Identify any publicly accessible AWS Elasticsearch domains and update their access policy in order to stop any unsigned requests made to these resources (ES clusters).
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Allowing anonymous access to your ES domains is not recommended and is considered bad practice. To protect your domains against unauthorized access, Amazon Elasticsearch Service provides preconfigured access policies (resource-based, IP-based and IAM user/role-based policies) that you can customize as needed, as well as the ability to import access policies from other AWS ES domains.
To determine if your Elasticsearch domains are open to the world, perform the following:
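An added check of the kind this step calls for (example code, not part of the Conformity rule or its remediation steps): it parses a domain's access policy document, as returned for a domain by the ES API, and flags any Allow statement whose Principal is the wildcard and that carries no Condition, since that is what lets unsigned requests through. The IP-based variant (wildcard Principal with an aws:SourceIp Condition) is treated as restricted. The sample policies, account id, region and domain name are constructed placeholders.

```python
import json


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) into a list."""
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in principal.values():
        values.extend(v if isinstance(v, list) else [v])
    return values


def anonymous_statements(policy_document):
    """Return the statements that let unsigned (anonymous) callers reach the domain."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        # An IP-based policy also uses Principal "*" but limits callers via a Condition;
        # only the unconditioned wildcard grants truly anonymous access.
        if stmt.get("Condition"):
            continue
        findings.append(stmt)
    return findings


def is_exposed(policy_document):
    """True when the domain access policy admits unsigned requests from anyone."""
    return bool(anonymous_statements(policy_document))


# Constructed sample policies (placeholder account, region and domain name).
_RESOURCE = "arn:aws:es:us-east-1:123456789012:domain/example-domain/*"
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": _RESOURCE}]})
ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/search-client"},
     "Action": "es:ESHttp*", "Resource": _RESOURCE}]})
IP_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "es:ESHttp*", "Resource": _RESOURCE,
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]})
```

In practice the policy document comes from the domain's configuration (the AccessPolicies field of an ES describe-domain call); feed that string to `is_exposed` for each domain in the account.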
Remediation / Resolution
To block anonymous access to your Amazon Elasticsearch domains, perform the following actions:
- AWS Documentation
- Amazon Elasticsearch Service FAQs
- Creating and Configuring Amazon Elasticsearch Service Domains
- Step 3: Configuring an Access Policy for an Amazon ES Domain
Elasticsearch Domain Exposed
Risk level: High