Ensure that all your Amazon Elasticsearch Service (ES) clusters are configured to allow access only to trusted AWS users and accounts, in order to protect against unauthorized cross-account access. Before the Cloud Conformity engine runs this rule, you need to provide the trusted identifiers as a comma-separated list of valid AWS account IDs (e.g. 123456789012), AWS account ARNs (e.g. arn:aws:iam::123456789012:root) or IAM user ARNs (e.g. arn:aws:iam::123456789012:user/elasticsearch-manager). Any principal in a domain's access policy that does not match one of these entries is treated as untrusted.
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing untrusted cross-account access to your AWS ES clusters can lead to unauthorized actions such as uploading, downloading and deleting indexed documents without permission. The domain's resource-based access policy is the control that decides which AWS principals can reach the cluster; an Allow statement with a wildcard principal or an unknown account ID grants that access regardless of how tightly IAM is configured in your own account. To prevent data leaks and data loss, restrict access only to the trusted entities by implementing the appropriate access policies.
To determine if there are any AWS ES domains (clusters) that allow unknown cross account access, perform the following:
To update your Amazon Elasticsearch cluster permissions in order to allow cross-account access only from trusted entities, perform the following:
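The audit and remediation described above, as an added example that is not Cloud Conformity's own code or part of its engine: the script takes a domain access policy (the JSON string that `aws es describe-elasticsearch-domain` returns in `DomainStatus.AccessPolicies`), lists every principal granted access by an Allow statement that is neither the domain's own account nor on the trusted list, and builds a replacement policy that grants access only to the trusted identifiers. The account IDs, domain ARN and both policies are constructed samples, and the domain owner's account is assumed to be implicitly trusted because same-account access is not cross-account access.

```python
"""Added example (not Cloud Conformity's code): audit an Amazon ES domain access
policy for cross-account principals outside a trusted list, then build a policy
that only grants access to the trusted entities.  All identifiers are samples."""
import json
import re

# Assumed inputs: the account owning the domain, the domain ARN, and the trusted
# identifiers in the three forms the rule accepts (sample values).
OWN_ACCOUNT = "123456789012"
DOMAIN_ARN = "arn:aws:es:us-east-1:123456789012:domain/example-domain"
TRUSTED = [
    "123456789012",                                          # account ID
    "arn:aws:iam::111111111111:root",                        # account ARN
    "arn:aws:iam::222222222222:user/elasticsearch-manager",  # IAM user ARN
]

# Constructed sample of a policy this rule should flag: anonymous access plus
# an account that is not on the trusted list.  The Deny statement is harmless.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "es:*", "Resource": DOMAIN_ARN + "/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999999999999:root",
                               "arn:aws:iam::222222222222:user/elasticsearch-manager"]},
         "Action": "es:ESHttp*", "Resource": DOMAIN_ARN + "/*"},
        {"Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
         "Action": "es:*", "Resource": DOMAIN_ARN + "/*"},
    ],
})

_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def account_of(principal):
    """Account ID for a bare 12-digit ID or an IAM ARN; None for '*' or anything else."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = _ARN_ACCOUNT.match(principal)
    return m.group(1) if m else None


def is_trusted(principal, trusted, own_account):
    """'*' is never trusted.  A principal is trusted when it is listed exactly,
    belongs to the domain owner, or belongs to an account listed by ID or root ARN."""
    if principal == "*":
        return False
    if principal in trusted:
        return True
    acct = account_of(principal)
    if acct is None:
        return False
    if acct == own_account:
        return True
    return acct in trusted or f"arn:aws:iam::{acct}:root" in trusted


def allow_principals(policy_json):
    """Yield every AWS principal named in an Allow statement of the access policy."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        p = stmt.get("Principal")
        if p == "*":
            yield "*"
        elif isinstance(p, dict):
            aws = p.get("AWS", [])
            for entry in ([aws] if isinstance(aws, str) else aws):
                yield entry


def untrusted_principals(policy_json, trusted=TRUSTED, own_account=OWN_ACCOUNT):
    """Sorted list of principals granted access that are neither the owner nor trusted."""
    return sorted(p for p in set(allow_principals(policy_json))
                  if not is_trusted(p, trusted, own_account))


def hardened_policy(domain_arn, trusted):
    """Replacement policy: access only for the trusted entities (bare IDs become root ARNs)."""
    arns = [f"arn:aws:iam::{t}:root" if re.fullmatch(r"\d{12}", t) else t for t in trusted]
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": arns},
                       "Action": "es:*", "Resource": domain_arn + "/*"}],
    }, indent=2)


if __name__ == "__main__":
    print("untrusted principals:", untrusted_principals(WEAK_POLICY))
    print(hardened_policy(DOMAIN_ARN, TRUSTED))
```

To run this against a real domain, feed it the output of `aws es describe-elasticsearch-domain --domain-name NAME --query 'DomainStatus.AccessPolicies' --output text`, and apply the generated policy with `aws es update-elasticsearch-domain-config --domain-name NAME --access-policies file://policy.json`. The check deliberately ignores `Condition` blocks: a `"*"` principal narrowed by `aws:SourceIp` is still reported, because this rule trusts accounts, not IP ranges. Also note that a trusted IAM user ARN only trusts that user, whereas a trusted account ID or root ARN trusts every principal in that account.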