Description:
This policy ensures that Amazon Elasticsearch Service (ES) and Kibana ports are not exposed to the internet. This is important to do because exposing these ports to the internet could allow attackers to access your data or disrupt your services.
Rationale:
Keeping your ES and Kibana ports closed to the internet is important for the following reasons:
- It helps to protect your data from being compromised.
- It helps to prevent attackers from disrupting your services.
- It helps to improve the security of your ES and Kibana clusters.
Impact:
If you expose your ES and Kibana ports to the internet, you could be at risk of the following:
- Data breaches
- Service disruptions
- Malware infections
Default Value:
AWS will recommend that you keep your ES and Kibana ports closed to the internet.
Pre-Requisite:
- You must have access to the AWS Management Console or the AWS CLI.
- You must have the IAM permissions necessary to manage ES and Kibana clusters.
Remediation Steps:
To ensure that your ES and Kibana ports are not exposed to the internet, you can follow these steps:
- Check the security settings for your ES and Kibana clusters.
- Make sure that the "Access Policy" for your clusters does not allow inbound traffic from the internet.
- If necessary, you can create a new security group for your clusters and restrict inbound traffic to only the IP addresses or ranges that you need to allow.
Test Plan:
To test whether your ES and Kibana ports are exposed to the internet, you can follow these steps:
- Use the AWS Management Console or the AWS CLI to check the security settings for your clusters.
- Try to connect to your ES and Kibana clusters from the internet using the port numbers that are used for these services.
- If you are able to connect to your clusters from the internet, you will need to take steps to close the ports.
Implementation Plan:
To implement this policy, you can follow these steps:
- Create a new security group for your ES and Kibana clusters.
- Restrict inbound traffic to only the IP addresses or ranges that you need to allow.
- Update the security settings for your ES and Kibana clusters to use the new security group.
AWS CLI Process:
To use the AWS CLI to ensure that your ES and Kibana ports are not exposed to the internet, you can use the following commands:
aws ec2 create-security-group --group-name my-es-kibana-sg --description "Security group for ES and Kibana" aws ec2 authorize-security-group-ingress --group-name my-es-kibana-sg --protocol tcp --port 9200 --source-group my-es-kibana-sg aws es update-elasticsearch-domain --domain-name my-domain --access-policies "{"Cluster": "open", "Node": "open"}"
Using AWS GUI:
To use the AWS Management Console to ensure that your ES and Kibana ports are not exposed to the internet, you can follow these steps:
- Go to the AWS Management Console and sign in to your account.
- Click on the "Elasticsearch Service" service.
- Click on the "Domains" tab.
- Select the domains that you want to update the security settings for.
- Click on the "Security" tab.
- Update the "Access Policy" for the domains to "open" for the "Cluster" and "Node" types.
Backout Plan:
To back out of this policy, you can follow these steps:
- Update the "Access Policy" for your ES and Kibana clusters to allow inbound traffic from the internet.
- Delete the security group that you created in the "Implementation Plan" section.
Note:
- This policy does not apply to ES and Kibana clusters that are running in a VPC.
Reference:
- AWS Elasticsearch Service documentation: https://docs.aws.amazon.com/elasticsearch-service/
- AWS Elasticsearch Service security best practices: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/security.html
Section 2:
- Tags: security, ports, es, kibana
- Keywords: es, kibana, ports, security, access