The Elasticsearch domain should block unsigned requests over the public internet

Docs > Plateforme de sécurité Datadog > OOTB Rules > The Elasticsearch domain should block unsigned requests over the public internet

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

Update publicly accessible Amazon Elasticsearch domains to block unsigned requests.

Rationale

Updating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.

Remediation

OpenSearch

If you are using OpenSearch Service Domains, refer to Amazon’s guide for creating and managing Amazon OpenSearch Service domains for both console and CLI remediation actions.

From the console

Follow the Configuring Access Policies docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.

From the command line

Create a new policy JSON document. You can follow the Amazon Elasticsearch templated policy to create a custom policy that grants domain access only to a specific IP.

ip-based-policy.json

    {
    ...
    "Statement": [
        ...
        "Action": "es:*",
        "Condition": {
            "IpAddress": {
            "aws:SourceIp": [
                "54.197.25.93/32"
            ]
            }
        },
        "Resource": "arn:aws:es:123456789123:
                    domain/es-cluster/*"
        }
    ]
    }
    

Run update-elasticsearch-domain-config using the name of the Elasticsearch domain created in the previous step.

ip-based-policy.json

    aws es update-elasticsearch-domain-config
        --domain-name es-cluster
        --access-policies file://ip-based-policy.json
    