Ensure that your Amazon Elasticsearch (ES) domains (clusters) are accessible only from AWS VPCs for better flexibility and control over the clusters access and security as this feature lets you keep all traffic between your VPC and Elasticsearch domains within the AWS network instead of going over the public Internet.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
AWS Elasticsearch domains that reside within a VPC have an extra layer of security when compared to ES domains that use public endpoints. Launching an Amazon ES cluster within an AWS VPC enables secure communication between the ES cluster (domain) and other AWS services without the need for an Internet Gateway, a NAT device or a VPN connection and all traffic remains secure within the AWS Cloud.
Audit
To determine the access endpoint configuration for your existing Elasticsearch domains, perform the following:
Remediation / Resolution
To migrate your AWS Elasticsearch domains from public access to VPC access (recommended), you must unload the existing data from the domain (cluster) to Amazon S3 then upload this data in a new ES cluster, launched within a Virtual Private Cloud. To relaunch and configure your Elasticsearch cluster(s) within an AWS VPC, perform the following actions:
References
- AWS Documentation
- Amazon Elasticsearch Service FAQs
- Amazon Elasticsearch Service announces support for Amazon Virtual Private Cloud (VPC)
- VPC Support for Amazon Elasticsearch Service Domains
- Step 3: Upload Data to an Amazon ES Domain for Indexing
- AWS Command Line Interface (CLI) Documentation
- es
- list-domain-names
- describe-elasticsearch-domain
- create-elasticsearch-domain
- delete-elasticsearch-domain
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

You are auditing:
Elasticsearch Domain In VPC
Risk level: Medium