Audit and secure your search and log analytics data with Amazon OpenSearch Service
Meet and maintain your security requirements for authentication, authorization, encryption, audit, and regulatory compliance.
Analytics solutions built on large amounts of data are especially susceptible to security risks and breaches. You need a robust security and compliance solution with these capabilities:
- Confidently host sensitive workloads
- Protect and limit access to confidential data
- Integrate with third-party identity providers
- Secure data at rest and in transit
- Audit user activity and configuration updates
- Configure programmatic access for your custom applications and other AWS services
Key security features of OpenSearch
Authentication and authorization
Protect your data from attackers by enabling encryption of data on disk, log files, and automated snapshots using AES-256 with AWS Key Management Service (KMS) keys. Encrypt data in transit between nodes using TLS 1.2.
Granular access control
Use one or more access control features such as AWS IAM policies or fine-grained access control to provide users with a controlled and predictable way to query business data, and monitor cluster configuration.
Access policies and network isolation
Secure the perimeter of your domain by using AWS identity and resource policies to associate identities and resources with specific allow/deny actions. Create logically isolated networks using an Amazon Virtual Private Cloud (Amazon VPC), and use Amazon VPC security groups to allow traffic only from known entities.
Audit logging and compliance
Monitor configuration changes to your domain, track user activity, and audit requests for data, including detailed connection attributes. Use AWS CloudTrail logging and OpenSearch audit logs to monitor use of configuration APIs and requests to your data.
Security upgrades and patches
Protect your data from security vulnerabilities. To minimize the need for version upgrades, OpenSearch Service provides backwards compatible security patches and upgrades for all supported versions of OpenSearch and Elasticsearch.
Index, document, and field security
Secure access to your sensitive or confidential data using advanced security controls. Use index, document or field-level security to limit access to specific indices, documents or fields.
Secure programmatic access
Communicate securely with your OpenSearch domain using Signature Version 4 (SigV4) signed requests sent with the AWS SDKs or the AWS Command Line Interface (CLI).
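To make the SigV4 signing step visible, here is an added example (not code from this page, the AWS SDKs, or the CLI, which perform this for you) that computes the signed headers for a search request against a domain endpoint; the access key, secret key and domain hostname are constructed placeholders, and the request path and body are assumed for illustration.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed example credentials and endpoint (not real; assumed for illustration only).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
SERVICE = "es"  # requests to OpenSearch Service domain endpoints are signed with service name "es"
HOST = "search-example-domain-abc123.us-east-1.es.amazonaws.com"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_request(method: str, path: str, body: bytes, amz_date=None) -> dict:
    """Return the HTTP headers for a SigV4-signed request to the domain.
    amz_date is the request timestamp as YYYYMMDD'T'HHMMSS'Z'; defaults to the current UTC time."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = sha256_hex(body)  # binds the body: any change to it invalidates the signature
    # Canonical headers: lowercase names, sorted, each line terminated by a newline.
    canonical_headers = (f"content-type:application/json\nhost:{HOST}\n"
                         f"x-amz-content-sha256:{payload_hash}\nx-amz-date:{amz_date}\n")
    signed_headers = "content-type;host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join([method, quote(path, safe="/"), "",  # empty query string
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical_request.encode("utf-8"))])
    # The signing key is derived per date, region and service, so the long-term secret never leaves the client.
    k_signing = hmac_sha256(hmac_sha256(hmac_sha256(hmac_sha256(("AWS4" + SECRET_KEY).encode("utf-8"),
                                                                date_stamp), REGION), SERVICE), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Host": HOST,
        "Content-Type": "application/json",
        "X-Amz-Date": amz_date,
        "X-Amz-Content-Sha256": payload_hash,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }
```

Because the signature covers the timestamp, the host, and the payload hash, a replayed or modified request fails validation at the domain endpoint, which is why signed access is preferred to IP-only restrictions for custom applications.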
Collect logs from different sources and in different formats, then normalize and compare the security log data.
What is security analytics?
- Identify and remediate security threats to your business using security analytics with Amazon OpenSearch Service, by Kevin Fallis and Jimish Shah, 03/14/2023
- Field-level security in Amazon OpenSearch Service, by Satyanarayana Adimula, 11/08/2022
- Analyze Active Directory Event logs using Amazon OpenSearch, by Pavankumar Kasani, Ashok Srirama, and Rushikesh Jagtap, 07/13/2022
- Building SAML federation for Amazon OpenSearch Service with Okta, by Raghavarao Sodabathina, Jana Gnanachandran, and Rudy Collado, 04/21/2022
- How to use AWS Security Hub and Amazon OpenSearch Service for SIEM, by Ely Kahn, Aashmeet Kalra, Grant Joslyn, Akihiro Nakajima, and Anthony Pasquariello, 03/21/2022
- Configure SAML single sign-on for Kibana with AD FS on Amazon Elasticsearch Service, by Sajeev Attiyil Bhaskaran and Jagadeesh Pusapadi, 07/09/2021
Q: How can I secure my Amazon OpenSearch Service domain?
Amazon OpenSearch Service provides multiple security features and is HIPAA eligible and compliant with PCI DSS, SOC, ISO, and FedRAMP standards, so that you can meet your security and compliance needs. Access to Amazon OpenSearch Service management APIs for operations such as creating and scaling domains is controlled with AWS Identity and Access Management (IAM) policies.
Amazon OpenSearch Service domains can be configured to be accessible with an endpoint within your VPC or with a public endpoint accessible from the internet. Network access for VPC endpoints is controlled with security groups; for public endpoints, access can be granted or restricted by IP address.
In addition to network-based access control, Amazon OpenSearch Service provides user authentication via IAM and basic authentication using a username and password. Authorization can be granted at the domain level (via Domain Access Policies) as well as at the index, document, and field level (via the fine-grained access control feature powered by OpenSearch). Additionally, the fine-grained access control feature extends OpenSearch Dashboards and Kibana with read-only views and secure multi-tenant support.
Amazon OpenSearch Service also supports an integration with Amazon Cognito, to allow your end users to log in to OpenSearch Dashboards and Kibana through enterprise identity providers such as Microsoft Active Directory using SAML 2.0, Amazon Cognito User Pools, and more. Once you sign in, Amazon Cognito establishes a session using the appropriate IAM principal, which provides access to the Amazon OpenSearch Service domain. These IAM principals can then be used with the fine-grained access control feature powered by OpenSearch.
Q: How do authentication and authorization work in Amazon OpenSearch Service?
Amazon OpenSearch Service security has three main layers: Network, Domain access policies, and fine-grained access control. The first security layer is the network, which determines whether requests reach a domain. We support public access via the internet or VPC access limited to specific security groups in your VPC. The domain access policy is the second security layer. After a request reaches a domain endpoint, the Domain Access Policy allows or denies the request access to a given URL. The Domain Access Policy accepts or rejects requests at the edge of the domain, before they reach OpenSearch/Elasticsearch itself. The third and final security layer is fine-grained access control. After a Domain Access Policy allows a request to reach a domain endpoint, fine-grained access control evaluates the user credentials and either authenticates the user or denies the request. If fine-grained access control authenticates the user, it fetches all roles mapped to that user and uses the complete set of permissions to determine what data the user has access to.
Q: Does Amazon OpenSearch Service support encryption?
Yes, Amazon OpenSearch Service supports encryption at rest through AWS Key Management Service (KMS), node-to-node encryption over TLS, and the ability to require clients to communicate over HTTPS. Encryption at rest encrypts shards, log files, swap files, and automated S3 snapshots. You can use AWS-managed keys or choose one of your own. Node-to-node encryption enables TLS for all communications between nodes. Amazon OpenSearch Service automatically deploys and rotates certificates throughout the life of the domain. If you require your clients to communicate over HTTPS, you also have the ability to specify the minimum TLS version.
Q: If I set up VPC access for my Amazon OpenSearch Service domain, how can I access OpenSearch Dashboards and Kibana?
When VPC access is enabled, the endpoint for Amazon OpenSearch Service is only accessible within the customer VPC. To use your laptop to access OpenSearch Dashboards and Kibana from outside the VPC, you need to connect the laptop to the VPC using a VPN or AWS Direct Connect.