Logo of Trend Micro

Elasticsearch Accessible Only From Safelisted IP Addresses

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: ES-006

Ensure that the access to your Elasticsearch Service (ES) domains is made based on safelisted IP addresses only in order to protect them against unauthorized access. Prior to running this rule by the Cloud Conformity engine, you need to specify the IP addresses that you want to safelist in the rule settings available on the Cloud Conformity console. The IPs must be valid IPv4 addresses (e.g. 54.197.25.93/32), IP address ranges (e.g. 52.71.100.5/24) or CIDR blocks (e.g. 172.31.0.0/16).

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Using ES IP-based access policies will allow only specific IP addresses or IP address ranges to access your Elasticsearch domains endpoints, acting as a firewall that prevents incoming anonymous or unauthorized requests from reaching your ES clusters.

Audit

To determine if your Elasticsearch domains are using IP-based access policies, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elasticsearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Click on the ES domain that you want to examine, e.g.

Click on the ES domain that you want to examine

04 On the selected domain description page, click the Modify access policy button from the dashboard top menu to access the domain policy.

05 Verify if the access policy's Condition element includes one or more unapproved IP addresses.

06 Repeat steps no. 3 - 5 to determine the access policy type for other Elasticsearch domains available in the current region.

07 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the names of all AWS Elasticsearch (ES) domains currently available in the selected region: 

aws es list-domain-names
	--region us-east-1

02 The command output should return the requested ES domain name(s): 

{
    "DomainNames": [
        {
            "DomainName": "cloudconformity-es-cluster"
        },
        {
            "DomainName": "web-analytics-cc-cluster"
        }


    ]
}

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the ES domain name returned at the previous step and custom query filters to describe the access policy used by the selected domain:

aws es describe-elasticsearch-domain
	--domain-name cloudconformity-es-cluster
	--region us-east-1
	--query 'DomainStatus.AccessPolicies'

04 The command output should return the ES domain policy document in JSON format: 

"{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-east-1:123456789012:
                   domain/cloudconformity-es-cluster/*"
    }
  ]
}"

Verify if the access policy's Condition element includes one or more unapproved IP addresses.

05 Repeat steps no. 3 and 4 to determine the access policy type for other Elasticsearch domains available in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To implement an IP-based access policy for your Amazon ElasticSearch domains, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elasticsearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Click on the ES domain that you want to reconfigure (see Audit section part I to identify the right resource).

04 On the selected domain description page, click the Modify access policy button from the dashboard top menu to access the domain policy.

05 On the Modify the access policy for <DOMAIN NAME> page, select Allow access to the domain from specific IP(s) and provide one of the following:

  1. A specific IPv4 address, e.g. A specific IPv4 address to limit the domain access to that IP address only.
  2. A comma-separated list of IPv4 addresses, e.g. A comma-separated list of IPv4 addresses to limit the ES domain access to those IP addresses only.
  3. An IPv4 address range (CIDR block), e.g. An IPv4 address range (CIDR block) to limit the domain access only to the IPs available in the specified range.

06 Click OK to update the policy.

07 Click Submit to apply the access policy changes.

08 In the Change your access policy dialog box, click OK to confirm the action. The Elasticsearch domain status should change from Active to Processing. The status should return to Active before your modified access policy takes effect.

09 Repeat steps no. 3 - 8 to update the policies for other AWS ES domains available in the current region in order to implement IP-based access.

10 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, define the necessary access policy for your Elasticsearch domain(s) and save it in a JSON document (e.g. elasticsearch-ip-based-access-policy.json). The following example contains an access policy document that allows access only to a specific IP address, i.e. 52.47.160.25, using the Condition element: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "52.47.160.25/32"
          ]
        }
      },
      "Resource": "arn:aws:es:us-east-1:123456789012:
                   domain/cloudconformity-es-cluster/*"
    }
  ]
}

02 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Elasticsearch domain that you want to reconfigure (see Audit section part II to identify the right ES resource) to replace the existing access policy with the one defined at the previous step (i.e. elasticsearch-ip-based-access-policy.json): 

aws es update-elasticsearch-domain-config
	--domain-name cloudconformity-es-cluster
	--region us-east-1
	--access-policies file:// elasticsearch-ip-based-access-policy.json

03 The command output should return the configuration metadata for the modified Elasticsearch domain (including the new IP-based access policy - highlighted): 

{
    "DomainConfig": {
        "ElasticsearchClusterConfig": {
            "Status": {
                "PendingDeletion": false,
                "State": "Active",
                "CreationDate": 1480672766.759,
                "UpdateVersion": 6,
                "UpdateDate": 1480673260.278
            },
            "Options": { ... }
        },
        "ElasticsearchVersion": {
            "Status": {
                "PendingDeletion": false,
                "State": "Active",
                "CreationDate": 1480672766.759,
                "UpdateVersion": 6,
                "UpdateDate": 1480673260.278
            },
            "Options": "2.3"
        },


        ...


        "AdvancedOptions": {
            "Status": {
                "PendingDeletion": false,
                "State": "Active",
                "CreationDate": 1480672766.759,
                "UpdateVersion": 6,
                "UpdateDate": 1480673260.278
            },
            "Options": { ... }
        },
        "AccessPolicies": {
            "Status": {
                "PendingDeletion": false,
                "State": "Processing",
                "CreationDate": 1480672766.759,
                "UpdateVersion": 13,
                "UpdateDate": 1480681103.781
            },
            "Options": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/cloudconformity-es-cluster/*\",\"Condition\":{\"IpAddress\":{\"aws:SourceIp\":\"52.47.160.25/32\"}}}]}"
        }
    }
}

04 Repeat steps no. 1 - 3 to update the policies for other Amazon Elasticsearch domains available in the current region in order to implement IP-based access.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 4 to perform the entire process for other regions.

References

Publication date Dec 3, 2017

Related Elasticsearch rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Elasticsearch Accessible Only From Safelisted IP Addresses

Risk level: High