AWS OpenSearch domain configured to allow public access
Description
AlphaSOC detected that an AWS OpenSearch domain was configured to allow public access using the CreateDomain or UpdateDomainConfig actions. AWS OpenSearch domains store search indices, analytics data, dashboards, and configurations. Public access exposes these resources to anyone on the internet, potentially bypassing proper authorization controls.
Impact
Allowing public access to an AWS OpenSearch domain can result in data breaches, unauthorized modifications, and service disruption. Adversaries may extract sensitive information, alter data, conduct reconnaissance, or use the domain as an entry point for further attacks.
Severity
Severity | Condition |
---|---|
Low | AWS OpenSearch domain configured to allow public access |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user responsible for enabling public access to the AWS OpenSearch domain. Verify whether this configuration was authorized and intentional. If unauthorized, disable public access, rotate any potentially compromised credentials, and investigate for signs of compromise. Consider updating security policies to prevent public access to AWS OpenSearch domains by default.
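One way to carry out the CloudTrail review described above, as an added example (not AlphaSOC's detection logic): it scans CloudTrail records for successful CreateDomain or UpdateDomainConfig calls whose access policy allows a wildcard principal with no condition, and reports who made each call. The record layout (es.amazonaws.com event source, requestParameters.accessPolicies logged as a JSON string) is an assumption, and all sample events are constructed for illustration.

```python
import json
WATCHED = {"CreateDomain", "UpdateDomainConfig"}  # actions named in this detection

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_public_statement(stmt):
    # Allow + wildcard principal + no Condition; conditioned statements need manual review.
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def find_public_access_changes(events):
    """Return (time, caller ARN, action, domain) for each change that opens a domain."""
    findings = []
    for ev in events:
        if (ev.get("eventSource") != "es.amazonaws.com" or ev.get("eventName") not in WATCHED
                or ev.get("errorCode")):  # other services, other actions, rejected calls
            continue
        params = ev.get("requestParameters") or {}
        try:  # assumption: the access policy is logged as a JSON string
            policy = json.loads(params.get("accessPolicies") or "{}")
        except (TypeError, ValueError):
            continue
        stmts = _as_list(policy.get("Statement", [])) if isinstance(policy, dict) else []
        if any(is_public_statement(s) for s in stmts):
            arn = (ev.get("userIdentity") or {}).get("arn")
            findings.append((ev.get("eventTime"), arn, ev["eventName"], params.get("domainName")))
    return findings

def _event(time, user, name, domain, principal, condition=None, error=None):
    # Builds one constructed CloudTrail-style record; the field layout is an assumption.
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "es:*", "Resource": "*"}
    if condition:
        stmt["Condition"] = condition
    ev = {"eventTime": time, "eventSource": "es.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user},
          "requestParameters": {"domainName": domain, "accessPolicies": json.dumps({"Statement": [stmt]})}}
    return {**ev, "errorCode": error} if error else ev

SAMPLE_EVENTS = [  # constructed sample data, not real log output
    _event("2024-01-01T10:00:00Z", "example-a", "CreateDomain", "example-logs", "*"),
    _event("2024-01-01T11:00:00Z", "example-b", "UpdateDomainConfig", "example-search", {"AWS": "*"}, {"IpAddress": {"aws:SourceIp": "192.0.2.0/24"}}),
    _event("2024-01-01T12:00:00Z", "example-c", "UpdateDomainConfig", "example-search", {"AWS": "*"}),
    _event("2024-01-01T13:00:00Z", "example-d", "UpdateDomainConfig", "example-metrics", "*", error="AccessDenied"),
]
```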