Add Fine-Grained Access Control support for OpenSearch domain #615

@rni34

Description

The AWS Workload Discovery solution currently deploys an OpenSearch domain without fine-grained access control enabled. This causes the domain to be flagged in AWS Trusted Advisor security checks.

Current Security Implementation

The OpenSearch domain currently has:

  • ✅ Encryption at rest
  • ✅ Node-to-node encryption
  • ✅ HTTPS enforcement
  • ✅ VPC deployment with security groups
  • ✅ IAM-based access policies
  • ❌ Fine-grained access control (missing)

Request

Add support for enabling fine-grained access control on the OpenSearch domain to meet security compliance requirements while maintaining the solution's functionality.

Implementation Considerations

  • Lambda functions currently authenticate via IAM roles
  • Would require Secrets Manager integration for master user credentials
  • Need to ensure backward compatibility with existing deployments
  • Should be configurable via CloudFormation parameter

Reference

Template: source/cfn/templates/opensearch.template

Use Case

Enterprise customers with strict security compliance requirements need fine-grained access control enabled to pass security audits and Trusted Advisor checks.
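As an added illustration of the request above (this is not the project's `opensearch.template` and not the issue author's code), the following CloudFormation fragment shows how the `AdvancedSecurityOptions` block of an `AWS::OpenSearchService::Domain` can be gated behind a template parameter, with the master user credentials generated in Secrets Manager and pulled in through a dynamic reference, as the issue's "Implementation Considerations" describe. The parameter names (`EnableFineGrainedAccessControl`, `LambdaRoleArn`, `VpcSubnetId`, `DomainSecurityGroupId`), the resource names, the domain name `workload-discovery-fgac`, the master user name `os-master`, and the sizing values are all assumptions chosen for the example.

```yaml
# Added example, not the project's template. Names and sizes are hypothetical.
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  EnableFineGrainedAccessControl:
    Type: String
    Default: "false"            # default keeps existing deployments unchanged
    AllowedValues: ["true", "false"]
    Description: Enable fine-grained access control (FGAC) on the OpenSearch domain.
  LambdaRoleArn:
    Type: String
    Description: ARN of the IAM role the solution's Lambda functions assume (hypothetical parameter).
  VpcSubnetId:
    Type: AWS::EC2::Subnet::Id
  DomainSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id

Conditions:
  FgacEnabled: !Equals [!Ref EnableFineGrainedAccessControl, "true"]

Resources:
  # Master user credentials live only in Secrets Manager and exist only when FGAC is on.
  MasterUserSecret:
    Type: AWS::SecretsManager::Secret
    Condition: FgacEnabled
    Properties:
      Description: OpenSearch FGAC master user credentials
      GenerateSecretString:
        SecretStringTemplate: '{"username": "os-master"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: workload-discovery-fgac        # hypothetical
      EngineVersion: OpenSearch_2.11
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: 1
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp3
        VolumeSize: 10
      VPCOptions:
        SubnetIds: [!Ref VpcSubnetId]
        SecurityGroupIds: [!Ref DomainSecurityGroupId]
      # FGAC prerequisites: encryption at rest, node-to-node encryption and HTTPS
      # must all be enabled, otherwise enabling AdvancedSecurityOptions fails.
      EncryptionAtRestOptions:
        Enabled: true
      NodeToNodeEncryptionOptions:
        Enabled: true
      DomainEndpointOptions:
        EnforceHTTPS: true
        TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
      # Whole block is omitted (AWS::NoValue) when the parameter is "false".
      AdvancedSecurityOptions: !If
        - FgacEnabled
        - Enabled: true
          InternalUserDatabaseEnabled: true
          MasterUserOptions:
            MasterUserName: !Sub "{{resolve:secretsmanager:${MasterUserSecret}:SecretString:username}}"
            MasterUserPassword: !Sub "{{resolve:secretsmanager:${MasterUserSecret}:SecretString:password}}"
        - !Ref AWS::NoValue
      # Domain access policy stays IAM-based and scoped to the Lambda role only.
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref LambdaRoleArn
            Action: es:ESHttp*
            Resource: !Sub arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/workload-discovery-fgac/*

Outputs:
  DomainEndpoint:
    Value: !GetAtt OpenSearchDomain.DomainEndpoint
  MasterUserSecretArn:
    Condition: FgacEnabled
    Value: !Ref MasterUserSecret
```

Two points to check when wiring this into the real template. First, once fine-grained access control is enabled on a domain it cannot be disabled again, so the "backward compatibility" consideration is really about the upgrade path of existing stacks, not about toggling the parameter back. Second, with FGAC on, the domain access policy alone is no longer sufficient: the Lambda role ARN must also be mapped to a security-plugin role (for example `all_access` or a narrower custom role) inside OpenSearch, which is done with the master user after the domain is created; until that mapping exists the Lambda requests are rejected even though IAM allows them. An alternative to the internal user database is `MasterUserARN` pointing at an IAM role, which avoids Secrets Manager entirely, though it does not match the approach the issue proposes.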


Labels

enhancement (New feature or request)
