Description:
Amazon Elasticsearch Service (Amazon ES) is a managed service that makes it easy to deploy, operate, and scale Elasticsearch, a popular open-source search and analytics engine. Amazon ES also offers security options, high availability, data durability, and direct access to the Elasticsearch API.
Rationale:
Open access to the Elasticsearch domains fails to protect the domains against unauthorized access. Hence, the pre-configured access policies must be re-configured and customized according to one’s needs.
Impact:
Restricting open access blocks anonymous access to the Amazon Elasticsearch domains, because a domain with open access will accept requests to create, view, modify and delete data from any party on the Internet.
Default Value:
When choosing the Access policy while creating the ES domain, AWS suggests the "Do not set domain-level access policy" option, which denies all requests to the domain.
Pre-Requisites:
Ensure that the existing policy of the ES Domain is copied to a document (JSON) somewhere else.
Remediation:
Test plan:
1. Sign in to the AWS Management Console.
2. Navigate to Amazon OpenSearch (successor to Elasticsearch) at https://console.aws.amazon.com/esv3/
3. Select the required ES domain from the list of available domains.
4. Under the Security Configuration tab, scroll down to view the Access Policy.
5. In the policy document, look for Principal attributes and other conditional clauses.
6. If the Principal doesn’t contain the ARN of an AWS resource but has something similar to "AWS": "*", the respective ES domain has open access and hence is exposed to the internet.
7. But if the Effect is Deny, the ES domain doesn’t allow open access.
Using AWS CLI:
aws es describe-elasticsearch-domain --domain-name <value> --region <value> --query 'DomainStatus.AccessPolicies' [--cli-input-json <value>] [--generate-cli-skeleton <value>]
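An added example, not part of the original page or of any AWS tooling: a Python check that applies steps 5 to 7 to the policy returned by the command above. The function names and the sample policy (account ID, region, domain name, IP range) are constructed for illustration.

```python
import json

# Constructed sample policy: account ID, region and domain name are placeholders.
ARN = "arn:aws:es:us-east-1:123456789012:domain/example-domain/*"
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Open", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "es:*", "Resource": ARN},
    {"Sid": "IpLimited", "Effect": "Allow", "Principal": "*",
     "Action": "es:ESHttp*", "Resource": ARN,
     "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}}},
    {"Sid": "DenyAll", "Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "es:*", "Resource": ARN},
]})


def is_wildcard(principal):
    """True for "*", {"AWS": "*"} or {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def open_access_statements(raw):
    """Return Allow statements open to any principal with no Condition clause."""
    policy = raw
    # AccessPolicies is a JSON-encoded string; the CLI's default JSON output
    # quotes it a second time, so decode until an object is reached.
    while isinstance(policy, str):
        if not policy.strip():
            return []  # no domain-level access policy is set
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement need not be in a list
        statements = [statements]
    # Statements with a Condition are not flagged here: the condition values
    # (for example the allowed source IP ranges) still need manual review.
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and is_wildcard(s.get("Principal"))
            and not s.get("Condition")]


if __name__ == "__main__":
    for stmt in open_access_statements(SAMPLE):
        print("open access:", stmt.get("Sid", "<no Sid>"))
```

An empty result means no unconditional wildcard Allow statement was found; it does not confirm that any Condition clauses present are restrictive enough.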
Implementation steps:
1. Sign in to the AWS Management Console.
2. Go to the Amazon OpenSearch service (successor to Elasticsearch) at https://console.aws.amazon.com/esv3/
3. Choose the required publicly accessible ES domain from the list of available domains.
4. Under the Security Configuration tab, click Edit.
5. Edit the policy using either Visual Editor or JSON to meet your compliance requirements.
6. You can also choose to Import a policy from another ES domain.
7. Click Save Changes to apply the changes to the access policy.
Using AWS CLI:
aws es update-elasticsearch-domain-config --domain-name <value> --region <value> --access-policies <file://filename.json>
Backout Plan:
Follow the steps as mentioned in the Implementation process and update the policy to its previous state.
Using AWS CLI:
Use the update-elasticsearch-domain-config command with the file that contains the copy of the original policy.
aws es update-elasticsearch-domain-config --domain-name <value> --region <value> --access-policies <file://filename.json>
Note:
Immediately after updating a policy, the Elasticsearch domain status changes from Active to Processing.
When the status turns Active again, the access policy takes effect.
To protect domains with public access, a restrictive policy or fine-grained access control is required.
Reference: