Elasticsearch Domains Should Not Be Publicly Exposed

More Info:

AWS Elasticsearch domains should not be publicly accessible their access policy should be updated in order to stop any unsigned requests made to these resources

Risk Level

High

Address

Security

Compliance Standards

HITRUST, AWSWAF, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the Elasticsearch domain publicly exposed issue in AWS using AWS CLI, you can follow the below steps:Step 1: Login to AWS CLI using your AWS account credentials.Step 2: Run the following command to get the Elasticsearch domain endpoint:

aws es list-domain-names

Step 3: Once you have the Elasticsearch domain endpoint, run the following command to update the Elasticsearch domain access policy and restrict access to only authorized IP addresses:

aws es update-elasticsearch-domain-config --domain-name <your-domain-name> --access-policies '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},"Action":"es:*","Condition":{"IpAddress":{"aws:SourceIp":["<your-ip-address>/32"]}}},{"Effect":"Deny","Principal":{"AWS":"*"},"Action":"es:*","Condition":{"NotIpAddress":{"aws:SourceIp":["<your-ip-address>/32"]}}}]}'

Note: Replace <your-domain-name> with the name of your Elasticsearch domain and <your-ip-address> with the IP address you want to allow access to.Step 4: Verify that the Elasticsearch domain access policy has been updated successfully by running the following command:

aws es describe-elasticsearch-domain --domain-name <your-domain-name> --query "DomainStatus.AccessPolicies"

Step 5: Test the Elasticsearch domain access by trying to access it from an IP address that is not authorized. You should receive an error message indicating that access is denied.By following the above steps, you can remediate the Elasticsearch domain publicly exposed issue in AWS using AWS CLI and restrict access to only authorized IP addresses.

Using Python

To remediate the Elasticsearch Domains should not be publicly exposed misconfiguration in AWS, you can use the following steps using Python:

First, you need to identify the Elasticsearch domains that are publicly exposed. You can do this by using the AWS SDK for Python (Boto3) to list all the Elasticsearch domains in your account and check if they have public access policies attached to them.

import boto3

es_client = boto3.client('es')

# List all Elasticsearch domains
response = es_client.list_domain_names()

for domain in response['DomainNames']:
    domain_name = domain['DomainName']
    domain_info = es_client.describe_elasticsearch_domain(DomainName=domain_name)
    
    # Check if the domain has a public access policy
    if 'Endpoint' in domain_info['DomainStatus']:
        endpoint = domain_info['DomainStatus']['Endpoint']
        policies = es_client.describe_elasticsearch_domain_config(DomainName=domain_name)['DomainConfig']['AccessPolicies']
        if 'Statement' in policies:
            for statement in policies['Statement']:
                if 'Effect' in statement and statement['Effect'] == 'Allow':
                    if 'Principal' in statement and statement['Principal'] == '*':
                        print(f'Elasticsearch domain {domain_name} is publicly accessible at {endpoint}')

Once you have identified the publicly exposed Elasticsearch domains, you need to update their access policies to restrict public access. You can do this by using the update_elasticsearch_domain_config API to update the access policies of the domain.

import json

# Update access policies to restrict public access
policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": f"arn:aws:es:{region}:{account_id}:domain/{domain_name}/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "10.0.0.0/8",
                        "172.16.0.0/12",
                        "192.168.0.0/16"
                    ]
                }
            }
        }
    ]
}

policies = json.dumps(policy)

# Update the access policies of the domain
response = es_client.update_elasticsearch_domain_config(
    DomainName=domain_name,
    AccessPolicies=policies
)

print(f'Access policies updated for Elasticsearch domain {domain_name}')

Finally, you need to verify that the access policies have been updated successfully and the Elasticsearch domains are no longer publicly accessible. You can use the same code as in step 1 to check if the domains have public access policies attached to them.

# List all Elasticsearch domains
response = es_client.list_domain_names()

for domain in response['DomainNames']:
    domain_name = domain['DomainName']
    domain_info = es_client.describe_elasticsearch_domain(DomainName=domain_name)
    
    # Check if the domain has a public access policy
    if 'Endpoint' in domain_info['DomainStatus']:
        endpoint = domain_info['DomainStatus']['Endpoint']
        policies = es_client.describe_elasticsearch_domain_config(DomainName=domain_name)['DomainConfig']['AccessPolicies']
        if 'Statement' in policies:
            for statement in policies['Statement']:
                if 'Effect' in statement and statement['Effect'] == 'Allow':
                    if 'Principal' in statement and statement['Principal'] == '*':
                        print(f'Elasticsearch domain {domain_name} is still publicly accessible at {endpoint}')

By following these steps, you can remediate the Elasticsearch Domains should not be publicly exposed misconfiguration in AWS using Python.

Additional Reading:

https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Elasticsearch Domains Should Not Be Publicly Exposed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: