Control: OpenSearch domains should have fine-grained access control enabled
Description
This control checks whether OpenSearch domains have fine-grained access control enabled. The control fails if the fine-grained access control is not enabled. Fine-grained access control requires advanced-security-optionsin the OpenSearch parameter update-domain-config to be enabled.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.opensearch_domain_fine_grained_access_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.opensearch_domain_fine_grained_access_enabled --shareSQL
This control uses a named query:
select arn as resource, case when advanced_security_options is null or not (advanced_security_options -> 'Enabled')::boolean then 'alarm' else 'ok' end as status, case when advanced_security_options is null or not (advanced_security_options -> 'Enabled')::boolean then title || ' has fine-grained access control disabled.' else title || ' has fine-grained access control enabled.' end as reason , region, account_idfrom aws_opensearch_domain;