Elasticsearch domains should have internal user database enabled¶
Ensure Elasticsearch domains have internal user database enabled. This control is non-compliant if a domain's internal user database is not enabled.
How to fix¶
Attribute advanced_security_options[0].internal_user_database_enabled of aws_elasticsearch_domain must be true.
Implementation options¶
Choose the option that matches how you manage Terraform. All options satisfy this control.
Option 1: Terraform AWS provider resources¶
If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_elasticsearch_domain.
resource "aws_elasticsearch_domain" "this" {
cognito_options {
enabled = true
identity_pool_id = "us-east-1:12345678-1234-1234-1234-123456789012"
role_arn = "arn:aws:iam::123456789012:role/CognitoAccessForAmazonES"
user_pool_id = "us-east-1_Example"
}
domain_name = "pofix-example"
log_publishing_options {
cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/elasticsearch/domains/example"
log_type = "AUDIT_LOGS"
}
vpc_options {
subnet_ids = ["subnet-12345abc"]
}
advanced_security_options {
enabled = true
internal_user_database_enabled = true
master_user_options {
master_user_name = "admin"
master_user_password = "ChangeMe123!"
}
}
}
Which option should I choose?
- Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
- Open source module (
terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready. - Terraform AWS provider resources: manage Terraform resources directly.
Tool mappings¶
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf (CTF) Control:
es_domain_internal_user_database_enabledPowerpipe Control:
aws_compliance.control.es_domain_internal_user_database_enabled