Control: Elasticsearch domains should have cognito authentication enabled
Description
AWS Elasticsearch service uses AWS Cognito to offer user name and password protection for Kibana. This control is non-compliant if AWS Cognito authentication is not enabled.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.es_domain_cognito_authentication_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.es_domain_cognito_authentication_enabled --shareSQL
This control uses a named query:
select arn as resource, case when cognito_options ->> 'Enabled' = 'true' then 'ok' else 'alarm' end as status, case when cognito_options ->> 'Enabled' = 'true' then title || ' AWS Cognito authentication for Kibana enabled.' else title || ' AWS Cognito authentication for Kibana disabled.' end as reason , region, account_idfrom aws_elasticsearch_domain;