissions of the role, and select the policy to use as the boundary.

  9. Choose Next: Tags.

  10. Choose Next: Review.

  11. For Role name, enter a name for the role.

  12. For Role description, enter a description for the new role.

  13. Choose Create role.

Update the fine-grained access control on the domain

  1. In the Elasticsearch Service console, choose Domains in the left navigation pane.

  2. Select the reported domain, choose Actions, then choose Edit security configuration.

  3. Edit the access policy JSON to create a resource-based access policy that grants only the required es: actions on this domain to the specific IAM principals that need them (least privilege).

  4. Select Enable fine-grained access control.

  5. Choose Set IAM ARN as master user and specify the ARN of the IAM role created above. Do not choose the internal user database option, since that re-enables username/password (basic) authentication stored in the domain.

  6. Select Enable migration period for open/IP-based access policy to give existing users a transition window in which they can be mapped to the required roles before the old access path is closed.

  7. Choose Save changes.

Important:

  • Fine-grained access control requires OpenSearch (any version) or Elasticsearch 6.7 or later; domains on older Elasticsearch versions must be upgraded before this remediation can be applied.
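The same check and remediation can be driven from the API. The following is an added example, not part of the original control text or any Blue Hexagon tooling: it evaluates domain records shaped like the DomainStatus structure returned by the describe-elasticsearch-domain API (AdvancedSecurityOptions.Enabled, AdvancedSecurityOptions.InternalUserDatabaseEnabled, ElasticsearchVersion), then builds the parameter set for update-elasticsearch-domain-config that turns the internal user database off, sets an IAM role as master user, installs a least-privilege access policy, and optionally enables the migration period (AnonymousAuthEnabled). The domain records, domain names, account ID and role ARNs are constructed sample data; the function names are the example's own.

```python
"""Check ES Service domains for the internal user database and build the
remediation request. Domain records mirror DomainStatus from the AWS
describe-elasticsearch-domain API; nothing here calls AWS, so it runs offline.
"""
import json

# Constructed sample DomainStatus records (assumed shapes, not real domains).
SAMPLE_DOMAINS = [
    {   # internal user database enabled: HTTP basic auth accepted -> FAIL
        "DomainName": "logs-prod",
        "ElasticsearchVersion": "7.10",
        "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": True},
    },
    {   # fine-grained access control without internal user database -> PASS
        "DomainName": "search-api",
        "ElasticsearchVersion": "OpenSearch_1.3",
        "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": False},
    },
    {   # no fine-grained access control and too old to enable it -> WARN
        "DomainName": "legacy-6x",
        "ElasticsearchVersion": "6.5",
        "AdvancedSecurityOptions": {"Enabled": False, "InternalUserDatabaseEnabled": False},
    },
]


def supports_fgac(version: str) -> bool:
    """Fine-grained access control needs Elasticsearch 6.7+ or any OpenSearch version."""
    if version.startswith("OpenSearch_"):
        return True
    if version.startswith("Elasticsearch_"):          # EngineVersion form of the opensearch API
        version = version[len("Elasticsearch_"):]
    major, minor = (int(part) for part in version.split(".")[:2])
    return (major, minor) >= (6, 7)


def evaluate_domain(domain: dict) -> dict:
    """Classify one domain: FAIL if the internal user database is on, WARN if
    fine-grained access control is off entirely, PASS otherwise."""
    opts = domain.get("AdvancedSecurityOptions") or {}
    fgac_enabled = bool(opts.get("Enabled"))
    internal_db = bool(opts.get("InternalUserDatabaseEnabled"))
    if internal_db:
        status, reason = "FAIL", "internal user database enabled; HTTP basic auth accepted"
    elif not fgac_enabled and supports_fgac(domain.get("ElasticsearchVersion", "0.0")):
        status, reason = "WARN", "fine-grained access control not enabled"
    elif not fgac_enabled:
        status, reason = "WARN", "fine-grained access control unavailable; upgrade to 6.7+ first"
    else:
        status, reason = "PASS", "fine-grained access control enabled, no internal user database"
    return {"DomainName": domain.get("DomainName"), "Status": status, "Reason": reason}


def evaluate_all(domains) -> list:
    return [evaluate_domain(d) for d in domains]


def least_privilege_access_policy(domain_arn: str, principal_arns) -> dict:
    """Resource-based policy: only the named IAM principals, only ES HTTP actions, only this domain."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": "es:ESHttp*",
            "Resource": domain_arn.rstrip("/") + "/*",
        }],
    }


def build_remediation(domain_name: str, master_user_arn: str, access_policy: dict,
                      migration_period: bool = False) -> dict:
    """Parameters for update-elasticsearch-domain-config; with boto3 this is
    client.update_elasticsearch_domain_config(**params)."""
    parts = master_user_arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[2] != "iam":
        raise ValueError("master user must be an IAM ARN, not an internal user name")
    options = {
        "Enabled": True,                              # fine-grained access control on
        "InternalUserDatabaseEnabled": False,         # no username/password store in the domain
        "MasterUserOptions": {"MasterUserARN": master_user_arn},
    }
    if migration_period:
        # Console "Enable migration period": 30-day window to map existing open/IP-based access to roles.
        options["AnonymousAuthEnabled"] = True
    return {
        "DomainName": domain_name,
        "AdvancedSecurityOptions": options,
        "AccessPolicies": json.dumps(access_policy),  # the API takes the policy as a JSON string
    }


if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_DOMAINS):
        print(f"{result['Status']:4} {result['DomainName']}: {result['Reason']}")
    policy = least_privilege_access_policy(
        "arn:aws:es:us-east-1:123456789012:domain/logs-prod",
        ["arn:aws:iam::123456789012:role/es-app-role"])
    params = build_remediation("logs-prod", "arn:aws:iam::123456789012:role/es-master-role",
                               policy, migration_period=True)
    print(json.dumps(params, indent=2))
```

Run it as-is to see the three verdicts and the remediation request for the failing domain; to apply it for real, feed the describe API output into evaluate_all and pass the returned params to the update call. The ValueError in build_remediation is deliberate: passing a plain user name there would mean falling back to an internal master user, which is exactly the configuration this control flags.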

Reference:

Blue Hexagon Proprietary