Ensure that the domain is not publicly accessible


Identify any publicly accessible AWS Elasticsearch domains and update their access policies so that unsigned requests to the ES clusters are rejected.


To protect your Elasticsearch domains against unauthorized access, AWS Elasticsearch provides preconfigured access policies (resource-based, IP-based and IAM user/role-based), lets you customize the one you need, and lets you import access policies from other AWS ES domains.

Applies To

  • Databases


This rule is applied when the following tags are present:

Tag                       Value
secureclouddb/provider    aws
secureclouddb/service     elasticsearch

Default Rule

/**
 * @param {Object} databaseSettings - database settings; the Elasticsearch domain
 *   status is read from databaseSettings.awsDatabaseInstance.elasticsearchDomain
 * @returns {Object} result whose `success` is true if the domain is not publicly accessible
 */
function validate(databaseSettings) {
    const instance = databaseSettings && databaseSettings.awsDatabaseInstance;
    const domain = instance && instance.elasticsearchDomain;

    // The domain passes if it is deployed in a VPC, or has an access policy,
    // or has advanced security (fine-grained access control) enabled.
    // The whole alternation is guarded by `domain`, so a missing instance or
    // domain yields false instead of a TypeError.
    const success = !!domain && (
        !!(domain.vpcOptions && domain.vpcOptions.vpcId) ||
        !!domain.accessPolicies ||
        // `.enabled` is assumed: the original listing is cut off after advancedSecurityOptions
        !!(domain.advancedSecurityOptions && domain.advancedSecurityOptions.enabled)
    );

    // Return shape assumed; the original listing is truncated at `return {`.
    return { success };
}

// invoke
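The rule above only checks that an access policy exists. The following added example (not SecureCloudDB's or AWS's code) goes one step further and reads the policy document itself to decide whether a domain accepts unsigned requests, treating a VPC endpoint, fine-grained access control, or a Condition (such as an IP restriction) as a valid restriction. The field names (vpcOptions, accessPolicies, advancedSecurityOptions.enabled) are assumed to mirror the rule's input, and all sample domains are constructed.

```javascript
// Added example, not SecureCloudDB's own code: decide whether an Elasticsearch
// domain accepts unsigned requests by parsing its access policy document.
// Field names mirror the rule's input (assumed); the policy JSON is the IAM
// policy format AWS stores in AccessPolicies.

function principalIsAnyone(principal) {
  if (principal === '*') return true;
  const aws = principal && principal.AWS;
  return aws === '*' || (Array.isArray(aws) && aws.includes('*'));
}

function grantsEsAccess(action) {
  // es:* or any es:ESHttp* action lets the caller talk to the cluster endpoint
  return [].concat(action || []).some((a) => a === '*' || /^es:(\*|ESHttp)/i.test(a));
}

// Returns the reasons a domain is reachable by anonymous callers; [] means not public.
function publicExposure(domain) {
  if (domain.vpcOptions && domain.vpcOptions.vpcId) return []; // VPC endpoint only
  const fgac = domain.advancedSecurityOptions;
  if (fgac && fgac.enabled) return []; // fine-grained access control still requires credentials
  if (!domain.accessPolicies) return ['no access policy on a public endpoint'];
  let policy;
  try { policy = JSON.parse(domain.accessPolicies); } catch (e) { return ['access policy is not valid JSON']; }
  const reasons = [];
  [].concat(policy.Statement || []).forEach((s, i) => {
    if (s.Effect !== 'Allow' || !principalIsAnyone(s.Principal) || !grantsEsAccess(s.Action)) return;
    if (s.Condition && Object.keys(s.Condition).length > 0) return; // e.g. aws:SourceIp restriction
    reasons.push(`statement ${i} allows ${JSON.stringify(s.Action)} to principal "*" without a Condition`);
  });
  return reasons;
}

// Constructed sample inputs (not real domains); the account id is AWS's documentation placeholder.
const resource = 'arn:aws:es:us-east-1:123456789012:domain/sample-domain/*';
const openDomain = { accessPolicies: JSON.stringify({ Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Principal: { AWS: '*' }, Action: 'es:*', Resource: resource }] }) };
const ipRestrictedDomain = { accessPolicies: JSON.stringify({ Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Principal: '*', Action: 'es:ESHttp*', Resource: resource,
    Condition: { IpAddress: { 'aws:SourceIp': ['203.0.113.0/24'] } } }] }) };
const vpcDomain = { vpcOptions: { vpcId: 'vpc-0000constructed' } };

console.log(publicExposure(openDomain));         // one reason: statement 0 is open to "*"
console.log(publicExposure(ipRestrictedDomain)); // []
console.log(publicExposure(vpcDomain));          // []
```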