AWS Security Hub · Opensearch
Opensearch.2: An OpenSearch domain is reachable from the public internet
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Opensearch.2 check?
Opensearch.2 fails when a domain has a public endpoint instead of being placed inside a VPC. The control reads the domain's VPCOptions: a domain whose DomainStatus has no VPC configuration is reachable from the public internet and reports FAILED. The control does not evaluate the VPC's subnet routing or the domain access policy; VPC placement alone decides the result.
Why does Opensearch.2 matter?
A public OpenSearch endpoint sits one weak access policy away from exposing every index it holds, and those indexes routinely contain logs, support transcripts, or PII that nobody intended to publish. Internet reachability also widens the attack surface to credential stuffing and unauthenticated-access bugs in the engine or its plugins. Keeping the domain in a VPC means an attacker needs network presence before they can even attempt anything. The VPC removes the internet route; the domain's access policy and security group still decide who inside the network can reach it, so both need to stay tight.
How do I fix Opensearch.2?
- Inventory public domains: describe each domain and flag any whose DomainStatus has no VPCOptions.
- Stand up a replacement domain inside private subnets, because network mode is fixed at creation and cannot be changed in place.
- Register a manual snapshot repository (an S3 bucket plus a role the service can assume) on the public domain, take a snapshot, register the same repository on the VPC domain and restore into it. Repoint clients, which now need a route into the VPC (same VPC, peering, VPN or Direct Connect), then delete the public domain.
- Add the managed Config rule opensearch-in-vpc-only and an SCP so a public domain can never be created again without being flagged or blocked.
Remediation script · bash
# Shared VPC-isolation script from the lesson linked below; it covers RDS, EC2 and Redshift.
# OpenSearch network mode cannot be changed in place, so for Opensearch.2 follow the migration steps above.
# Move the highest-impact case first: an RDS instance in a public subnet group.
aws rds create-db-subnet-group \
  --db-subnet-group-name prod-db-subnets-private \
  --db-subnet-group-description "Private subnets only - no IGW route" \
  --subnet-ids subnet-0aa11bb22cc33dd44 subnet-0ee55ff66aa77bb88
aws rds modify-db-instance \
  --db-instance-identifier prod-payments-db \
  --db-subnet-group-name prod-db-subnets-private \
  --apply-immediately
# Provide a private path before moving compute, so it can still reach AWS services.
# Use a free S3 gateway endpoint, or a narrow interface endpoint, rather than a NAT gateway.
aws ec2 create-vpc-endpoint --vpc-id vpc-0a1b2c3d \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ssm \
  --subnet-ids subnet-0aa11 subnet-0bb22 \
  --security-group-ids sg-0ccfn33 --private-dns-enabled
# Force Redshift bulk traffic through the VPC (confirm an S3 gateway endpoint exists first).
aws redshift modify-cluster \
  --cluster-identifier analytics-prod --enhanced-vpc-routing
Full walkthrough (console steps, edge cases and verification) in the lesson Move resources into private networks (VPC isolation).
Is Opensearch.2 a false positive?
Teams expect to toggle the network mode like the encryption settings, but unlike most other OpenSearch controls this one has no in-place fix: a public domain stays FAILED until it is migrated to a fresh VPC domain. Two cases look like false positives but are not. A public domain whose access policy is locked down to a few source IPs or roles still fails, because the control only checks VPC placement, not the policy. Conversely, a VPC domain passes even when its access policy allows every principal, so a PASSED result is not evidence that the domain is properly restricted.
More Opensearch controls
- Opensearch.1 OpenSearch domains should encrypt at rest
- Opensearch.3 OpenSearch domains should encrypt node-to-node traffic
- Opensearch.4 OpenSearch error logging to CloudWatch Logs should be enabled
- Opensearch.5 OpenSearch domains should have audit logging enabled
- Opensearch.6 OpenSearch domains should have at least three data nodes
- Opensearch.7 OpenSearch domains should have fine-grained access control enabled
- Opensearch.8 OpenSearch domains should use the latest TLS security policy
- Opensearch.10 OpenSearch domains should have the latest software update installed