Elasticsearch Domains Should Not Allow Cross Account Access

More Info:

All your Elasticsearch Service (ES) clusters should be configured to allow access only to trusted AWS users and accounts in order to protect against unauthorized cross account access

Risk Level

High

Address

Security

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the Elasticsearch Domains Should Not Allow Cross Account Access misconfiguration in AWS, you can follow the below steps using AWS CLI:

Open the AWS CLI and run the following command to get the Elasticsearch domain ARN:
```
aws es list-domain-names
```

Once you have the Elasticsearch domain ARN, run the following command to update the Elasticsearch domain access policy to restrict cross-account access:

aws es update-elasticsearch-domain-config --domain-name <domain-name> --cognito-options Enabled=false --access-policies '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"AWS": "*"},"Action": "es:*","Resource": "<domain-arn>","Condition": {"IpAddress": {"aws:SourceIp": ["<your-ip-address>/32"]}}}]}'

Replace <domain-name> with the name of your Elasticsearch domain and <domain-arn> with the ARN of your Elasticsearch domain.

Verify that the access policy has been updated by running the following command:
```
aws es describe-elasticsearch-domain-config --domain-name <domain-name>
```
This command will return the current configuration of the Elasticsearch domain.

By following these steps, you can successfully remediate the Elasticsearch Domains Should Not Allow Cross Account Access misconfiguration in AWS.

Using Python

To remediate the Elasticsearch Domains Should Not Allow Cross Account Access misconfiguration in AWS using Python, you can follow these steps:

Create a new Elasticsearch Domain Policy that restricts cross-account access.

import boto3
import json

client = boto3.client('es')

# Define the new Elasticsearch Domain Policy
policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-west-2:123456789012:domain/my-domain/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::123456789012:root",
                        "arn:aws:sts::123456789012:assumed-role/MyRole/*"
                    ]
                }
            }
        }
    ]
}

# Convert the policy to a JSON string
policy_json = json.dumps(policy)

# Update the Elasticsearch Domain Policy
response = client.update_elasticsearch_domain_config(
    DomainName='my-domain',
    ElasticsearchClusterConfig={
        'InstanceType': 'm3.medium.elasticsearch',
        'InstanceCount': 2,
        'DedicatedMasterEnabled': False,
        'ZoneAwarenessEnabled': False
    },
    EBSOptions={
        'EBSEnabled': True,
        'VolumeType': 'gp2',
        'VolumeSize': 10
    },
    ElasticsearchVersion='7.1',
    AccessPolicies=policy_json
)

Replace the existing Elasticsearch Domain Policy with the new policy.

import boto3
import json

client = boto3.client('es')

# Get the existing Elasticsearch Domain Policy
response = client.describe_elasticsearch_domain_config(DomainName='my-domain')
existing_policy_json = response['DomainConfig']['AccessPolicies']

# Parse the existing policy JSON string
existing_policy = json.loads(existing_policy_json)

# Modify the policy to restrict cross-account access
modified_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-west-2:123456789012:domain/my-domain/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::123456789012:root",
                        "arn:aws:sts::123456789012:assumed-role/MyRole/*"
                    ]
                }
            }
        }
    ]
}

# Convert the modified policy to a JSON string
modified_policy_json = json.dumps(modified_policy)

# Update the Elasticsearch Domain Policy
response = client.update_elasticsearch_domain_config(
    DomainName='my-domain',
    ElasticsearchClusterConfig={
        'InstanceType': 'm3.medium.elasticsearch',
        'InstanceCount': 2,
        'DedicatedMasterEnabled': False,
        'ZoneAwarenessEnabled': False
    },
    EBSOptions={
        'EBSEnabled': True,
        'VolumeType': 'gp2',
        'VolumeSize': 10
    },
    ElasticsearchVersion='7.1',
    AccessPolicies=modified_policy_json
)

Note: Replace the DomainName and Resource ARNs in the policy with your own Elasticsearch Domain and ARNs. Also, replace the PrincipalArn values in the policy with the ARNs of the IAM users or roles that should have access to the domain.

Additional Reading:

https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Elasticsearch Domains Should Not Allow Cross Account Access

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: