Skip to content

Ensure that the domain is not publicly accessible

Description

Identify any publicly accessible AWS Elasticsearch domains and update their access policy in order to stop any unsigned requests made to the ES clusters.

Rationale

To protect your Elasticsearch domains against unauthorized access, AWS Elasticsearch provides preconfigured access policies such as resource-based, IP-based and IAM user/role-based policies, and it allows you to customize the ones you need, or also the ability to import access policies from other AWS ES domains.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag With Value
secureclouddb/provider aws
secureclouddb/service elasticsearch

Default Rule

/**
 * @param {Object} awsElasticsearchDomainStatus - Elasticsearch Domain Status
 * @returns {boolean} true if the domain is not publicly accesible
 */
function validate(databaseSettings) {

    const success =
        databaseSettings.awsDatabaseInstance &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain &&
        (
           (databaseSettings.awsDatabaseInstance.elasticsearchDomain.vpcOptions &&
            !!databaseSettings.awsDatabaseInstance.elasticsearchDomain.vpcOptions.vpcId) ||

            !!databaseSettings.awsDatabaseInstance.elasticsearchDomain.accessPolicies ||

            (databaseSettings.awsDatabaseInstance.elasticsearchDomain.advancedSecurityOptions &&
             databaseSettings.awsDatabaseInstance.elasticsearchDomain.advancedSecurityOptions.enabled)
        )

    return {
        success,
    }
}

// invoke
validate(databaseSettings);