Question 1

Is advanced_security_options enforced for PCI DSS v4.0?

Accepted Answer

Yes, This control checks whether OpenSearch domains have fine-grained access control enabled. The control fails if the fine-grained access control is not enabled. Fine-grained access control requires advanced-security-optionsin the OpenSearch parameter update-domain-config to be enabled.

Question 2

Is domain_endpoint_options enforced for PCI DSS v4.0?

Accepted Answer

Yes, This control checks whether connections to OpenSearch domains are using HTTPS. The rule is non-compliant if the OpenSearch domain 'EnforceHTTPS' is not 'true' or is 'true' and 'TLSSecurityPolicy' is not in 'tlsPolicies'.

Question 3

Is encrypt_at_rest enforced for PCI DSS v4.0?

Accepted Answer

Yes, This control checks whether AWS OpenSearch domains have encryption-at-rest configuration enabled. The check fails if encryption at rest is not enabled.

Question 4

Is log_publishing_options enforced for PCI DSS v4.0?

Accepted Answer

Yes, This control checks whether OpenSearch service domains have audit logging enabled. The rule is non-compliant if an OpenSearch service domain does not have audit logging enabled.

Question 5

Is node_to_node_encryption enforced for PCI DSS v4.0?

Accepted Answer

Yes, This control checks if AWS OpenSearch Service nodes are encrypted end to end. The rule is non-compliant if the node-to-node encryption is not enabled on the domain.

Question 6

Is vpc_options enforced for PCI DSS v4.0?

Accepted Answer

Yes, This control checks whether AWS OpenSearch domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access.

AWS OpenSearch Terraform module

Terraform Module Source