Ensure that all your Elasticsearch Service (ES) clusters are configured to allow access only to trusted AWS users and accounts in order to protect against unauthorized cross account access. Prior to running this rule by the Cloud Conformity engine you need to provide the friendly account identifiers represented by a comma-separated list of valid AWS account IDs (e.g. 123456789012), AWS account ARNs (e.g. arn:aws:iam::123456789012:root) or IAM user ARNs (e.g. arn:aws:iam::123456789012:user/elasticsearch-manager).
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing untrusted cross account access to your AWS ES clusters can lead to unauthorized actions such as uploading, downloading and deleting documents without permission. To prevent data leaks and data loss, restrict access to trusted entities only by applying an appropriate domain access policy, i.e. one whose Allow statements name only the trusted accounts or IAM principals rather than a wildcard or an unknown account.
To determine if there are any AWS ES domains (clusters) that allow unknown cross account access, perform the following:
Remediation / Resolution
To update your Amazon Elasticsearch domain access policies so that cross account access is allowed only from trusted entities, perform the following:
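The audit above (find Allow statements whose principals fall outside the trusted list) and the remediation (replace the policy with one that names only the trusted entities) can both be worked through offline on a policy document. The script below is an added example, not Cloud Conformity's engine or code from the AWS documentation. It assumes the same three identifier forms the rule accepts (a bare account ID, a `:root` ARN, or an IAM user ARN), treats a bare account ID or `:root` ARN as trusting the whole account, and reports any wildcard principal for manual review because it does not evaluate policy Conditions. The domain ARN, the second account ID `210987654321` and the sample policy are constructed for illustration, and granting `es:*` to the trusted principals is an assumption you should narrow to the actions each principal needs.

```python
import json
import re
from typing import Iterable, List, Optional, Set, Tuple

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(.+)$")


def account_of(principal: str) -> Optional[str]:
    """Return the 12-digit account ID a principal belongs to, or None for '*' and other non-account principals."""
    if ACCOUNT_ID_RE.match(principal):
        return principal
    m = IAM_ARN_RE.match(principal)
    return m.group(1) if m else None


def normalize_trusted(trusted: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Split the rule's comma-separated identifiers into whole trusted accounts and individually trusted ARNs.

    A bare account ID or a ':root' ARN trusts every principal in that account; a user ARN trusts only that user.
    """
    accounts: Set[str] = set()
    arns: Set[str] = set()
    for ident in trusted:
        ident = ident.strip()
        if ACCOUNT_ID_RE.match(ident):
            accounts.add(ident)
            continue
        m = IAM_ARN_RE.match(ident)
        if not m:
            raise ValueError(f"unsupported trusted identifier: {ident}")
        if m.group(2) == "root":
            accounts.add(m.group(1))
        else:
            arns.add(ident)
    return accounts, arns


def _aws_principals(statement: dict) -> List[str]:
    """Flatten the Principal element of a statement into a list of AWS principal strings."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []  # Service/Federated principals are out of scope for this rule


def untrusted_principals(policy: dict, trusted: Iterable[str]) -> List[str]:
    """Return every principal an Allow statement grants access to that is not covered by the trusted list."""
    accounts, arns = normalize_trusted(trusted)
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(stmt):
            if principal == "*":
                # Conditions (e.g. IpAddress) are not evaluated here, so any wildcard is reported for review.
                findings.append(principal)
                continue
            if principal in arns:
                continue
            acct = account_of(principal)
            if acct is None or acct not in accounts:
                findings.append(principal)
    return findings


def build_trusted_policy(domain_arn: str, trusted: Iterable[str]) -> dict:
    """Build a replacement access policy whose only Allow statement names the trusted identifiers as ARNs."""
    principals = {
        f"arn:aws:iam::{ident}:root" if ACCOUNT_ID_RE.match(ident) else ident for ident in trusted
    }
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": sorted(principals)},
            "Action": "es:*",  # assumption: narrow to the actions each principal actually needs
            "Resource": f"{domain_arn}/*",
        }],
    }


# Constructed sample input: a hypothetical domain whose current policy also lets an unknown account in.
DOMAIN_ARN = "arn:aws:es:us-east-1:123456789012:domain/my-domain"
TRUSTED = ["123456789012", "arn:aws:iam::123456789012:user/elasticsearch-manager"]
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:root",
                               "arn:aws:iam::210987654321:root"]},  # constructed unknown account
         "Action": "es:*", "Resource": f"{DOMAIN_ARN}/*"},
        {"Effect": "Allow", "Principal": "*",
         "Action": "es:ESHttpGet", "Resource": f"{DOMAIN_ARN}/*"},
    ],
}

if __name__ == "__main__":
    print("untrusted principals:", untrusted_principals(CURRENT_POLICY, TRUSTED))
    hardened = build_trusted_policy(DOMAIN_ARN, TRUSTED)
    print(json.dumps(hardened, indent=2))
    # Apply the hardened policy with the AWS CLI, e.g.:
    #   aws es update-elasticsearch-domain-config --domain-name my-domain --access-policies file://policy.json
```

Run against the sample, the audit reports the unknown `:root` ARN and the wildcard principal; the generated policy passes the same check with no findings. In practice you would fetch the live policy from `aws es describe-elasticsearch-domain` (the `AccessPolicies` field is a JSON string) and feed it to `untrusted_principals` before deciding whether to replace it.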
- AWS Documentation
- Creating and Configuring Amazon Elasticsearch Service Domains
- Step 3: Configuring an Access Policy for an Amazon ES Domain
- AWS Policy Generator
Elasticsearch Cross Account Access
Risk level: High