Ensure that your Amazon Elasticsearch (ES) domains (clusters) are accessible only from within an AWS VPC. VPC access gives you finer control over who can reach a cluster, and it keeps all traffic between your VPC and the Elasticsearch domain inside the AWS network instead of sending it over the public Internet.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Amazon ES domains that reside within a VPC have an extra layer of security compared to domains that use public endpoints: reachability is governed by VPC security groups and subnet routing in addition to the domain access policy. Launching an ES domain within a VPC enables secure communication between the domain and other AWS resources without an Internet Gateway, a NAT device or a VPN connection, and all traffic remains within the AWS network.
To determine the access endpoint configuration for your existing Elasticsearch domains, perform the following:
A domain's endpoint type cannot be changed in place. To migrate an Elasticsearch domain from public access to VPC access (recommended), you must take a manual snapshot of the existing domain into an Amazon S3 bucket, launch a new domain inside a Virtual Private Cloud, and restore the snapshot into the new domain. To relaunch and configure your Elasticsearch cluster(s) within an AWS VPC, perform the following actions:
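The audit step and the relaunch step above can be scripted against the output of `aws es describe-elasticsearch-domains` (the same structure that boto3's `describe_elasticsearch_domains` returns). The following is an added example, not code from the Cloud Conformity page or from AWS: it flags domains that have no `VPCOptions` (public endpoints), and builds the `create_elasticsearch_domain` parameters for a replacement domain that copies the old domain's version, sizing and encryption settings but adds VPC placement. The domain names, ARNs, subnet and security group IDs are constructed sample values, and the function names are this example's own.

```python
"""Audit Amazon ES endpoint types and plan a VPC replacement domain.

Added example (not part of the original page). Input is the JSON that
`aws es describe-elasticsearch-domains --domain-names <name>...` prints.
The sample below is constructed, not captured from a real account.
"""
import json

# Constructed sample: one public-endpoint domain and one VPC domain.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DomainStatusList": [
        {
            "DomainName": "logs-public",
            "ARN": "arn:aws:es:us-east-1:123456789012:domain/logs-public",
            "ElasticsearchVersion": "7.10",
            # Public domains expose a single "Endpoint" and carry no VPCOptions.
            "Endpoint": "search-logs-public-abc123.us-east-1.es.amazonaws.com",
            "ElasticsearchClusterConfig": {
                "InstanceType": "t3.small.elasticsearch",
                "InstanceCount": 2,
                "ZoneAwarenessEnabled": False,
            },
            "EBSOptions": {"EBSEnabled": True, "VolumeType": "gp2", "VolumeSize": 10},
            "EncryptionAtRestOptions": {"Enabled": True},
            "NodeToNodeEncryptionOptions": {"Enabled": True},
        },
        {
            "DomainName": "logs-vpc",
            "ARN": "arn:aws:es:us-east-1:123456789012:domain/logs-vpc",
            "ElasticsearchVersion": "7.10",
            # VPC domains expose "Endpoints": {"vpc": ...} and VPCOptions.
            "Endpoints": {"vpc": "vpc-logs-vpc-def456.us-east-1.es.amazonaws.com"},
            "VPCOptions": {
                "VPCId": "vpc-0a1b2c3d4e5f60718",
                "SubnetIds": ["subnet-0123456789abcdef0"],
                "SecurityGroupIds": ["sg-0123456789abcdef0"],
                "AvailabilityZones": ["us-east-1a"],
            },
            "ElasticsearchClusterConfig": {
                "InstanceType": "t3.small.elasticsearch",
                "InstanceCount": 1,
                "ZoneAwarenessEnabled": False,
            },
            "EBSOptions": {"EBSEnabled": True, "VolumeType": "gp2", "VolumeSize": 10},
        },
    ]
})


def is_vpc_domain(status: dict) -> bool:
    """True when the domain was launched inside a VPC (VPCOptions carries a VPCId)."""
    return bool((status.get("VPCOptions") or {}).get("VPCId"))


def domain_status(describe_json: str, name: str) -> dict:
    """Return the DomainStatus entry for one domain name."""
    for status in json.loads(describe_json)["DomainStatusList"]:
        if status["DomainName"] == name:
            return status
    raise KeyError(name)


def public_endpoint_domains(describe_json: str) -> list:
    """Names of domains that fail the check: reachable over a public endpoint."""
    data = json.loads(describe_json)
    return [d["DomainName"] for d in data["DomainStatusList"] if not is_vpc_domain(d)]


def vpc_replacement_params(status: dict, new_name: str,
                           subnet_ids: list, security_group_ids: list) -> dict:
    """Keyword arguments for boto3 es.create_elasticsearch_domain(**params).

    Copies version, cluster sizing, EBS and encryption settings from the old
    domain and adds VPCOptions. Zone-aware clusters need one subnet per AZ,
    so the subnet count is validated against the cluster configuration.
    """
    cluster = status.get("ElasticsearchClusterConfig", {})
    needed = 1
    if cluster.get("ZoneAwarenessEnabled"):
        needed = cluster.get("ZoneAwarenessConfig", {}).get("AvailabilityZoneCount", 2)
    if len(subnet_ids) != needed:
        raise ValueError(f"{new_name}: expected {needed} subnet(s), got {len(subnet_ids)}")
    if not security_group_ids:
        raise ValueError(f"{new_name}: at least one security group is required")
    params = {
        "DomainName": new_name,
        "ElasticsearchVersion": status["ElasticsearchVersion"],
        "ElasticsearchClusterConfig": cluster,
        "VPCOptions": {"SubnetIds": list(subnet_ids),
                       "SecurityGroupIds": list(security_group_ids)},
    }
    # Carry optional settings over only when the old domain had them.
    for key in ("EBSOptions", "EncryptionAtRestOptions", "NodeToNodeEncryptionOptions"):
        if key in status:
            params[key] = status[key]
    return params


if __name__ == "__main__":
    for name in public_endpoint_domains(SAMPLE_DESCRIBE_OUTPUT):
        old = domain_status(SAMPLE_DESCRIBE_OUTPUT, name)
        plan = vpc_replacement_params(old, f"{name}-vpc",
                                      ["subnet-0123456789abcdef0"], ["sg-0123456789abcdef0"])
        print(f"{name}: public endpoint, replacement plan:\n{json.dumps(plan, indent=2)}")
```

After the replacement domain is created, the data still has to move: register a manual snapshot repository backed by an S3 bucket on the old domain, take the snapshot, register the same repository on the new domain and restore from it, then repoint clients to the VPC endpoint and delete the public domain.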