Unrestricted Elasticsearch Access Should Not Be Allowed

More Info:

No security group should allow unrestricted inbound access to TCP port 9200 (Elasticsearch).

Risk Level

Medium

Address

Security

Compliance Standards

CBP, AWSWAF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate unrestricted Elasticsearch access in AWS using AWS CLI, follow these steps:

Open the AWS CLI and run the following command to list all Elasticsearch domains in your account:
```
aws es list-domain-names
```
Identify the Elasticsearch domain that has unrestricted access.
Run the following command to update the Elasticsearch domain’s access policy to restrict access:
```
aws es update-elasticsearch-domain-config --domain-name <domain-name> --advanced-security-options 'Enabled=true,InternalUserDatabaseEnabled=true,MasterUserOptions={MasterUserName=<master-username>,MasterUserPassword=<master-password>}'
```
Replace <domain-name> with the name of the Elasticsearch domain and <master-username> and <master-password> with the credentials for the Elasticsearch master user.
Verify that access to the Elasticsearch domain is now restricted by running the following command:
```
aws es describe-elasticsearch-domain-config --domain-name <domain-name>
```
This command should return the updated access policy for the Elasticsearch domain.
Ensure that you have a backup of the Elasticsearch domain before making any changes to it.

Using Python

To remediate unrestricted Elasticsearch access in AWS using Python, you can follow these steps:

Install the AWS SDK for Python (Boto3) using the following command:

pip install boto3

Create an AWS Identity and Access Management (IAM) client using the following code snippet:

import boto3

# Create IAM client
iam = boto3.client('iam')

Create an Elasticsearch service client using the following code snippet:

import boto3

# Create Elasticsearch service client
es = boto3.client('es')

Use the Elasticsearch service client to retrieve the Elasticsearch domain policies using the following code snippet:

import boto3

# Create Elasticsearch service client
es = boto3.client('es')

# Retrieve Elasticsearch domain policies
response = es.describe_elasticsearch_domain_config(
    DomainName='your-domain-name'
)

# Extract the Elasticsearch domain policies
policies = response['DomainConfig']['AccessPolicies']

Check if the Elasticsearch domain policies allow unrestricted access using the following code snippet:

import json

# Check if Elasticsearch domain policies allow unrestricted access
if '{"Effect":"Allow","Principal":"*","Action":"es:*","Resource":"arn:aws:es:*:*:domain/your-domain-name/*"}' in policies:
    # Remove the unrestricted access policy
    new_policies = json.loads(policies)
    new_policies['Statement'].remove({
        'Effect': 'Allow',
        'Principal': {'*'},
        'Action': 'es:*',
        'Resource': 'arn:aws:es:*:*:domain/your-domain-name/*'
    })
    new_policies = json.dumps(new_policies)
else:
    # No remediation needed
    new_policies = policies

Use the Elasticsearch service client to update the Elasticsearch domain policies using the following code snippet:

import boto3

# Create Elasticsearch service client
es = boto3.client('es')

# Update Elasticsearch domain policies
response = es.update_elasticsearch_domain_config(
    DomainName='your-domain-name',
    AccessPolicies=new_policies
)

Verify that the remediation was successful by checking the Elasticsearch domain policies again using the following code snippet:

import boto3

# Create Elasticsearch service client
es = boto3.client('es')

# Retrieve Elasticsearch domain policies
response = es.describe_elasticsearch_domain_config(
    DomainName='your-domain-name'
)

# Extract the Elasticsearch domain policies
policies = response['DomainConfig']['AccessPolicies']

By following these steps, you can remediate unrestricted Elasticsearch access in AWS using Python.

Additional Reading:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unrestricted Elasticsearch Access Should Not Be Allowed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: