Profile Applicability:
Level 1
Description:
Elasticsearch and Kibana are commonly used for log management, search, and analytics. These services, however, should not be exposed directly to the internet unless absolutely necessary. Security Groups in AWS allow you to control inbound and outbound traffic to resources such as Elasticsearch clusters and Kibana dashboards. To minimize the attack surface, ingress traffic to the Elasticsearch/Kibana ports (typically port 9200 for Elasticsearch and port 5601 for Kibana) should not be allowed from the internet (0.0.0.0/0 or ::/0). This SOP ensures that no security groups are configured to expose Elasticsearch/Kibana to unauthorized access.
Rationale:
Allowing open ingress to Elasticsearch and Kibana ports from the public internet (0.0.0.0/0 or ::/0) poses a significant security risk. These services often contain sensitive data and should be protected from unauthorized access. Limiting access to these ports to only trusted IP ranges or internal resources (e.g., VPC, VPN, or Load Balancer) ensures that only authorized users can interact with these services.
Impact:
Pros:
Increased Security: Restricting access ensures that Elasticsearch and Kibana are not exposed to the internet, reducing the risk of unauthorized access and potential exploits.
Compliance: Meets security standards and best practices for data protection.
Reduced Attack Surface: Limiting access to trusted IP ranges or internal resources minimizes exposure to potential threats.
Cons:
Limited External Access: If external access to Elasticsearch or Kibana is required (e.g., for support teams or third-party integrations), additional configurations such as VPN, SSH tunneling, or private IP access may be needed.
Default Value:
A newly created security group has no inbound rules, so nothing is exposed until someone adds a rule. World-open rules on these ports usually come from installation guides, quick-start templates, or the console's "Anywhere-IPv4" / "Anywhere-IPv6" source shortcut, which write 0.0.0.0/0 or ::/0 as the source.
Pre-requisite:
AWS IAM permissions:
ec2:DescribeSecurityGroups
ec2:RevokeSecurityGroupIngress
ec2:AuthorizeSecurityGroupIngress
ec2:ModifySecurityGroupRules (only if rules are edited in place instead of revoked and re-added)
AWS CLI installed and configured.
Familiarity with Elasticsearch, Kibana, and AWS security groups.
Remediation Steps
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to EC2 under Services.
In the left-hand navigation pane, click on Security Groups under Network & Security.
Identify the Security Groups associated with your Elasticsearch and Kibana instances.
Review the Inbound Rules for each security group.
Ensure that ports 9200 (Elasticsearch) and 5601 (Kibana) are not open to 0.0.0.0/0 or ::/0.
If these ports are open to the internet, remove the rule allowing ingress from 0.0.0.0/0 or ::/0.
Modify the rule to restrict access to trusted internal IP addresses or subnets if needed.
Using AWS CLI:
To list all security groups and their associated inbound rules, use the following command:
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?(IpProtocol==`"-1"` || (FromPort<=`9200` && ToPort>=`9200`) || (FromPort<=`5601` && ToPort>=`5601`)) && (IpRanges[?CidrIp==`"0.0.0.0/0"`] || Ipv6Ranges[?CidrIpv6==`"::/0"`])]].{ID:GroupId,Name:GroupName}' --output table
This command lists only the security groups that have an inbound rule reaching port 9200 or 5601 from 0.0.0.0/0 or ::/0. The port test uses the rule's FromPort/ToPort range rather than an exact ToPort match, so a rule for 9000-9300 is caught, and the IpProtocol "-1" clause catches "All traffic" rules, which carry no port fields at all. Repeat the command for each region in use; security groups are regional.
To view every inbound rule of one security group, with its protocol, port range, and IPv4 and IPv6 sources, use:
aws ec2 describe-security-groups --group-ids <Security-Group-ID> --query 'SecurityGroups[0].IpPermissions[*].{Protocol:IpProtocol,FromPort:FromPort,ToPort:ToPort,IPv4:IpRanges[*].CidrIp,IPv6:Ipv6Ranges[*].CidrIpv6}' --output json
The sources live under IpRanges[].CidrIp and Ipv6Ranges[].CidrIpv6, not directly on the rule, so check both lists.
If the Security Group has ingress rules that allow traffic from 0.0.0.0/0 or ::/0 to ports 9200 or 5601, revoke those rules. A revoke must match the existing rule exactly (protocol, port range, source), so use the port range shown in the describe output; --port 9200 does not remove a 9000-9300 rule. The --cidr flag accepts IPv4 only, so the ::/0 entries are revoked through --ip-permissions:
aws ec2 revoke-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 9200 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 5601 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <Security-Group-ID> --ip-permissions '[{"IpProtocol":"tcp","FromPort":9200,"ToPort":9200,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'
aws ec2 revoke-security-group-ingress --group-id <Security-Group-ID> --ip-permissions '[{"IpProtocol":"tcp","FromPort":5601,"ToPort":5601,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'
Revoking only the 0.0.0.0/0 or ::/0 source leaves any trusted CIDRs attached to the same rule in place.
If access is needed, add rules that allow only trusted sources. Prefer referencing the client's security group over a CIDR where the clients are inside the VPC (for example the security group of the application servers or the load balancer), since the rule then follows the instances rather than their addresses:
aws ec2 authorize-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 9200 --cidr <trusted-ip-range>
aws ec2 authorize-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 5601 --cidr <trusted-ip-range>
aws ec2 authorize-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 9200 --source-group <trusted-security-group-id>
Implementation Steps:
Using AWS Console:
Open the AWS Management Console and navigate to EC2.
Go to Security Groups under Network & Security.
Select the Security Groups associated with Elasticsearch and Kibana.
In the Inbound Rules section, check for rules allowing traffic to ports 9200 and 5601 from 0.0.0.0/0 or ::/0.
If found, click Edit inbound rules and remove these open rules.
Add more restrictive access rules, such as limiting access to specific trusted IP ranges, VPC subnets, or VPN IPs.
Save the updated security group rules.
Using AWS CLI:
List the Security Groups that expose port 9200 or 5601 to 0.0.0.0/0 or ::/0 (the port test covers ranges and "All traffic" rules, not just rules whose ToPort is exactly 9200 or 5601):
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?(IpProtocol==`"-1"` || (FromPort<=`9200` && ToPort>=`9200`) || (FromPort<=`5601` && ToPort>=`5601`)) && (IpRanges[?CidrIp==`"0.0.0.0/0"`] || Ipv6Ranges[?CidrIpv6==`"::/0"`])]].{ID:GroupId,Name:GroupName}' --output table
Remove any open inbound rules allowing access to ports 9200 or 5601 from 0.0.0.0/0 or ::/0. Match the protocol and port range of the existing rule exactly; IPv6 sources must be revoked with --ip-permissions because --cidr is IPv4 only:
aws ec2 revoke-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 9200 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 5601 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <Security-Group-ID> --ip-permissions '[{"IpProtocol":"tcp","FromPort":9200,"ToPort":9200,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'
aws ec2 revoke-security-group-ingress --group-id <Security-Group-ID> --ip-permissions '[{"IpProtocol":"tcp","FromPort":5601,"ToPort":5601,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'
Add more restrictive access rules (if necessary), scoped to a trusted CIDR or to the security group of the clients that need access:
aws ec2 authorize-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 9200 --cidr <trusted-ip-range>
aws ec2 authorize-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 5601 --cidr <trusted-ip-range>
aws ec2 authorize-security-group-ingress --group-id <Security-Group-ID> --protocol tcp --port 5601 --source-group <trusted-security-group-id>
Re-run the describe-security-groups query afterwards to confirm the group no longer appears in the results.
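The Test Plan and Implementation Steps above both rely on a JMESPath filter, which is awkward to extend once the check must also cover port ranges, "All traffic" rules and IPv6, and the revoke commands must mirror each rule exactly. The script below is an added example written for this SOP; it is not part of the original document and not an AWS tool. It evaluates the JSON shape returned by aws ec2 describe-security-groups (or boto3 describe_security_groups) against a constructed sample of four security groups, reports every world-open rule that reaches 9200 or 5601, and emits the exact revoke-security-group-ingress --ip-permissions payload for each, which removes only the 0.0.0.0/0 or ::/0 source and keeps trusted CIDRs on the same rule. The group IDs, names and CIDRs in the sample are invented; fetch_live assumes boto3 and configured credentials and is only called when you swap it in.

```python
"""Audit and remediation helper for Elasticsearch/Kibana ingress rules.

Added example for this SOP, not part of the original document or of any AWS
tool. It works on the JSON shape returned by `aws ec2 describe-security-groups`
/ boto3 describe_security_groups and catches the cases a ToPort==9200 filter
misses: port ranges (e.g. 9000-9300), all-traffic rules (IpProtocol "-1", which
carry no FromPort/ToPort), and IPv6 (::/0).
"""
import json

TARGET_PORTS = {9200: "Elasticsearch", 5601: "Kibana"}
WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"

# Constructed sample of describe-security-groups output; IDs and CIDRs are invented.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "es-data", "IpPermissions": [
        # exact-port rule, world-open plus a trusted CIDR in the same rule
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "kibana-web", "IpPermissions": [
        # port range covering 5601, open to the IPv6 world
        {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "wide-open", "IpPermissions": [
        # "All traffic": no FromPort/ToPort keys at all
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "es-internal", "IpPermissions": [
        # compliant: cluster ports from the VPC only; SSH is world-open but out of scope here
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def rule_covers_port(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def world_cidrs(perm):
    """Sources in this entry that mean 'anywhere', IPv4 and IPv6."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
    return v4 + v6


def revoke_entry(perm, cidr):
    """IpPermissions entry that revokes only `cidr` from `perm`.

    Passed to revoke-security-group-ingress --ip-permissions it removes the
    world-open source and leaves trusted CIDRs in the same rule untouched.
    IPv6 has to go this way: --cidr only accepts IPv4.
    """
    entry = {"IpProtocol": perm["IpProtocol"]}
    if perm["IpProtocol"] != "-1":
        entry["FromPort"], entry["ToPort"] = perm["FromPort"], perm["ToPort"]
    key, field = ("Ipv6Ranges", "CidrIpv6") if ":" in cidr else ("IpRanges", "CidrIp")
    entry[key] = [{field: cidr}]
    return entry


def find_exposed(security_groups):
    """One finding per (group, service port, world CIDR) that is reachable."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            for cidr in world_cidrs(perm):
                for port, service in TARGET_PORTS.items():
                    if rule_covers_port(perm, port):
                        findings.append({"GroupId": sg["GroupId"], "Service": service,
                                         "Port": port, "Cidr": cidr,
                                         "Revoke": revoke_entry(perm, cidr)})
    return findings


def revoke_plan(findings):
    """Distinct (GroupId, IpPermissions entry) pairs; a -1 rule that produced
    one finding per port is revoked once."""
    seen, plan = set(), []
    for f in findings:
        key = (f["GroupId"], json.dumps(f["Revoke"], sort_keys=True))
        if key not in seen:
            seen.add(key)
            plan.append((f["GroupId"], f["Revoke"]))
    return plan


def fetch_live(region=None):
    """Same shape from the account; boto3 is imported here so the offline
    sample above runs without it (assumes credentials are configured)."""
    import boto3
    pages = boto3.client("ec2", region_name=region).get_paginator(
        "describe_security_groups").paginate()
    return [sg for page in pages for sg in page["SecurityGroups"]]


if __name__ == "__main__":
    found = find_exposed(SAMPLE_SECURITY_GROUPS)   # use fetch_live() for a real audit
    for f in found:
        print(f"{f['GroupId']}: {f['Service']} ({f['Port']}/tcp) open to {f['Cidr']}")
    for group_id, entry in revoke_plan(found):
        print(f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
              f"--ip-permissions '{json.dumps([entry])}'")
```

On the sample, the script reports four findings (sg-0aaa on 9200, sg-0bbb on 5601 via ::/0, and sg-0ccc on both ports through its "All traffic" rule) and three revoke commands, because the two sg-0ccc findings collapse into one payload. sg-0ddd is not reported even though its SSH rule is world-open, since that rule does not reach the target ports. Review the printed commands before running them, and add the replacement authorize rule for trusted sources in the same change window.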
Backout Plan:
Before changing any rule, record the current inbound rules so they can be restored if a legitimate client loses access:
aws ec2 describe-security-groups --group-ids <security-group-id> --output json > sg-<security-group-id>-before.json
Using AWS Management Console:
Sign in to the AWS Management Console.
Navigate to EC2 > Security Groups.
Identify the security group that was changed.
Click Edit inbound rules and re-add the rule recorded before the change for the affected port (9200 or 5601), using the narrowest source that restores connectivity (the client's CIDR or security group) rather than 0.0.0.0/0 or ::/0.
Save the changes and verify connectivity.
Using AWS CLI:
Re-authorize the previous rule for the affected port, using the exact protocol and port range from the saved output:
aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp \
  --port <port-number> \
  --cidr <previous-source-cidr>
Verify the updated rules:
aws ec2 describe-security-groups --group-ids <security-group-id>
Note:
If Elasticsearch or Kibana must be reached from outside the VPC, use a VPN, an SSH tunnel through a bastion host, or AWS PrivateLink rather than opening the ports to the internet. Network restriction is not a substitute for authentication: enable Elasticsearch security (users and roles, API keys) and TLS on the HTTP and transport layers, and require a login on Kibana. IAM policies do not authenticate requests to self-managed Elasticsearch on EC2; they apply to the managed Amazon OpenSearch Service.