Skip to content

OpenSearch domains internal user database should be disabled

Ensure that AWS OpenSearch domain has internal user database disabled. This control is non-compliant if the OpenSearch domain internal user database is enabled.

How to fix

Attribute advanced_security_options[0].internal_user_database_enabled of aws_opensearch_domain must be false.

Implementation options

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Open source module (terraform-aws-modules)

If you use terraform-aws-modules/opensearch/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "opensearch" {
  source  = "terraform-aws-modules/opensearch/aws"
  version = ">=2.0.0,<3.0.0"

  cluster_config = {
    instance_count = 1
    instance_type  = "t3.small.search"
  }
  domain_name = "abc123"
  ebs_options = {
    ebs_enabled = true
    volume_size = 64
    volume_type = "gp3"
  }
  engine_version = "OpenSearch_2.11"

  advanced_security_options = {
    internal_user_database_enabled = false
  }
}

Option 2: Terraform AWS provider resources

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_opensearch_domain.

resource "aws_opensearch_domain" "this" {
  cluster_config {
    instance_count         = 3
    instance_type          = "m5.large.search"
    zone_awareness_enabled = true
  }

  cognito_options {
    enabled          = true
    identity_pool_id = "us-east-1:12345678-1234-1234-1234-123456789012"
    role_arn         = "arn:aws:iam::123456789012:role/CognitoAccessForAmazonOpenSearch"
    user_pool_id     = "us-east-1_Example"
  }

  domain_name = "pofix-example"

  log_publishing_options {
    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789012:log-group:example-log-group"
    log_type                 = "AUDIT_LOGS"
  }
  log_publishing_options {
    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789012:log-group:example-log-group"
    log_type                 = "ES_APPLICATION_LOGS"
  }

  vpc_options {
    security_group_ids = ["sg-abc12345"]
    subnet_ids         = [element(["subnet-abc123", "subnet-def456"], 0)]
  }

  advanced_security_options {
    enabled                        = true
    internal_user_database_enabled = false

    master_user_options {
      master_user_name     = "admin"
      master_user_password = "ChangeMe123!"
    }
  }
}
Which option should I choose?
  • Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
  • Open source module (terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready.
  • Terraform AWS provider resources: manage Terraform resources directly.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf (CTF) Control: opensearch_domain_internal_user_database_disabled

  • Powerpipe Control: aws_compliance.control.opensearch_domain_internal_user_database_disabled