Elasticsearch/OpenSearch domains can either be created with a public endpoint or with a VPC configuration that enables internal VPC communication. If not required to be openly accessible, domains should be created without a public endpoint to prevent arbitrary public access to the domain.
Elasticsearch/OpenSearch, when set to public, exposes the endpoint on TCP port 443. Kibana dashboards can be accessed by using the /_plugin/kibana route on the URL endpoint. Although authentication is present either via SSO, AWS Cognito or plain HTTP Basic Authentication, the exposure of this endpoint is a cause for concern as the authentication can be attacked as a separate vector.
Log in to the AWS Management Console and navigate to OpenSearch Service.
Select the ES domain that you want to relaunch.
On the ES domain's description page, click on the Cluster Configuration button.
On the Cluster Configuration page, copy the selected cluster configuration information such as Instance count, Instance type, Dedicated master instance type, Dedicated master instance count, Storage Type, EBS volume size, etc. Also, copy the Access policy.
Create a new domain using the configuration copied above. On the setup page of the new domain, under the Network configuration section, select the VPC access option to launch the domain within a VPC, then select the VPC identifier from the VPC dropdown list, an available subnet from the Subnets list, and one or more security groups from the Security Groups dropdown list.
Click Create to launch the new AWS Elasticsearch domain within the specified VPC.
Once the new AWS ES domain is created, upload the data from the source cluster (domain) to the new ES cluster.
Remove the publicly accessible domain by selecting the domain and clicking the Delete button.
List the configuration information of the domain (cluster) you want to relaunch:
aws es describe-elasticsearch-domain --region <value> --domain-name <value>
Use the configuration metadata returned in the previous step to relaunch the selected Amazon Elasticsearch domain into an AWS Virtual Private Cloud:
aws es create-elasticsearch-domain \
  --region <value> \
  --domain-name <value> \
  --elasticsearch-version <value> \
  --elasticsearch-cluster-config InstanceType=<value>,InstanceCount=<value> \
  --ebs-options EBSEnabled=true,VolumeType=standard,VolumeSize=<value> \
  --vpc-options SubnetIds=<value>,SecurityGroupIds=<value>
Once the new domain is launched, delete the publicly accessible domain:
aws es delete-elasticsearch-domain --region <value> --domain-name <value>
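To decide which domains need the relaunch described above, the JSON returned by the describe-elasticsearch-domain step can be checked for a missing VPC attachment and for access policy statements that allow any principal without a condition. The following is an added example, not part of the original guide; the audit_domain function and the sample responses (domain names, account ID, resource IDs) are constructed for illustration.

```python
import json

def audit_domain(describe_output):
    """Classify one domain from `aws es describe-elasticsearch-domain` JSON."""
    status = describe_output["DomainStatus"]
    # A VPC domain carries VPCOptions.VPCId; a public one has none.
    public = not (status.get("VPCOptions") or {}).get("VPCId")
    # AccessPolicies is returned as a JSON-encoded string (possibly empty).
    policy = json.loads(status.get("AccessPolicies") or "{}")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may not be a list
        statements = [statements]
    unrestricted = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        # Wildcard principal with no Condition (such as aws:SourceIp) = anonymous.
        if wildcard and not st.get("Condition"):
            unrestricted.append(st.get("Sid", f"statement[{i}]"))
    endpoint = status.get("Endpoint") if public else (status.get("Endpoints") or {}).get("vpc")
    return {"domain": status.get("DomainName"), "public_endpoint": public,
            "endpoint": endpoint, "unrestricted_statements": unrestricted}

# Constructed sample responses (not real domains or account IDs).
ARN = "arn:aws:es:us-east-1:111122223333:domain/example-public/*"
SAMPLE_PUBLIC = {"DomainStatus": {
    "DomainName": "example-public",
    "Endpoint": "search-example-public-abc123.us-east-1.es.amazonaws.com",
    "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AnyoneCanQuery", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "es:*", "Resource": ARN},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "es:ESHttpGet", "Resource": ARN,
         "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]})}}
SAMPLE_VPC = {"DomainStatus": {
    "DomainName": "example-vpc",
    "Endpoints": {"vpc": "vpc-example-vpc-abc123.us-east-1.es.amazonaws.com"},
    "VPCOptions": {"VPCId": "vpc-0123456789abcdef0",
                   "SubnetIds": ["subnet-0123456789abcdef0"],
                   "SecurityGroupIds": ["sg-0123456789abcdef0"]},
    "AccessPolicies": ""}}

if __name__ == "__main__":
    for sample in (SAMPLE_PUBLIC, SAMPLE_VPC):
        print(json.dumps(audit_domain(sample), indent=2))
```

A domain reported with public_endpoint true is a candidate for the relaunch procedure; any entry in unrestricted_statements should be reviewed when the access policy is copied to the new domain.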