Restricting access to Elasticsearch / OpenSearch service

Elasticsearch/OpenSearch domains that are not required to be openly accessible should be created without a public endpoint to prevent arbitrary public access to the domain.

Elasticsearch/OpenSearch domains can be created either with a public endpoint or with a VPC configuration that enables internal VPC communication.

When set to public, Elasticsearch/OpenSearch exposes the endpoint on TCP port 443. Kibana dashboards can be accessed through the /_plugin/kibana route on the endpoint URL. Although authentication is present, whether via SSO, AWS Cognito or plain HTTP Basic Authentication, exposing this endpoint is a cause for concern because the authentication itself can be attacked as a separate vector.

Steps to configure the Elasticsearch/OpenSearch domain to use a VPC endpoint using the AWS console

  1. Log in to the AWS Management Console and navigate to OpenSearch Service.

  2. Select the ES domain that you want to relaunch.

  3. On the ES domain's description page, click the Cluster Configuration button.

  4. On the Cluster Configuration page, copy the selected cluster configuration information such as Instance count, Instance type, Dedicated master instance type, Dedicated master instance count, Storage Type, EBS volume size, etc. Also, copy the Access policy.

  5. Create a new domain with the configuration copied above. On the setup page of the new domain, under the Network configuration section, select the VPC access option to launch the domain within a VPC, then select the VPC identifier from the VPC dropdown list, an available subnet from the Subnets list, and one or more security groups from the Security Groups dropdown list.

  6. Click Create to launch the new AWS Elasticsearch domain within the specified VPC.

  7. Once the new AWS ES domain is created, upload the data from the source cluster (domain) to the new ES cluster.

  8. Remove the publicly accessible domain by selecting it and clicking the Delete button.

Steps to configure the Elasticsearch/OpenSearch domain to use a VPC endpoint using the AWS CLI

  1. List the configuration information of the domain (cluster) you want to relaunch.

  2. Use the configuration metadata returned in the previous step to relaunch the selected Amazon Elasticsearch domain into an AWS Virtual Private Cloud.

  3. Once the new domain is launched, delete the publicly accessible domain.
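
The three CLI steps above, written as shell functions around the AWS CLI. This is an added example, not commands from the original page; it assumes the `aws opensearch` subcommands, and every domain name, ID and file path is a caller-supplied placeholder.

```bash
#!/usr/bin/env bash
# Added example. Domain names, subnet/security-group IDs and file paths are
# caller-supplied placeholders; nothing here is taken from the original page.

# Step 1: show the settings to carry over (engine version, cluster and EBS
# configuration, access policy) and whether the domain already sits in a VPC.
describe_domain() {
  aws opensearch describe-domain --domain-name "$1" --output json --query \
    'DomainStatus.{Version:EngineVersion,Cluster:ClusterConfig,EBS:EBSOptions,Policy:AccessPolicies,VPC:VPCOptions}'
}

# Succeeds (exit 0) when the domain has no VPC attached, i.e. it is served
# from a public endpoint. With --output text a missing value prints "None".
is_public() {
  vpc_id=$(aws opensearch describe-domain --domain-name "$1" \
    --query 'DomainStatus.VPCOptions.VPCId' --output text)
  [ -z "$vpc_id" ] || [ "$vpc_id" = "None" ]
}

# Step 2: create the replacement domain inside a VPC.
# $1 name  $2 engine version  $3 cluster-config shorthand  $4 ebs-options
# shorthand  $5 subnet IDs  $6 security group IDs  $7 access policy JSON file
create_vpc_domain() {
  aws opensearch create-domain --domain-name "$1" --engine-version "$2" \
    --cluster-config "$3" --ebs-options "$4" \
    --vpc-options "SubnetIds=$5,SecurityGroupIds=$6" \
    --access-policies "file://$7"
}

# Step 3: delete the old public domain ($1), but only once the replacement
# ($2) is confirmed to be VPC-only. Migrate the data before calling this.
delete_public_domain() {
  if is_public "$2"; then
    echo "refusing to delete $1: $2 is not in a VPC" >&2
    return 1
  fi
  aws opensearch delete-domain --domain-name "$1"
}
```

The access policy copied from the old domain typically names that domain in its Resource ARN, so update it before passing the file to `create_vpc_domain`.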
