AWS-ES-ElasticSearch-Public-Service-Domain

Severity: High

Description: This control ensures that AWS Elasticsearch Service domains are not publicly accessible. A domain created with a public endpoint is reachable from the internet and is protected only by its resource-based access policy (and fine-grained access control, where enabled); a policy that allows Principal "*" without a condition such as aws:SourceIp exposes the data to anyone. AWS Elasticsearch Service domains launched within a VPC have an additional layer of security: the endpoint is reachable only from inside the VPC (or networks connected to it), inbound access is further governed by the domain's security groups, and all traffic between the domain and its clients remains within the AWS network.
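A check for this control, added here as an example and not part of the original control text or of any AWS tooling: it evaluates the JSON that `aws es describe-elasticsearch-domains` returns, flags every domain with a public endpoint (no VPCOptions), and additionally marks those whose access policy has an Allow statement for everyone with no Condition. The sample domains, ARNs and endpoints embedded below are constructed so the script runs offline.

```python
"""Audit Amazon ES domains for public endpoints and open access policies.

Added example (not part of the original control text). Reads the output of
`aws es describe-elasticsearch-domains` from stdin, or falls back to the
constructed SAMPLE_DOMAINS below. All names/ARNs/endpoints are made up.
"""
import json
import sys
from typing import Any, Dict, List


def _json_policy(statements: List[Dict[str, Any]]) -> str:
    """The API returns AccessPolicies as a JSON string, so build it that way."""
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


# Constructed sample shaped like DomainStatusList entries (fields trimmed).
SAMPLE_DOMAINS: List[Dict[str, Any]] = [
    {   # public endpoint, policy open to the whole internet
        "DomainName": "logs-public",
        "ARN": "arn:aws:es:us-east-1:111122223333:domain/logs-public",
        "Endpoint": "search-logs-public-abcdef.us-east-1.es.amazonaws.com",
        "AccessPolicies": _json_policy([{
            "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:111122223333:domain/logs-public/*",
        }]),
    },
    {   # public endpoint, but the policy is limited to one source IP range
        "DomainName": "logs-public-ip-restricted",
        "ARN": "arn:aws:es:us-east-1:111122223333:domain/logs-public-ip-restricted",
        "Endpoint": "search-logs-public-ip-restricted-abcdef.us-east-1.es.amazonaws.com",
        "AccessPolicies": _json_policy([{
            "Effect": "Allow", "Principal": "*", "Action": "es:ESHttp*",
            "Resource": "arn:aws:es:us-east-1:111122223333:domain/logs-public-ip-restricted/*",
            "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
        }]),
    },
    {   # VPC domain: the state this control requires
        "DomainName": "logs-vpc",
        "ARN": "arn:aws:es:us-east-1:111122223333:domain/logs-vpc",
        "Endpoints": {"vpc": "vpc-logs-vpc-abcdef.us-east-1.es.amazonaws.com"},
        "VPCOptions": {"VPCId": "vpc-0abc1234", "SubnetIds": ["subnet-0abc1234"],
                       "SecurityGroupIds": ["sg-0abc1234"]},
        "AccessPolicies": _json_policy([{
            "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:111122223333:domain/logs-vpc/*",
        }]),
    },
]


def is_vpc_domain(domain: Dict[str, Any]) -> bool:
    """A domain launched inside a VPC reports VPCOptions with a VPCId."""
    return bool((domain.get("VPCOptions") or {}).get("VPCId"))


def _principal_is_anyone(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def has_unconditional_public_allow(access_policies: str) -> bool:
    """True if an Allow statement grants everyone access with no Condition."""
    if not access_policies:
        return False
    statements = json.loads(access_policies).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return any(s.get("Effect") == "Allow"
               and _principal_is_anyone(s.get("Principal"))
               and not s.get("Condition")
               for s in statements)


def assess(domain: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate one domain: any public endpoint FAILs, VPC placement PASSes."""
    open_policy = has_unconditional_public_allow(domain.get("AccessPolicies", ""))
    finding = {"DomainName": domain.get("DomainName"), "OpenPolicy": open_policy}
    if is_vpc_domain(domain):
        finding["Result"] = "PASS"
        finding["Reason"] = "domain is inside VPC " + domain["VPCOptions"]["VPCId"]
        return finding
    finding["Result"] = "FAIL"
    finding["Reason"] = "public endpoint " + str(domain.get("Endpoint"))
    if open_policy:  # internet-reachable AND readable by anyone: fix first
        finding["Reason"] += "; access policy allows anyone with no Condition"
    return finding


def audit(domains: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [assess(d) for d in domains]


def main() -> None:
    if sys.stdin.isatty():
        domains = SAMPLE_DOMAINS
    else:
        domains = json.load(sys.stdin).get("DomainStatusList", [])
    for finding in audit(domains):
        print(json.dumps(finding))


if __name__ == "__main__":
    main()
```

Against a real account, feed it the CLI output: `aws es describe-elasticsearch-domains --domain-names $(aws es list-domain-names --query 'DomainNames[].DomainName' --output text) | python3 es_public_audit.py`. Note that the IP-restricted public domain still fails, because the control is about network placement and that cannot be changed in place; the OpenPolicy flag only tells you which failing domains to migrate first.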

Remediation Steps:

Perform the following to remove public access from ES Service domains (a replacement domain is created inside a VPC and the data is migrated to it):

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the ES console.

  3. Step 1: Create a new Elasticsearch Service domain inside a VPC

    1. Click the Create a new domain button.

    2. Fill in the settings for the new domain (engine version, instance and storage configuration, encryption settings, access policy) so that they match or improve on the source domain.

    3. In the Network configuration section ensure the VPC access (Recommended) option is selected, and choose the VPC, subnets and security groups through which clients will reach the domain. Only traffic permitted by those security groups reaches the endpoint.

  4. Step 2: Migrate data from the old (public) domain to the new (VPC) domain

    1. Register the same manual snapshot repository (an S3 bucket and an IAM role the domains can assume) on both the source and destination domains by referring to https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains-snapshots.html#es-managedomains-snapshot-registerdirectory. Because the destination endpoint is reachable only from inside the VPC, issue its requests from a host within that VPC.

    2. Take a manual snapshot of the source Elasticsearch domain by referring to https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains-snapshots.html#es-managedomains-snapshot-create

    3. Restore the snapshot to the destination domain by referring to https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains-snapshots.html#es-managedomains-snapshot-restore

    4. Verify the restored indices and document counts on the new domain, point clients at the VPC endpoint, and then delete the old public domain so that the public endpoint no longer exists.

Important:

The network configuration (VPC access vs. public access) of an Elasticsearch Service domain can't be changed after the domain is created. To move a public domain into a VPC, create a new domain within the VPC, migrate the old domain's data to it, and retire the old domain.

Reference:

Blue Hexagon Proprietary