
lacework-global-809

ElasticSearch Domain should be in Virtual Private Cloud (VPC) (Automated)

Description

The policy checks whether Elasticsearch domains are deployed inside a VPC. It does not evaluate the routing configuration of the VPC subnets, so it does not determine whether a domain inside a VPC is still publicly reachable; ensure that Elasticsearch domains are not attached to public subnets. Configure the VPC in line with AWS's recommended best practices (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html).

Deploying within a VPC means that Elasticsearch domains can communicate with other VPC resources over the private AWS network rather than over the public internet, which reduces the exposure of data in transit. VPCs also provide network controls for restricting access to Elasticsearch domains, including network access control lists (NACLs) and security groups. Migrate public Elasticsearch domains into a VPC to take advantage of these controls. Note that there is currently no way to switch an existing domain from public access to VPC access; you must delete and recreate the domain.
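The following is an added example, not Lacework's policy implementation or AWS code. It applies the check described above to the JSON document that `aws es describe-elasticsearch-domain` returns (a domain is in a VPC when `DomainStatus.VPCOptions` lists subnets), and it also performs the subnet-routing check the policy itself does not do, by looking for an active default route to an internet gateway in the subnet's route table as returned by `aws ec2 describe-route-tables`. Both sample documents, all IDs and the domain names are constructed placeholders.

```python
"""Evaluate Elasticsearch/OpenSearch domains for VPC placement and public subnets.

Added example (not Lacework's policy code). Input shapes follow the output of
`aws es describe-elasticsearch-domain` and `aws ec2 describe-route-tables`;
the documents below are constructed and every ID is a placeholder.
"""
import json

# Constructed: describe-elasticsearch-domain output for a domain with public access.
PUBLIC_DOMAIN = json.loads("""
{
  "DomainStatus": {
    "DomainName": "example-public",
    "Endpoint": "search-example-public-abc123.us-east-1.es.amazonaws.com"
  }
}
""")

# Constructed: the same call for a domain created with --vpc-options.
VPC_DOMAIN = json.loads("""
{
  "DomainStatus": {
    "DomainName": "example-vpc",
    "Endpoints": {"vpc": "vpc-example-vpc-abc123.us-east-1.es.amazonaws.com"},
    "VPCOptions": {
      "VPCId": "vpc-00000000000000000",
      "SubnetIds": ["subnet-0000000000000000a", "subnet-0000000000000000b"],
      "SecurityGroupIds": ["sg-00000000000000000"]
    }
  }
}
""")

# Constructed: route tables keyed by the subnet they are associated with.
# Subnet "a" has a default route to an internet gateway (public subnet);
# subnet "b" routes outbound traffic through a NAT gateway (private subnet).
ROUTE_TABLES = {
    "subnet-0000000000000000a": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000000000000", "State": "active"},
    ]},
    "subnet-0000000000000000b": {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000000000000000", "State": "active"},
    ]},
}


def domain_in_vpc(describe_output):
    """True when the domain has VPCOptions with at least one subnet (the policy's check)."""
    vpc_options = describe_output["DomainStatus"].get("VPCOptions") or {}
    return bool(vpc_options.get("SubnetIds"))


def subnet_is_public(route_table):
    """True when an active default route (0.0.0.0/0) points at an internet gateway."""
    for route in route_table.get("Routes", []):
        if route.get("State") != "active":
            continue
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("GatewayId", "").startswith("igw-"):
            return True
    return False


def evaluate_domain(describe_output, route_tables):
    """Return a finding: the policy verdict plus any public subnets the domain sits in."""
    status = describe_output["DomainStatus"]
    in_vpc = domain_in_vpc(describe_output)
    public_subnets = []
    if in_vpc:
        for subnet_id in status["VPCOptions"]["SubnetIds"]:
            if subnet_is_public(route_tables.get(subnet_id, {})):
                public_subnets.append(subnet_id)
    return {
        "domain": status["DomainName"],
        "compliant": in_vpc,
        "public_subnets": public_subnets,
    }


if __name__ == "__main__":
    for doc in (PUBLIC_DOMAIN, VPC_DOMAIN):
        print(json.dumps(evaluate_domain(doc, ROUTE_TABLES)))
```

The public domain fails the policy outright. The VPC domain passes the policy, but the routing check reports that one of its two subnets carries a default route to an internet gateway, which is exactly the case the policy text says it does not catch.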

Remediation

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Analytics > Amazon OpenSearch Service.
  4. Click Create domain.
  5. Enter a name for the domain.
  6. Under Network > VPC, select a VPC.
  7. Click Create.

From CLI:

Create a new domain, setting the following VPC options:

aws es create-elasticsearch-domain --domain-name <domain_name> --vpc-options SubnetIds=<list_of_subnet_ids>,SecurityGroupIds=<list_of_security_group_ids>

Follow up by deleting the violating domain:

aws es delete-elasticsearch-domain --domain-name <domain_name>

References

https://docs.aws.amazon.com/securityhub/latest/userguide/es-controls.html#es-2
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html