ElasticSearch Should Use HTTPS Only

More Info:

ElasticSearch domains are configured to enforce HTTPS connections. ElasticSearch domains should be configured to enforce HTTPS connections for all clients to ensure encryption of data in transit.

Risk Level

Low

Address

Security

Compliance Standards

AWSWAF, HITRUST, SOC2, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the ElasticSearch misconfiguration of using HTTPS only in AWS using AWS CLI, you can follow the below steps:

Open the AWS CLI and run the following command to get the current status of the ElasticSearch domain:
```
aws es describe-elasticsearch-domain --domain-name <domain-name>
```
Replace <domain-name> with the name of your ElasticSearch domain.
Check the output of the above command for the value of the EncryptionAtRestOptions parameter. If it is not set to Enabled, then run the following command to enable encryption at rest:
```
aws es update-elasticsearch-domain-config --domain-name <domain-name> --encryption-at-rest-options Enabled=true
```
Replace <domain-name> with the name of your ElasticSearch domain.

Next, run the following command to update the ElasticSearch domain to use HTTPS only:

aws es update-elasticsearch-domain-config --domain-name <domain-name> --advanced-security-options Enabled=true,InternalUserDatabaseEnabled=false,MasterUserOptions.Enabled=false,NodeToNodeEncryptionOptions.Enabled=false,EncryptionAtRestOptions.Enabled=true,HTTPSEnabled=true

Replace <domain-name> with the name of your ElasticSearch domain.

After running the above command, wait for a few minutes for the changes to take effect. You can check the status of the ElasticSearch domain again by running the describe-elasticsearch-domain command.
```
aws es describe-elasticsearch-domain --domain-name <domain-name>
```
If the output of this command shows that the HTTPSEnabled parameter is set to true, then the ElasticSearch domain is now using HTTPS only.

By following these steps, you can remediate the ElasticSearch misconfiguration of using HTTPS only in AWS using AWS CLI.

Using Python

To remediate this misconfiguration on AWS using Python, you can follow the steps below:

Install the AWS SDK for Python (Boto3) by running the following command in your terminal:

pip install boto3

Create an AWS ElasticSearch client using the Boto3 library:

import boto3

es_client = boto3.client('es')

Get the ElasticSearch domain configuration using the describe_elasticsearch_domain method:

domain_name = 'your-domain-name'
domain_config = es_client.describe_elasticsearch_domain(DomainName=domain_name)

Check if the ElasticSearch domain is using HTTPS only by looking at the DomainStatus dictionary:

domain_status = domain_config['DomainStatus']
if domain_status['EncryptionAtRestOptions']['Enabled'] and domain_status['NodeToNodeEncryptionOptions']['Enabled'] and domain_status['AdvancedSecurityOptions']['Enabled']:
    print('ElasticSearch domain is already using HTTPS only')
else:
    # Remediate the misconfiguration

If the ElasticSearch domain is not using HTTPS only, update the domain configuration using the update_elasticsearch_domain_config method:

from botocore.exceptions import ClientError

try:
    response = es_client.update_elasticsearch_domain_config(
        DomainName=domain_name,
        AdvancedSecurityOptions={
            'Enabled': True,
            'InternalUserDatabaseEnabled': False,
            'MasterUserOptions': {
                'MasterUserARN': 'arn:aws:iam::123456789012:user/elasticsearch-master-user',
                'MasterUserName': 'elasticsearch-master-user',
                'MasterUserPassword': 'your-password'
            }
        }
    )
    print('ElasticSearch domain configuration updated successfully')
except ClientError as e:
    print('Error updating ElasticSearch domain configuration: {}'.format(e))

Verify that the ElasticSearch domain is now using HTTPS only by checking the DomainStatus dictionary again:

domain_config = es_client.describe_elasticsearch_domain(DomainName=domain_name)
domain_status = domain_config['DomainStatus']
if domain_status['EncryptionAtRestOptions']['Enabled'] and domain_status['NodeToNodeEncryptionOptions']['Enabled'] and domain_status['AdvancedSecurityOptions']['Enabled']:
    print('ElasticSearch domain is now using HTTPS only')
else:
    print('Failed to remediate ElasticSearch misconfiguration')

Note: In the code above, we assume that the ElasticSearch domain is not using VPC and that you have an IAM user with the necessary permissions to update the ElasticSearch domain configuration. Also, make sure to replace your-domain-name and your-password with the actual values for your ElasticSearch domain.

Additional Reading:

https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

ElasticSearch Should Use HTTPS Only

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: