The Elasticsearch domain should block unsigned requests over the public internet

Description

Update publicly accessible Amazon Elasticsearch domains to block unsigned requests.

Rationale

Updating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.

Remediation

OpenSearch

If you are using OpenSearch Service Domains, refer to Amazon’s guide for creating and managing Amazon OpenSearch Service domains for both console and CLI remediation actions.

From the console

Follow the Configuring Access Policies docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.

From the command line

  1. Create a new policy JSON document. You can follow the Amazon Elasticsearch templated policy to create a custom policy that grants domain access only to a specific IP.

    ip-based-policy.json

        {
        ...
        "Statement": [
            ...
            "Action": "es:*",
            "Condition": {
                "IpAddress": {
                "aws:SourceIp": [
                    "54.197.25.93/32"
                ]
                }
            },
            "Resource": "arn:aws:es:123456789123:
                        domain/es-cluster/*"
            }
        ]
        }
        
  2. Run update-elasticsearch-domain-config using the name of the Elasticsearch domain created in the previous step.

    ip-based-policy.json

        aws es update-elasticsearch-domain-config
            --domain-name es-cluster
            --access-policies file://ip-based-policy.json