Skip to content

Ensure that the domain is behind a VPC

Description

Ensures that the Elasticsearch Domain is behind a Virtual Private Cloud (VPC). Elasticsearch in AWS instances can be deployed to a VPC, a service which allows building of a virtual network which is logically isolated in the AWS Cloud.

If deployed, this service offers the following components:

  • A VPC
  • Subnet
  • Internet Gateway
  • NAT Gateway
  • Virtual private gateway
  • Peering Connection
  • VPC Endpoints
  • Egress-only Internet Gateway

Rationale

Deploying Elasticsearch to a VPC allows for stronger controls over network access. VPCs provide more advanced and granular security controls over their services, including how the services are exposed to the internet. This can help to decrease the number of attack vectors on the service.

More information about VPCs can be found at https://aws.amazon.com/vpc/.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag With Value
secureclouddb/provider aws
secureclouddb/service elasticsearch

Default Rule

/**
 * @param {Object} awsElasticsearchDomainStatus - Elasticsearch Domain Status
 * @returns {boolean} true if the domain is behind a VPC
 */
function validate(databaseSettings) {
    const success = databaseSettings.awsDatabaseInstance &&
                    databaseSettings.awsDatabaseInstance.elasticsearchDomain &&
                    databaseSettings.awsDatabaseInstance.elasticsearchDomain.vpcOptions &&
                    !!databaseSettings.awsDatabaseInstance.elasticsearchDomain.vpcOptions.vpcId;

    return {
        success,
    }
}

// invoke
validate(databaseSettings);