AWS-ES-ElasticSearch-Exposed-Domain
Severity: Critical
Description: This control ensures that AWS Elasticsearch Service domains are not publicly accessible. Domains placed within a VPC have an additional layer of security, because all traffic stays within the AWS Cloud. Allowing anonymous access to ES domains is not recommended. Update the access policy of any reported ES domain so that unsigned requests to the domain from all AWS accounts are rejected.
Remediation Steps:
Perform the following steps to update the access policy of an ES Service domain:
Log in to the AWS Management Console at https://console.aws.amazon.com.
Navigate to the Elasticsearch Service console.
In the left navigation pane, select Domains.
Select the reported domain, then choose Actions and Edit security configuration.
Edit the access policy JSON to create a resource-based access policy with a least-privilege configuration.
Select Enable fine-grained access control.
Choose Set IAM ARN as master user and specify the ARN of an IAM role.
Select Enable migration period for open/IP-based access policy to allow a transition period for existing users.
Choose Save changes.
Important:
Fine-grained access control requires OpenSearch or Elasticsearch 6.7 or later.
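The following is an added example, not part of this control's text or any Blue Hexagon code: it parses a domain access policy and flags Allow statements whose Principal is the wildcard and whose Condition does not narrow the caller, which is the exposure this control reports. The three sample policies are constructed; the account id, region, domain name and role name are placeholders.

```python
import json

# Constructed sample access policies (not from the original page); account id,
# region, domain and role names are placeholders.
DOMAIN_ARN = "arn:aws:es:us-east-1:111122223333:domain/example-domain/*"
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
     "Resource": DOMAIN_ARN}]})
IP_RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "es:ESHttp*",
     "Resource": DOMAIN_ARN,
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})
ROLE_SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "es:ESHttp*", "Resource": DOMAIN_ARN,
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/es-master"}}]})


def _principal_is_wildcard(principal) -> bool:
    """True for "*" or {"AWS": "*"} / {"AWS": ["*", ...]}: any unsigned caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _condition_restricts(cond) -> bool:
    """A Condition narrows access unless it is empty or its only rule is an
    aws:SourceIp allow-list that covers every address."""
    if not cond:
        return False
    ips = cond.get("IpAddress", {}).get("aws:SourceIp")
    if ips is not None and len(cond) == 1:
        ips = ips if isinstance(ips, list) else [ips]
        return not any(ip in ("0.0.0.0/0", "::/0") for ip in ips)
    return True


def anonymous_statements(policy_json: str) -> list:
    """Indexes of Allow statements that grant access to any unsigned caller."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [i for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow"
            and _principal_is_wildcard(s.get("Principal"))
            and not _condition_restricts(s.get("Condition"))]


def is_exposed(policy_json: str) -> bool:
    """True when the domain accepts unsigned requests from all AWS accounts."""
    return bool(anonymous_statements(policy_json))
```

Run the check against each domain's AccessPolicies value; a domain whose policy returns True is the condition this control reports, and the role-scoped sample shows the remediated shape.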
Reference:
https://docs.aws.amazon.com/cli/latest/reference/es/create-elasticsearch-domain.html
https://aws.amazon.com/blogs/database/set-access-control-for-amazon-elasticsearch-service
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-enabling
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html
Blue Hexagon Proprietary