
Elasticsearch Unknown Cross Account Access



Risk level: High (not acceptable risk)

Ensure that all your Amazon Elasticsearch Service (ES) domains (clusters) are configured to allow access only to trusted AWS users and accounts, in order to protect against unauthorized cross account access. Before the Cloud Conformity engine runs this rule, you need to provide the friendly account identifiers as a comma-separated list of valid AWS account IDs (e.g. 123456789012), AWS account ARNs (e.g. arn:aws:iam::123456789012:root) or IAM user ARNs (e.g. arn:aws:iam::123456789012:user/elasticsearch-manager).

This rule resolution is part of the Cloud Conformity Security Package

Allowing cross account access from untrusted AWS entities to your ES domains lets those entities perform actions such as uploading, downloading and deleting documents without your permission. To prevent data leaks and data loss, restrict access to the trusted entities only by implementing the appropriate domain access policies.

Audit

To determine if there are any AWS ES domains (clusters) that allow unknown cross account access, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elasticsearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Click on the ES domain that you want to examine.

04 On the selected domain description page, click the Modify access policy button from the dashboard top menu to access the domain policy.

05 On the Modify the access policy for <DOMAIN NAME> page, in the Add or edit the access policy section, identify the AWS account ID/ARN (e.g. arn:aws:iam::123456789012:root) or IAM user ARN (e.g. arn:aws:iam::123456789012:user/elasticsearch-manager) defined as value(s) for the access policy Principal element.

06 Sign in to your Cloud Conformity console, access the Elasticsearch Cross Account Access conformity rule settings and compare the identifier(s) found at the previous step (ID(s)/ARN(s)) against each identifier listed in the rule configuration section. If an identifier found within the access policy does not match any of the trusted entities listed on your Cloud Conformity console, the cross account access to the selected ES domain (cluster) is not secured.

07 Repeat steps no. 3 - 6 to verify the access policy of other Elasticsearch domains available in the current region for unknown cross account access entities.

08 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the names of all AWS Elasticsearch (ES) domains currently available in the selected region:

aws es list-domain-names \
	--region us-east-1

02 The command output should return the requested ES domain name(s):

{
    "DomainNames": [
        {
            "DomainName": "cloudconformity-es-cluster"
        },
        {
            "DomainName": "cloudconformity-analytics-cluster"
        }
    ]
}

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the ES domain name returned at the previous step and a custom query filter to return the access policy used by the selected domain. AccessPolicies is stored as a JSON string, so --output text prints the policy document itself rather than an escaped string (pipe it to a JSON formatter such as python -m json.tool if you want it indented):

aws es describe-elasticsearch-domain \
	--domain-name cloudconformity-es-cluster \
	--region us-east-1 \
	--query 'DomainStatus.AccessPolicies' \
	--output text

04 The command output should return the ES domain policy document in JSON format:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::422456789134:root"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/cloudconformity-es-cluster/*"
    }
  ]
}

05 Identify the AWS account ID/ARN or IAM user ARN defined as value(s) for the Principal element listed in the access policy returned at the previous step. Only Allow statements grant access; a wildcard Principal ("*") grants access to every AWS account and to anonymous callers, so it can never be matched to a trusted entity and must be treated as unknown access as well.

06 Sign in to your Cloud Conformity console, open the Elasticsearch Cross Account Access conformity rule settings and compare the identifier(s) identified at the previous step (ID(s)/ARN(s)) against each identifier listed within the rule configuration section. If an identifier found within the access policy does not match any of the trusted entities listed on your Cloud Conformity console, the cross account access to the selected ES cluster is not secured.

07 Repeat steps no. 3 - 6 to verify the access policy of other Elasticsearch domains available in the current region for unknown cross account access entities.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.

Remediation / Resolution

To update your Amazon Elasticsearch domain access policies so that cross account access is allowed only from trusted entities, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elasticsearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Click on the ES domain that you want to reconfigure (see Audit section part I to identify the right resource).

04 On the selected domain description page, click the Modify access policy button from the dashboard top menu to access the domain policy.

05 On the Modify the access policy for <DOMAIN NAME> page, in the Add or edit the access policy section, replace the existing (untrusted) AWS identifier(s) defined as the Principal element value(s) with the trusted one(s), available on Cloud Conformity console.

06 In the Change your access policy? dialog box, click OK to update the policy.

07 Click Submit to apply the access policy changes.

08 In the Change your access policy dialog box, click OK to confirm the action. The Elasticsearch domain status should change from Active to Processing. The status should return to Active before your modified access policy takes effect.

09 Repeat steps no. 3 - 8 to update the access policy for other AWS ES domains available in the current region in order to block requests from unauthorized cross account entities.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, edit your Elasticsearch domain access policy, replace the untrusted AWS identifier(s) with the trusted one(s) and save the policy in a JSON document (e.g. elasticsearch-cross-account-access-policy.json). You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your custom access policies. The following example contains an ES policy document that allows access to another (friendly) AWS account identified by the ARN arn:aws:iam::516392538123:root. Note that es:* grants that account every Elasticsearch configuration and HTTP action on the domain; if the friendly account only needs to query the data, narrow the Action list (for example to es:ESHttpGet and es:ESHttpPost) rather than granting es:*:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::516392538123:root"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/cloudconformity-es-cluster/*"
    }
  ]
}

02 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Elasticsearch domain that you want to reconfigure (see Audit section part II to identify the right ES resource) to replace the existing access policy with the one defined at the previous step (i.e. elasticsearch-cross-account-access-policy.json):

aws es update-elasticsearch-domain-config \
	--domain-name cloudconformity-es-cluster \
	--region us-east-1 \
	--access-policies file://elasticsearch-cross-account-access-policy.json

03 The command output should return the configuration metadata for the modified Elasticsearch domain, including the new access policy under AccessPolicies (its Status State shows Processing until the change has been applied to the domain):

{
    "DomainConfig": {
        "ElasticsearchClusterConfig": {
            "Status": {
                "PendingDeletion": false,
                "State": "Active",
                "CreationDate": 1480672766.759,
                "UpdateVersion": 9,
                "UpdateDate": 1480673355.278
            },
            "Options": { ... }
        },
        "ElasticsearchVersion": {
            "Status": {
                "PendingDeletion": false,
                "State": "Active",
                "CreationDate": 1480672766.759,
                "UpdateVersion": 9,
                "UpdateDate": 1480673355.278
            },
            "Options": "2.3"
        },
        ...
        "AdvancedOptions": {
            "Status": {
                "PendingDeletion": false,
                "State": "Active",
                "CreationDate": 1480672421.759,
                "UpdateVersion": 6,
                "UpdateDate": 1480673355.278
            },
            "Options": { ... }
        },
        "AccessPolicies": {
            "Status": {
                "PendingDeletion": false,
                "State": "Processing",
                "CreationDate": 1480672421.759,
                "UpdateVersion": 13,
                "UpdateDate": 1480681479.781
            },
            "Options": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::516392538123:root\"]},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/cloudconformity-es-cluster/*\"}]}"
        }
    }
}

04 Repeat steps no. 1 - 3 to update the access policies for other AWS ES domains available in the current region in order to block requests from unauthorized cross account entities.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 4 to perform the entire process for other regions.
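The comparison in audit steps no. 3 - 6 and the policy clean-up in remediation step no. 1 can be scripted against the string that describe-elasticsearch-domain returns. The helper below is an added example written for this page; it is not Cloud Conformity's engine or any AWS tooling. The sample policy, the trusted list, the script name audit_es_policy.py and the decision to treat an account ID or :root ARN as trusting every IAM principal of that account are all assumptions of the example, not a description of how the conformity rule itself matches identifiers.

```python
"""Check an Amazon ES domain access policy for principals that are not on the
trusted list (CLI audit steps 3-6) and build the cleaned policy document that
remediation step 1 asks for.  Added example, not Cloud Conformity's own code;
the sample policy and trusted list below are constructed."""
import json
import re
import sys

# arn:aws:iam::123456789012:root or arn:aws:iam::123456789012:user/name
# (also matches the aws-cn and aws-us-gov partitions)
ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):(.+)$")
ACCOUNT_RE = re.compile(r"^\d{12}$")


def parse_trusted(spec):
    """Parse the comma-separated list the rule accepts (account IDs, account
    root ARNs, IAM user ARNs) into (trusted_accounts, trusted_arns).
    Assumption made here: an account ID or :root ARN trusts every IAM
    principal of that account; any other ARN is trusted only as an exact match."""
    accounts, arns = set(), set()
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if ACCOUNT_RE.match(item):
            accounts.add(item)
            continue
        m = ARN_RE.match(item)
        if m is None:
            raise ValueError("not an AWS account ID or IAM ARN: %r" % item)
        if m.group(2) == "root":
            accounts.add(m.group(1))
        else:
            arns.add(item)
    return accounts, arns


def statements_of(policy):
    """IAM policy grammar allows Statement to be one object or a list."""
    st = policy.get("Statement", [])
    return [st] if isinstance(st, dict) else st


def principals_of(statement):
    """Flatten the Principal element into a list of strings.  '*' and non-AWS
    principal types (Service, Federated) are kept, prefixed with their type,
    so that they are reported instead of silently ignored."""
    p = statement.get("Principal")
    if p is None:
        return []
    if isinstance(p, str):
        return [p]
    out = []
    for key, value in p.items():
        values = value if isinstance(value, list) else [value]
        out.extend(values if key == "AWS" else ["%s:%s" % (key, v) for v in values])
    return out


def is_trusted(principal, accounts, arns):
    if principal in arns:
        return True
    if ACCOUNT_RE.match(principal):      # bare account ID inside the policy
        return principal in accounts
    m = ARN_RE.match(principal)          # '*', Service:... etc. never match
    return m is not None and m.group(1) in accounts


def untrusted_principals(policy_json, trusted_spec):
    """Principals granted access by Allow statements that are not trusted.
    policy_json is the AccessPolicies string from describe-elasticsearch-domain."""
    accounts, arns = parse_trusted(trusted_spec)
    found = []
    for st in statements_of(json.loads(policy_json)):
        if st.get("Effect") != "Allow":
            continue                     # a Deny statement grants nothing
        for p in principals_of(st):
            if not is_trusted(p, accounts, arns) and p not in found:
                found.append(p)
    return found


def strip_untrusted(policy_json, trusted_spec):
    """Return the policy as a dict with untrusted principals removed from every
    Allow statement.  A statement left with no trusted principal is dropped
    rather than kept with an empty (or wildcard) Principal."""
    accounts, arns = parse_trusted(trusted_spec)
    policy = json.loads(policy_json)
    kept = []
    for st in statements_of(policy):
        if st.get("Effect") != "Allow":
            kept.append(st)
            continue
        trusted = [p for p in principals_of(st) if is_trusted(p, accounts, arns)]
        if trusted:
            kept.append(dict(st, Principal={"AWS": trusted}))
    return dict(policy, Statement=kept)


# Constructed sample: the policy shape the describe command returns, granting
# es:* both to an unknown account and to a user in the domain owner's account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::422456789134:root",
                              "arn:aws:iam::123456789012:user/elasticsearch-manager"]},
        "Action": ["es:*"],
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/cloudconformity-es-cluster/*",
    }],
})
SAMPLE_TRUSTED = "123456789012,arn:aws:iam::516392538123:root"

if __name__ == "__main__":
    # Usage with the page's CLI command (audit_es_policy.py is this file):
    #   aws es describe-elasticsearch-domain --domain-name cloudconformity-es-cluster \
    #       --region us-east-1 --query 'DomainStatus.AccessPolicies' --output text \
    #     | python3 audit_es_policy.py "123456789012,arn:aws:iam::516392538123:root"
    # Without a piped policy the constructed sample is used.
    trusted = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_TRUSTED
    policy = SAMPLE_POLICY if sys.stdin.isatty() else sys.stdin.read()
    bad = untrusted_principals(policy, trusted)
    print("untrusted principals:", ", ".join(bad) if bad else "none")
    if bad:  # cleaned document, ready to save and pass to update-elasticsearch-domain-config
        print(json.dumps(strip_untrusted(policy, trusted), indent=2))
```

Running the script against the sample reports arn:aws:iam::422456789134:root as untrusted and prints a policy that keeps only the owner's IAM user, which can be saved as elasticsearch-cross-account-access-policy.json for remediation step no. 2. Two design choices matter for an auditor: a statement whose principals are all untrusted is dropped rather than left with an empty Principal, and a wildcard or Service/Federated principal is reported instead of being skipped, so the script errs toward flagging access it cannot attribute to a trusted account.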


Publication date Dec 3, 2016