Ensure that access to your Elasticsearch Service (ES) domains is allowed only from safelisted IP addresses, in order to protect them against unauthorized access. Before the Cloud Conformity engine runs this rule, you need to specify the IP addresses that you want to safelist in the rule settings available on the Cloud Conformity console. The IPs must be valid IPv4 addresses (e.g. 54.197.25.93/32), IP address ranges (e.g. 52.71.100.5/24) or CIDR blocks (e.g. 172.31.0.0/16).
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Using ES IP-based access policies allows only specific IP addresses or IP address ranges to access your Elasticsearch domain endpoints, acting as a firewall that prevents incoming anonymous or unauthorized requests from reaching your ES clusters.
Audit
To determine if your Elasticsearch domains are using IP-based access policies, perform the following:
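One way to run this check offline against a domain's access policy document, as an added example (not Cloud Conformity's rule logic and not code from this page): it flags every `Allow` statement open to any principal whose `aws:SourceIp` condition is missing or reaches outside the safelist. The safelist, the policy, the account ID, the domain name and the function names are constructed for illustration, and statements that name specific IAM principals are assumed to be out of scope.

```python
import ipaddress
import json

# Constructed sample data: safelist in the rule-settings formats, and an
# access policy whose account ID and domain name are placeholders.
SAFELIST = ["54.197.25.93/32", "172.31.0.0/16"]
ARN = "arn:aws:es:us-east-1:123456789012:domain/example-domain/*"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "office", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "es:*", "Resource": ARN, "Condition": {"IpAddress": {
         "aws:SourceIp": ["54.197.25.93/32", "172.31.4.0/24"]}}},
    {"Sid": "open", "Effect": "Allow", "Principal": "*", "Action": "es:*", "Resource": ARN},
    {"Sid": "wide", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "es:*", "Resource": ARN,
     "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}},
]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    """True when the statement applies to any caller ("*" or {"AWS": "*"})."""
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in as_list(values)

def source_ips(statement):
    """aws:SourceIp values from the statement's IpAddress conditions."""
    ips = []
    for operator, block in statement.get("Condition", {}).items():
        for key, value in block.items():
            if (operator.lower(), key.lower()) == ("ipaddress", "aws:sourceip"):
                ips.extend(as_list(value))
    return ips

def audit_policy(policy_json, safelist):
    """Return (sid, reason) for each anonymous Allow not bound to the safelist."""
    # strict=False accepts entries with host bits set, such as 52.71.100.5/24.
    allowed = [ipaddress.ip_network(c, strict=False) for c in safelist]
    findings = []
    for i, st in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal")):
            continue  # assumption: statements naming IAM principals are out of scope
        sid, ips = st.get("Sid", f"statement[{i}]"), source_ips(st)
        if not ips:
            findings.append((sid, "no aws:SourceIp condition"))
        for ip in ips:
            net = ipaddress.ip_network(ip, strict=False)
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append((sid, f"{ip} is outside the safelist"))
    return findings
```

The policy string to feed in is the `AccessPolicies` value under `DomainStatus` in the output of `aws es describe-elasticsearch-domain`.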
Remediation / Resolution
To implement an IP-based access policy for your Amazon Elasticsearch domains, perform the following:
You are auditing:
Elasticsearch Accessible Only From Safelisted IP Addresses
Risk level: High