Audit and secure your search and log analytics data with Amazon OpenSearch Service

Meet and maintain your security requirements for authentication, authorization, encryption, audit, and regulatory compliance.

Analytics solutions built on large amounts of data are especially susceptible to security risks and breaches. You need a robust security and compliance solution with these capabilities:

  • Confidently host sensitive workloads
  • Protect and limit access to confidential data
  • Integrate with third-party identity providers
  • Secure data at rest and in transit
  • Audit user activity and configuration updates
  • Configure programmatic access for your custom applications and other AWS services

Key security features of OpenSearch

Provide secure access to your users with the authentication and authorization methods of your choice, including native SAML support, Amazon Cognito, AWS IAM, and more. For more information, see Using SAML with Dashboards and Identity and Access Management.

Protect your data from attackers by encrypting data on disk, log files, and automated snapshots with AES-256 using AWS Key Management Service (KMS) keys. Encrypt data in transit between nodes using TLS 1.2.

Use one or more access control features, such as AWS IAM policies or fine-grained access control, to give users a controlled and predictable way to query business data and to monitor cluster configuration.

Secure the perimeter of your domain by using AWS identity and resource policies to associate identities and resources with specific allow/deny actions. Create logically isolated networks using an Amazon Virtual Private Cloud (VPC), and use Amazon VPC security groups to allow traffic only from known entities.

Monitor configuration changes to your domain, track user activity, and audit requests for data, including detailed connection attributes. Use AWS CloudTrail logging and OpenSearch audit logs to monitor use of the configuration APIs and requests to your data.

Protect your data from security vulnerabilities. To minimize the need for version upgrades, OpenSearch Service provides backward-compatible security patches and upgrades for all supported versions of OpenSearch and Elasticsearch.

Secure access to your sensitive or confidential data using advanced security controls. Use index-, document-, or field-level security to limit access to specific indices, documents, or fields.

Communicate securely with your OpenSearch domain using SigV4-signed requests sent through the AWS SDKs or the AWS Command Line Interface (CLI).

Meet your organization's strict compliance and governance requirements. Amazon OpenSearch Service is part of several industry-standard compliance programs, including HIPAA, FedRAMP, DoD CC SRG, SOC, PCI, ISO, CSA STAR, and FIPS 140-2.

Collect logs in different formats from different sources, then normalize and compare the security log data.

Security FAQs

Amazon OpenSearch Service provides multiple security features and is HIPAA eligible and compliant with PCI DSS, SOC, ISO, and FedRAMP standards, so that you can meet your security and compliance needs. Access to the Amazon OpenSearch Service management APIs for operations such as creating and scaling domains is controlled with AWS Identity and Access Management (IAM) policies.

Amazon OpenSearch Service domains can be configured to be accessible through an endpoint within your VPC or through a public endpoint accessible from the internet. Network access for VPC endpoints is controlled with security groups; for public endpoints, access can be granted or restricted by IP address.

In addition to network-based access control, Amazon OpenSearch Service provides user authentication via IAM and basic authentication using username and password. Authorization can be granted at the domain level (via Domain Access Policies) as well as at the index, document, and field level (via the fine-grained access control feature powered by OpenSearch). Additionally, the fine-grained access control feature extends OpenSearch Dashboards and Kibana with read-only views and secure multi-tenant support.

Amazon OpenSearch Service also supports an integration with Amazon Cognito, to allow your end users to log in to OpenSearch Dashboards and Kibana through enterprise identity providers such as Microsoft Active Directory using SAML 2.0, Amazon Cognito User Pools, and more. Once you sign in, Amazon Cognito establishes a session using the appropriate IAM principal, which provides access to the Amazon OpenSearch Service domain. These IAM principals are then available to be used with the fine-grained access control feature powered by OpenSearch.

Amazon OpenSearch Service security has three main layers: Network, Domain access policies, and fine-grained access control. The first security layer is the network, which determines whether requests reach a domain. We support public access via the internet or VPC access limited to specific security groups in your VPC. The domain access policy is the second security layer. After a request reaches a domain endpoint, the Domain Access Policy allows or denies the request access to a given URL. The Domain Access Policy accepts or rejects requests at the edge of the domain, before they reach OpenSearch/Elasticsearch itself. The third and final security layer is fine-grained access control. After a Domain Access Policy allows a request to reach a domain endpoint, fine-grained access control evaluates the user credentials and either authenticates the user or denies the request. If fine-grained access control authenticates the user, it fetches all roles mapped to that user and uses the complete set of permissions to determine what data the user has access to.

Yes, Amazon OpenSearch Service supports encryption at rest through AWS Key Management Service (KMS), node-to-node encryption over TLS, and the ability to require clients to communicate over HTTPS. Encryption at rest encrypts shards, log files, swap files, and automated S3 snapshots. You can use AWS-managed keys or choose one of your own. Node-to-node encryption enables TLS for all communications between nodes. Amazon OpenSearch Service automatically deploys and rotates certificates throughout the life of the domain. If you require your clients to communicate over HTTPS, you can also specify the minimum TLS version.

When VPC access is enabled, the endpoint for Amazon OpenSearch Service is only accessible within the customer VPC. To use your laptop to access OpenSearch Dashboards and Kibana from outside the VPC, you need to connect the laptop to the VPC using VPN or VPC Direct Connect.
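The controls described in the FAQ answers above (IP-restricted domain access policies, fine-grained access control, encryption at rest and in transit, enforced HTTPS with a minimum TLS version, and audit logs) can be checked from the domain's configuration. The following added example is not AWS code or part of this page; it audits two constructed domain descriptions, one weak and one hardened, whose field names are assumed to follow the shape of the `describe-domain` output, with made-up account, role, and CIDR values.

```python
import json
# Constructed samples shaped like the DomainStatus object that `aws opensearch
# describe-domain` returns (field names assumed; account, role, CIDR are made up).
DOMAIN_ARN = "arn:aws:es:us-east-1:123456789012:domain/example-logs/*"
WEAK_DOMAIN = {  # every control off, public endpoint, policy open to any caller
    "EncryptionAtRestOptions": {"Enabled": False},
    "NodeToNodeEncryptionOptions": {"Enabled": False},
    "DomainEndpointOptions": {"EnforceHTTPS": False},
    "AdvancedSecurityOptions": {"Enabled": False}, "LogPublishingOptions": {},
    "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": DOMAIN_ARN}]}),
}
HARDENED_DOMAIN = {  # the controls the page lists, plus a scoped access policy
    "EncryptionAtRestOptions": {"Enabled": True},
    "NodeToNodeEncryptionOptions": {"Enabled": True},
    "DomainEndpointOptions": {"EnforceHTTPS": True, "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"},
    "AdvancedSecurityOptions": {"Enabled": True},
    "LogPublishingOptions": {"AUDIT_LOGS": {"Enabled": True}},
    # One IAM role, only from a known CIDR, may send requests to the endpoint.
    "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "es:ESHttp*", "Resource": DOMAIN_ARN,
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/log-ingest"},
         "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.0/16"]}}}]}),
}

def _enabled(status, option, key="Enabled"):
    return bool(status.get(option, {}).get(key))

def audit_domain(status):
    """Return one finding per control from the page that the domain lacks."""
    findings = []
    if not _enabled(status, "EncryptionAtRestOptions"):
        findings.append("encryption at rest disabled")
    if not _enabled(status, "NodeToNodeEncryptionOptions"):
        findings.append("node-to-node TLS disabled")
    if not _enabled(status, "DomainEndpointOptions", "EnforceHTTPS"):
        findings.append("HTTPS not enforced")
    elif "TLS-1-0" in status["DomainEndpointOptions"].get("TLSSecurityPolicy", ""):
        findings.append("TLS 1.0 still accepted")
    if not _enabled(status, "AdvancedSecurityOptions"):
        findings.append("fine-grained access control disabled")
    if not status.get("LogPublishingOptions", {}).get("AUDIT_LOGS", {}).get("Enabled"):
        findings.append("audit logs not published")
    # Second layer: an Allow for any principal with no source-IP condition leaves only fine-grained access control in the way.
    for stmt in json.loads(status.get("AccessPolicies", "{}")).get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt:
            findings.append("access policy allows any principal with no IP condition")
    return findings
```

The same function can be run over the real output of `describe-domain` for each domain in an account to produce a quick gap list against the controls this page describes.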