ElasticSearch Domains Should Be Launched With Private VPC Endpoints

More Info:

ElasticSearch domains should be created with private VPC endpoint options. ElasticSearch domains can either be created with a public endpoint or with a VPC configuration that enables internal VPC communication. Domains should be created without a public endpoint to prevent potential public access to the domain.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, PCIDSS, NIST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the ElasticSearch Domains should be launched with private VPC endpoints in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your computer.
Run the following command to create a new VPC endpoint for ElasticSearch:

aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --service-name com.amazonaws.<region>.es --route-table-ids <route-table-id> --subnet-ids <subnet-id> --security-group-ids <security-group-id>

Replace <vpc-id> with the ID of the VPC that contains your ElasticSearch domain. Replace <region> with the region where your ElasticSearch domain is located. Replace <route-table-id> with the ID of the route table that is associated with your subnet. Replace <subnet-id> with the ID of the subnet that contains your ElasticSearch domain. Replace <security-group-id> with the ID of the security group that is associated with your ElasticSearch domain.

Run the following command to modify your ElasticSearch domain to use the VPC endpoint:

aws es modify-elasticsearch-domain-config --domain-name <domain-name> --vpc-options SubnetIds=<subnet-id>,SecurityGroupIds=<security-group-id>

Replace <domain-name> with the name of your ElasticSearch domain. Replace <subnet-id> with the ID of the subnet that contains your ElasticSearch domain. Replace <security-group-id> with the ID of the security group that is associated with your ElasticSearch domain.

Verify that your ElasticSearch domain is now using the VPC endpoint by running the following command:

aws es describe-elasticsearch-domain --domain-name <domain-name> --query 'DomainStatus.EndpointOptions.VPCOptions'

This command should return a JSON object that includes the VPC endpoint information.

Repeat these steps for each ElasticSearch domain that you want to remediate.

Using Python

To remediate this misconfiguration in AWS using Python, you can follow the below steps:

Install the AWS SDK for Python (Boto3) using the following command:
```
pip install boto3
```
Create an EC2 client using the following code:
```
import boto3

ec2 = boto3.client('ec2')
```
Get the VPC ID of the VPC where the ElasticSearch domain is launched using the following code:
```
response = ec2.describe_vpcs(Filters=[{'Name': 'tag:Name', 'Values': ['<VPC_NAME>']}])
vpc_id = response['Vpcs'][0]['VpcId']
```
Replace <VPC_NAME> with the name of the VPC where the ElasticSearch domain is launched.
Create a VPC endpoint for ElasticSearch using the following code:
```
response = ec2.create_vpc_endpoint(
    VpcEndpointType='Interface',
    VpcId=vpc_id,
    ServiceName='com.amazonaws.<REGION>.es',
    PrivateDnsEnabled=True,
    SecurityGroupIds=['<SECURITY_GROUP_ID>'],
    SubnetIds=['<SUBNET_ID>']
)
```
Replace <REGION> with the AWS region where the ElasticSearch domain is launched, <SECURITY_GROUP_ID> with the ID of the security group that allows traffic to the ElasticSearch domain, and <SUBNET_ID> with the ID of the subnet where the ElasticSearch domain is launched.

Update the ElasticSearch domain to use the VPC endpoint by setting the VPCOptions parameter using the following code:

import boto3

es = boto3.client('es')

response = es.update_elasticsearch_domain_config(
    DomainName='<DOMAIN_NAME>',
    ElasticsearchClusterConfig={
        'DedicatedMasterEnabled': False,
        'InstanceCount': 1,
        'InstanceType': '<INSTANCE_TYPE>',
        'ZoneAwarenessEnabled': False
    },
    EBSOptions={
        'EBSEnabled': True,
        'VolumeSize': 10,
        'VolumeType': 'gp2'
    },
    VPCOptions={
        'SubnetIds': ['<SUBNET_ID>'],
        'SecurityGroupIds': ['<SECURITY_GROUP_ID>'],
        'VpcId': vpc_id
    },
    CognitoOptions={
        'Enabled': False
    },
    AdvancedOptions={
        'rest.action.multi.allow_explicit_index': 'true'
    }
)

Replace <DOMAIN_NAME> with the name of the ElasticSearch domain, <INSTANCE_TYPE> with the desired instance type for the ElasticSearch cluster, <SUBNET_ID> with the ID of the subnet where the ElasticSearch domain is launched, and <SECURITY_GROUP_ID> with the ID of the security group that allows traffic to the ElasticSearch domain.

Verify that the ElasticSearch domain is now using the VPC endpoint by checking the VPCOptions parameter using the following code:
```
response = es.describe_elasticsearch_domain_config(
    DomainName='<DOMAIN_NAME>'
)

vpc_options = response['DomainConfig']['VPCOptions']
print(vpc_options)
```
Replace <DOMAIN_NAME> with the name of the ElasticSearch domain.

By following these steps, you can remediate the misconfiguration of ElasticSearch domains not being launched with private VPC endpoints in AWS using Python.

Additional Reading:

https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

ElasticSearch Domains Should Be Launched With Private VPC Endpoints

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: