Kloudle
academy

Restricting access to Elasticsearch/Opensearch service

Riyaz Walikar
#aws#cloudsecurity#elasticsearch#openSearch
Feature image

Introduction

Elasticsearch/OpenSearch domains can either be created with a public endpoint or with a VPC configuration that enables internal VPC communication. If not required to be openly accessible, domains should be created without a public endpoint to prevent arbitrary public access to the domain.

Elasticsearch/OpenSearch, when set to public, exposes the endpoint on TCP port 443. Kibana dashboards can be accessed by using the /_plugin/kibana route on the URL endpoint. Although authentication is present either via SSO, AWS Cognito or plain HTTP Basic Authentication, the exposure of this endpoint is a cause for concern as the authentication can be attacked as a separate vector.

Steps to configure the ElasticSearch/OpenSearch domain to use a VPC endpoint using AWS console

  1. Log in to the AWS Management Console and navigate to OpenSearch Service.

  2. Select the ES domain that you want to relaunch.

  3. On ES domain’s description page, click on the Cluster Configuration button

    ES domain Cluster Configuration

  4. On the Cluster Configuration page, copy the selected cluster configuration information such as Instance count, Instance type, Dedicated master instance type, Dedicated master instance count, Storage Type, EBS volume size, etc. Also, copy the Access policy.

  5. With above-copied configuration create a new domain. On setting up page of the new domain under Network configuration section, select the VPC access option to launch the domain within a VPC, and then select the VPC identifier from the VPC dropdown list, and available subnet from the Subnets list and one or multiple security groups from Security Groups dropdown list.

    Elasticsearch cluster network Configuration

  6. Click Create to launch the new AWS Elasticsearch domain within the specified VPC.

  7. Once the new AWS ES domain is created, upload the data from the source cluster (domain) to the new ES cluster.

  8. Remove the publicly accessible domain by selecting the domain and click on the Delete button.

    Delete Elasticsearch public domain

Steps to configure the ElasticSearch/OpenSearch domain to use a VPC endpoint using AWS CLI

  1. List the selected domain (cluster) configuration information of the domain you want to relaunch

    aws es describe-elasticsearch-domain --region <value> --domain-name <value>

  2. Use the configuration metadata returned in the previous step to relaunch the selected Amazon Elasticsearch domain into an AWS Virtual Private Cloud

    aws es create-elasticsearch-domain
    --region &lt;value>
    --domain-name &lt;value>
    --elasticsearch-version &lt;value>
    --elasticsearch-cluster-config InstanceType=&lt;value>,InstanceCount=&lt;value>
    --ebs-options EBSEnabled=true,VolumeType=standard,VolumeSize=&lt;value>
    --vpc-options SubnetIds=&lt;value>,SecurityGroupIds=&lt;value>

  3. Once the new domain is launched, delete the publicly accessible domain

    aws es delete-elasticsearch-domain --region <value> --domain-name <value>
← Back to Academy