Enforce creation of ElasticSearch domains within your VPCs

Placing an Amazon ES domain within a VPC enables secure communication between Amazon ES and other services within the VPC without the need for an internet gateway, NAT device, or VPN connection. All traffic remains securely within the AWS Cloud. Because of their logical isolation, domains that reside within a VPC have an extra layer of security when compared to domains that use public endpoints.

Risk Level: Medium
Cloud Entity: Amazon ElasticSearch service
CloudGuard Rule ID: D9.AWS.NET.53
Covered by Spectral: Yes
Category: Analytics

GSL LOGIC

ElasticSearchDomain should have vpc
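The GSL rule above is a presence check on the domain's VPC configuration. The following Python script is an added example, not CloudGuard's own rule engine, that applies the same check to the JSON shape returned by `aws es describe-elasticsearch-domains`: a domain created with VPC access carries a VPCOptions block (VPCId, SubnetIds, SecurityGroupIds) and a `vpc` entry under Endpoints, while a public-endpoint domain has a top-level Endpoint and no VPCOptions. The two domain records, their names, ARNs, account number, subnet and security-group IDs are constructed sample data.

```python
"""Evaluate "ElasticSearchDomain should have vpc" over describe-elasticsearch-domains output.

Added example; not CloudGuard's rule engine. The sample records below are
constructed to mirror the DomainStatus structure returned by the API; every
name, ARN, account number, subnet and security-group ID in them is made up.
"""
import json

# Constructed sample of `aws es describe-elasticsearch-domains --domain-names ...`
# output, trimmed to the fields the rule needs.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DomainStatusList": [
        {
            "DomainName": "logs-private",  # constructed: VPC-access domain
            "ARN": "arn:aws:es:us-east-1:111111111111:domain/logs-private",
            "Endpoints": {"vpc": "vpc-logs-private-abc123.us-east-1.es.amazonaws.com"},
            "VPCOptions": {
                "VPCId": "vpc-0abc0000",
                "SubnetIds": ["subnet-0aaa0000"],
                "SecurityGroupIds": ["sg-0bbb0000"],
            },
        },
        {
            "DomainName": "search-public",  # constructed: public-endpoint domain
            "ARN": "arn:aws:es:us-east-1:111111111111:domain/search-public",
            "Endpoint": "search-search-public-xyz.us-east-1.es.amazonaws.com",
        },
    ]
})


def has_vpc(domain: dict) -> bool:
    """True when the domain was created with VPC access.

    A VPC domain has a VPCOptions block with a VPCId and at least one subnet;
    a public-endpoint domain has a top-level "Endpoint" and no VPCOptions.
    """
    vpc = domain.get("VPCOptions") or {}
    return bool(vpc.get("VPCId")) and bool(vpc.get("SubnetIds"))


def evaluate(describe_output: str) -> dict:
    """Map each DomainName in the output to "PASS" (in a VPC) or "FAIL" (public)."""
    domains = json.loads(describe_output).get("DomainStatusList", [])
    return {d["DomainName"]: ("PASS" if has_vpc(d) else "FAIL") for d in domains}


def failing_domains(describe_output: str) -> list:
    """Sorted names of domains that would be findings for rule D9.AWS.NET.53."""
    return sorted(name for name, verdict in evaluate(describe_output).items()
                  if verdict == "FAIL")


if __name__ == "__main__":
    # Pipe real CLI output into json.loads instead of the constructed sample
    # to run this against your own account.
    for name, verdict in evaluate(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{verdict}  {name}")
```

Because a domain cannot be switched between public and VPC access after creation, a FAIL here always means a new domain must be created, which is why the remediation below is a migration rather than a settings change.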

REMEDIATION

From Portal:
In order to support VPCs, Amazon ES places an endpoint into one, two, or three subnets of your VPC. If you enable multiple Availability Zones for your domain, each subnet must be in a different Availability Zone in the same region. If you only use one Availability Zone, Amazon ES places an endpoint into only one subnet. If you launch a new domain within a VPC, you can't later switch it to use a public endpoint. The reverse is also true: If you create a domain with a public endpoint, you can't later place it within a VPC. Instead, you must create a new domain and migrate your data. To migrate your AWS Elasticsearch domains from public access to VPC access, you must unload the existing data from the domain to Amazon S3 then upload this data in a new ES cluster, launched within a Virtual Private Cloud.

Perform the following steps to relaunch and configure your Elasticsearch cluster within an AWS VPC.

  1. Sign in to the AWS Management Console and navigate to the Elasticsearch dashboard.
  2. Click on the ES domain that you want to relaunch.
  3. On the selected ES domain description page, click the Configure cluster button from the dashboard top menu.
  4. Copy the selected cluster configuration information such as Instance count, Instance type, Dedicated master instance type, Dedicated master instance count, Storage Type, EBS volume size, etc.
  5. On the Set up access policy page, copy the access policy available in the Add or edit the access policy text box.
  6. Go back to the AWS ES service dashboard and click the Create new domain button from the dashboard top menu to launch a new Elasticsearch domain.
  7. On the Define domain page, perform the following actions:
    a. Provide a unique name for the new ES domain in the Elasticsearch domain name box.
    b. Select the right version of the Elasticsearch engine from the Elasticsearch version dropdown list.
    c. Click Next to continue the setup process.
  8. On the Configure cluster page, set the new domain parameters using the configuration details copied previously and click Next to continue.
  9. Perform the following actions on the Set up access page of the new domain.
    a. In the Network configuration section, choose the VPC access option to launch the domain within a VPC, then select the VPC identifier from the VPC dropdown list, an available subnet from the Subnet list, and the security groups.
    b. In the Access policy section, paste the access policy details copied earlier into the Add or edit the access policy box, or select a pre-configured policy from the Set the domain access policy to dropdown list and edit it to meet the needs of your ES domain.
    c. Click Next to continue the process.
  10. On the Review page, verify the domain configuration and its access policy.
  11. Click Confirm and create to launch the new AWS Elasticsearch domain within the specified VPC.
  12. Once the new AWS ES domain is created, upload the data from the source cluster to the new cluster.
  13. Now it is safe to remove the publicly accessible domain.
  14. Perform the following to delete the source domain.
    a. Click on the name of the domain that you want to remove.
    b. On the selected domain description page, click Delete Elasticsearch domain to expand the section panel then click Delete domain button to start the removal process.
    c. Under Delete domain dialog box, check Delete the domain then click the Delete button to confirm the action.

From Command Line:

  1. Run the following command to relaunch the selected Amazon Elasticsearch domain into an AWS VPC.

  aws es create-elasticsearch-domain --region region_name --domain-name Elasticsearch_domain_name --elasticsearch-version version_number --elasticsearch-cluster-config InstanceType=elasticsearch_instance_type,InstanceCount=value --ebs-options EBSEnabled=true,VolumeType=standard,VolumeSize=value --vpc-options SubnetIds=subnet_ID,SecurityGroupIds=sg_ID

  2. Upload the existing data to the newly created cluster. You can remove the old publicly accessible Elasticsearch domain once all the data is uploaded. Use the following command to delete the domain.

  aws es delete-elasticsearch-domain --region region_name --domain-name Elasticsearch_domain_name

References:

  1. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-prerequisites-vpc-endpoints
  2. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-creating-vpc
  3. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc
  4. https://docs.aws.amazon.com/opensearch-service/latest/developerguide/gsgcreate-domain.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html

Amazon ElasticSearch service

Amazon Elasticsearch Service is a fully managed service that makes it easy for you to deploy, secure, and run Elasticsearch cost effectively at scale. You can build, monitor, and troubleshoot your applications using the tools you love, at the scale you need. The service provides support for open source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services, and built-in alerting and SQL querying. Amazon Elasticsearch Service lets you pay only for what you use: there are no upfront costs or usage requirements. With Amazon Elasticsearch Service, you get the ELK stack you need, without the operational ov

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset