Identify any publicly accessible Amazon Elasticsearch Service (ES) domains and update their access policies so that unsigned (anonymous) requests to these clusters are rejected.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing anonymous access to your ES domains is not recommended and is considered bad practice: an access policy that grants Allow to the wildcard principal (`"Principal": "*"` or `{"AWS": "*"}`) without a Condition lets anyone who can reach the domain endpoint read and write its indices without signing the request. To protect your domains against unauthorized access, Amazon Elasticsearch Service provides preconfigured access policy templates (resource-based, IP-based and IAM user/role-based) that you can customize as needed, as well as the ability to import an access policy from another ES domain.
Audit
To determine whether your Elasticsearch domains are open to the world, perform the following:
Remediation / Resolution
To block anonymous access to your Amazon Elasticsearch Service domains, perform the following actions:
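The audit and remediation steps above can be scripted around the CLI commands named in the references below. The following is an added example, not code from the Cloud Conformity page or from AWS: it classifies a domain's access policy document (the JSON string that `aws es describe-elasticsearch-domain --domain-name NAME --query DomainStatus.AccessPolicies --output text` returns) as exposed, IP-restricted or restricted, and builds an IAM role-based replacement policy that can be applied with `aws es update-elasticsearch-domain-config --domain-name NAME --access-policies file://policy.json`. The domain names, account ID, region and IP range are constructed sample values, and treating any anonymous Allow statement that carries a Condition as "ip-restricted" rather than "exposed" is this example's own interpretation of the rule.

```python
"""Classify Amazon ES domain access policies and build a hardened one.

Added example; the sample domains, account ID, region and addresses below
are constructed and do not refer to real resources.
"""
import json

# Constructed sample values, not a real account or region of interest.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def classify_policy(access_policy):
    """Classify one access policy document (a JSON string).

    "exposed":       some Allow statement targets an anonymous principal with
                     no Condition, so unsigned requests from anywhere succeed.
    "ip-restricted": anonymous Allow statements exist but each carries a
                     Condition (the IP-based template uses aws:SourceIp).
    "restricted":    no anonymous Allow at all; an empty policy grants nothing.
    """
    if not access_policy or not access_policy.strip():
        return "restricted"
    policy = json.loads(access_policy)
    anonymous_allows = [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
    ]
    if any(not s.get("Condition") for s in anonymous_allows):
        return "exposed"
    if anonymous_allows:
        return "ip-restricted"
    return "restricted"


def audit_domains(policies_by_domain):
    """Map domain name -> classification. In a real run the input dict is
    built from `aws es list-domain-names` plus one
    `aws es describe-elasticsearch-domain` call per domain."""
    return {name: classify_policy(p) for name, p in policies_by_domain.items()}


def hardened_policy(domain_name, principal_arns, region=REGION, account_id=ACCOUNT_ID):
    """IAM user/role-based replacement for an open policy: only the listed
    principals may call the domain, and every request must be SigV4-signed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": "es:*",
            "Resource": f"arn:aws:es:{region}:{account_id}:domain/{domain_name}/*",
        }],
    }


def _sample(domain, principal, condition=None):
    """Build a constructed sample policy string for the demonstration below."""
    statement = {
        "Effect": "Allow",
        "Principal": principal,
        "Action": "es:*",
        "Resource": f"arn:aws:es:{REGION}:{ACCOUNT_ID}:domain/{domain}/*",
    }
    if condition:
        statement["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


# Constructed sample domains covering each outcome.
OPEN_POLICY = _sample("logs-prod", {"AWS": "*"})
OPEN_STAR_POLICY = _sample("legacy", "*")
IP_POLICY = _sample("metrics", {"AWS": "*"},
                    {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}})
IAM_POLICY = json.dumps(hardened_policy(
    "search-internal", [f"arn:aws:iam::{ACCOUNT_ID}:role/search-api"]))
SAMPLE_DOMAINS = {
    "logs-prod": OPEN_POLICY,
    "legacy": OPEN_STAR_POLICY,
    "metrics": IP_POLICY,
    "search-internal": IAM_POLICY,
    "empty": "",
}

if __name__ == "__main__":
    for name, verdict in audit_domains(SAMPLE_DOMAINS).items():
        print(f"{name}: {verdict}")
    # Replacement policy to save as policy.json and apply with
    # aws es update-elasticsearch-domain-config --access-policies file://policy.json
    fixed = hardened_policy("logs-prod", [f"arn:aws:iam::{ACCOUNT_ID}:role/log-shipper"])
    print(json.dumps(fixed, indent=2))
```

Any domain reported as "exposed" is what this rule flags; replace its policy with the output of `hardened_policy` (or an IP-based template if the clients cannot sign requests) and re-run the audit to confirm the verdict changes.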
References
- AWS Documentation
  - Amazon Elasticsearch Service FAQs
  - Creating and Configuring Amazon Elasticsearch Service Domains
  - Step 3: Configuring an Access Policy for an Amazon ES Domain
- AWS Command Line Interface (CLI) Documentation
  - es
  - list-domain-names
  - describe-elasticsearch-domain
  - update-elasticsearch-domain-config
Rule: Elasticsearch Domain Exposed
Risk level: High