Es cross account access remediation

Using Console

Using CLI

To remediate the Elasticsearch Domains Should Not Allow Cross Account Access misconfiguration in AWS, you can follow the below steps using AWS CLI:

Open the AWS CLI and run the following command to get the Elasticsearch domain ARN:
```
aws es list-domain-names
```

Once you have the Elasticsearch domain ARN, run the following command to update the Elasticsearch domain access policy to restrict cross-account access:

aws es update-elasticsearch-domain-config --domain-name <domain-name> --cognito-options Enabled=false --access-policies '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"AWS": "*"},"Action": "es:*","Resource": "<domain-arn>","Condition": {"IpAddress": {"aws:SourceIp": ["<your-ip-address>/32"]}}}]}'

Replace <domain-name> with the name of your Elasticsearch domain and <domain-arn> with the ARN of your Elasticsearch domain.

Verify that the access policy has been updated by running the following command:
```
aws es describe-elasticsearch-domain-config --domain-name <domain-name>
```
This command will return the current configuration of the Elasticsearch domain.

By following these steps, you can successfully remediate the Elasticsearch Domains Should Not Allow Cross Account Access misconfiguration in AWS.

Using Python

To remediate the Elasticsearch Domains Should Not Allow Cross Account Access misconfiguration in AWS using Python, you can follow these steps:

Create a new Elasticsearch Domain Policy that restricts cross-account access.

import boto3
import json

client = boto3.client('es')

# Define the new Elasticsearch Domain Policy
policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-west-2:123456789012:domain/my-domain/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::123456789012:root",
                        "arn:aws:sts::123456789012:assumed-role/MyRole/*"
                    ]
                }
            }
        }
    ]
}

# Convert the policy to a JSON string
policy_json = json.dumps(policy)

# Update the Elasticsearch Domain Policy
response = client.update_elasticsearch_domain_config(
    DomainName='my-domain',
    ElasticsearchClusterConfig={
        'InstanceType': 'm3.medium.elasticsearch',
        'InstanceCount': 2,
        'DedicatedMasterEnabled': False,
        'ZoneAwarenessEnabled': False
    },
    EBSOptions={
        'EBSEnabled': True,
        'VolumeType': 'gp2',
        'VolumeSize': 10
    },
    ElasticsearchVersion='7.1',
    AccessPolicies=policy_json
)

Replace the existing Elasticsearch Domain Policy with the new policy.

import boto3
import json

client = boto3.client('es')

# Get the existing Elasticsearch Domain Policy
response = client.describe_elasticsearch_domain_config(DomainName='my-domain')
existing_policy_json = response['DomainConfig']['AccessPolicies']

# Parse the existing policy JSON string
existing_policy = json.loads(existing_policy_json)

# Modify the policy to restrict cross-account access
modified_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-west-2:123456789012:domain/my-domain/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::123456789012:root",
                        "arn:aws:sts::123456789012:assumed-role/MyRole/*"
                    ]
                }
            }
        }
    ]
}

# Convert the modified policy to a JSON string
modified_policy_json = json.dumps(modified_policy)

# Update the Elasticsearch Domain Policy
response = client.update_elasticsearch_domain_config(
    DomainName='my-domain',
    ElasticsearchClusterConfig={
        'InstanceType': 'm3.medium.elasticsearch',
        'InstanceCount': 2,
        'DedicatedMasterEnabled': False,
        'ZoneAwarenessEnabled': False
    },
    EBSOptions={
        'EBSEnabled': True,
        'VolumeType': 'gp2',
        'VolumeSize': 10
    },
    ElasticsearchVersion='7.1',
    AccessPolicies=modified_policy_json
)

Note: Replace the DomainName and Resource ARNs in the policy with your own Elasticsearch Domain and ARNs. Also, replace the PrincipalArn values in the policy with the ARNs of the IAM users or roles that should have access to the domain.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Es cross account access remediation

Triage and Remediation

Remediation