Description
Summary
The opensearch_service_domains_not_publicly_accessible check incorrectly reports domains as publicly accessible when their resource-based policy has Principal: "*" but also includes a restrictive Condition element that limits access to specific IP addresses (not private IPs).
Steps to Reproduce
- Create an OpenSearch domain with the following resource-based policy (the IP in the condition should not be a private IP):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "es:*",
      "Resource": "XXX",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "XXX.XXX.XXX.XXX"
        }
      }
    }
  ]
}
```
- Run Prowler:

```shell
prowler aws -c opensearch_service_domains_not_publicly_accessible
```

- Observe that the check fails with: "Opensearch domain {domain.name} policy allows access (Principal: '*')"
Root Cause Analysis
There is existing logic in prowler/providers/aws/services/iam/lib/policy.py#L384, in a function called is_condition_restricting_from_private_ip, but this function only checks for private IP addresses. It does not recognize that a condition limiting access to specific public IP addresses should also be considered restrictive.
Proposed Solution
Extend the existing condition checking logic to recognize that specific public IP addresses (not just private IPs) also constitute access restrictions - I can create it as a new method for policy if needed
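The following is an added illustration of the proposed logic, not Prowler's own code: a hypothetical helper that treats any aws:SourceIp condition narrower than the whole address space (private or public) as restrictive, while still flagging a catch-all CIDR such as 0.0.0.0/0 as public. The sample statements and the 203.0.113.7 address are constructed for the example.

```python
import ipaddress

# Constructed sample statements (placeholder resource ARN, documentation-range IP).
STMT_SPECIFIC_IP = {
    "Effect": "Allow", "Principal": "*", "Action": "es:*", "Resource": "<domain-arn>",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.7"}},
}
STMT_NO_CONDITION = {
    "Effect": "Allow", "Principal": "*", "Action": "es:*", "Resource": "<domain-arn>",
}
STMT_OPEN_CIDR = {
    "Effect": "Allow", "Principal": "*", "Action": "es:*", "Resource": "<domain-arn>",
    "Condition": {"IpAddress": {"aws:SourceIp": ["0.0.0.0/0"]}},
}

def _source_ip_values(condition: dict) -> list:
    """Collect every aws:SourceIp value under an IpAddress-style operator (keys are case-insensitive)."""
    values = []
    for operator, pairs in condition.items():
        if operator.lower() not in ("ipaddress", "forallvalues:ipaddress", "foranyvalue:ipaddress"):
            continue
        for key, val in pairs.items():
            if key.lower() == "aws:sourceip":
                values.extend(val if isinstance(val, list) else [val])
    return values

def is_condition_restricting_by_source_ip(condition: dict) -> bool:
    """True when the condition limits callers to one or more specific IPs/CIDRs.

    Unlike a private-IP-only check, any valid address or prefix counts, but a
    /0 prefix (0.0.0.0/0 or ::/0) covers everyone and is not restrictive.
    """
    values = _source_ip_values(condition)
    if not values:
        return False
    for value in values:
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False  # malformed value: do not credit it as a restriction
        if network.prefixlen == 0:
            return False
    return True

def statement_allows_public_access(statement: dict) -> bool:
    """Allow + wildcard principal with no effective source-IP restriction = public."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    return wildcard and not is_condition_restricting_by_source_ip(statement.get("Condition", {}))
```

With this logic the reported policy (wildcard principal, single public aws:SourceIp) is treated as not publicly accessible, while a policy without a condition or with a /0 CIDR still fails.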
Expected behavior
The check should PASS because the policy contains a condition (aws:SourceIp) that restricts access to a specific IP address, making the domain not publicly accessible despite having Principal: "*".
Actual Result with Screenshots or Logs
The check FAILS and incorrectly reports the domain as publicly accessible.
How did you install Prowler?
Cloning the repository from github.com (git clone)
Environment Resource
- Opensearch
OS used
- MacOS
Prowler version
prowler 5 latest
Pip version
n/a
Context
No response