Logo of Trend Micro

Elasticsearch Domain Exposed

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: ES-003

Identify any publicly accessible AWS Elasticsearch domains and update their access policy in order to stop any unsigned requests made to these resources (ES clusters).

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Allowing anonymous access to your ES domains is not recommended and is considered bad practice. To protect your domains against unauthorized access, Amazon ElasticSearch Service provides preconfigured access policies (resource-based, IP-based and IAM user/role-based policies) that you can customize as needed, as well as the ability to import access policies from other AWS ES domains.

Audit

To determine if your Elasticsearch domains are opened to the world, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elasticsearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Click on the ES domain that you want to examine, e.g.

Click on the ES domain that you want to examine

04 On the selected domain description page, click the Modify access policy button from the dashboard top menu to access the domain policy.

05 On the Modify the access policy for <DOMAIN NAME> page, in the Add or edit the access policy section, verify the policy document defined for the selected domain. If the Principal element does not promote an AWS resource (ARN), e.g. "Principal": { "AWS": "*" } and the policy is not using any IP-based Condition clauses to filter the access, e.g. https://goo.gl/FE0a8m, the selected AWS ES domain is exposed to everyone on the Internet.

06 Repeat steps no. 3 - 5 to determine if other Elasticsearch domains available in the current region are publicly accessible.

07 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the names of all AWS Elasticsearch (ES) domains currently available in the selected region: 

aws es list-domain-names
	--region us-east-1

02 The command output should return the requested ES domain name(s): 

{
    "DomainNames": [
        {
            "DomainName": "cloudconformity-es-cluster"
        },
        {
            "DomainName": "cc-analytics-es-cluster"
        }


    ]
}

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the ES domain name returned at the previous step and custom query filters to describe the access policy currently used by the selected domain (cluster): 

aws es describe-elasticsearch-domain
	--domain-name cloudconformity-es-cluster
	--region us-east-1
	--query 'DomainStatus.AccessPolicies'

04 The command output should return the ES domain policy document in JSON format: 

"{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-east-1:123456789012:
                   domain/cloudconformity-es-cluster/*"
    }
  ]
}"

If the "Principal" element value is set to { "AWS": "*" } and the element is not using any Condition clauses to filter the access, as shown in the example above, the selected AWS ES domain is publicly accessible, therefore any machine on the Internet can access the endpoint of the domain and use your Elasticsearch cluster.

05 Repeat steps no. 3 and 4 to determine if other Elasticsearch domains available in the current region are opened to public access.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To block anonymous access to your Amazon ElasticSearch domains, perform the following actions:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elasticsearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Click on the publicly accessible ES domain that you want to reconfigure (see Audit section part I to identify the right resource).

04 On the selected domain description page, click the Modify access policy button from the dashboard top menu to access the domain policy.

05 On the Modify the access policy for <DOMAIN NAME> page, select one of the policy templates from the Set the domain access policy to dropdown list:

  1. Select Allow or deny access to one or more AWS accounts or IAM users and provide the necessary AWS account ID/ARN or IAM user ARN to limit the ES domain access to an AWS account or IAM user only: Allow or deny access to one or more AWS accounts or IAM users.
  2. Select Allow access to the domain from specific IP(s) and provide an IP address (or more IP addresses, separated by comma) to limit the ES domain access to that IP address only: Allow access to the domain from specific IP(s).
  3. Select Copy an access policy from another domain and choose another ES domain name to copy its access policy: Copy an access policy from another domain.
  4. Select Deny access to the domain to block entirely the access to the selected ES domain: Deny access to the domain.

06 Click Submit to apply the access policy changes.

07 In the Change your access policy dialog box, click OK to confirm the action. The ES domain status should change from Active to Processing. The status should return to Active before your modified access policy takes effect.

08 Repeat steps no. 3 - 7 to update the policies for other Elasticsearch domains available in the current region in order to block anonymous access.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 First, define the necessary access policy for your Elasticsearch domain(s) and save it in a JSON document (e.g. es-ip-based-access-policy.json). You can build your own (custom) resource-based, IP-based and IAM user/role-based policies using the templates provided by AWS Elasticsearch service. The following example contains an access policy document that grants domain access only to a specific IP, i.e. 54.197.25.93, using the Condition element (clause): 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "54.197.25.93/32"
          ]
        }
      },
      "Resource": "arn:aws:es:us-east-1:123456789012:
                   domain/cloudconformity-es-cluster/*"
    }
  ]
}

02 Now run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Elasticsearch domain that you want to reconfigure (see Audit section part II to identify the right ES resource) to replace the existing access policy with the one defined at the previous step (i.e. es-ip-based-access-policy.json): 

aws es update-elasticsearch-domain-config
	--domain-name cloudconformity-es-cluster
	--region us-east-1
	--access-policies file://es-ip-based-access-policy.json

03 The command output should return the configuration metadata for the modified Elasticsearch domain (new access policy highlighted): 

{
    "DomainConfig": {
        "ElasticsearchClusterConfig": {
            "Status": {
                "PendingDeletion": false,
                "State": "Active",
                "CreationDate": 1480672766.759,
                "UpdateVersion": 6,
                "UpdateDate": 1480673260.278
            },
            "Options": {
                "DedicatedMasterEnabled": false,
                "InstanceCount": 2,
                "ZoneAwarenessEnabled": true,
                "InstanceType": "m3.large.elasticsearch"
            }
        },


        ...


        "AccessPolicies": {
            "Status": {
                "PendingDeletion": false,
                "State": "Processing",
                "CreationDate": 1480672766.759,
                "UpdateVersion": 9,
                "UpdateDate": 1480676705.668
            },
            "Options": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/cloudconformity-es-cluster/*\",\"Condition\":{\"IpAddress\":{\"aws:SourceIp\":\"54.197.25.93/32\"}}}]}"
        }
    }
}

04 Repeat steps no. 1 - 3 to update (replace) the policies for other Elasticsearch domains available in the current region in order to block anonymous access.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 4 to perform the entire process for other regions.

References

Publication date Dec 3, 2016

Related Elasticsearch rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Elasticsearch Domain Exposed

Risk level: High