AWS ElasticSearch Cluster Not In A VPC

VPC support for Amazon ES is easy to configure, reliable, and offers an extra layer of security. With VPC support, traffic between other services and Amazon ES stays entirely within the AWS network, isolated from the public Internet. You can manage network access using existing VPC security groups, and you can use AWS Identity and Access Management (IAM) policies for additional protection. VPC support for Amazon ES domains is available at no additional charge.

Policy Details

Policy Subtype: Run, Build
Severity: Medium
Template Type: Terraform, CloudFormation

Build Rules

AWS ElasticSearch cluster not in a VPC.
JSON Queries:
CloudFormation
$.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions any null or ($.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions exists and $.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions.SubnetIds any null)
Terraform
$.resource[*].aws_elasticsearch_domain exists and $.resource[*].aws_elasticsearch_domain[*].*[*].vpc_options does not exist
Recommendations:
  • CloudFormation
    Recommended solution: run the Elasticsearch cluster inside a VPC.
    It is recommended to have the Elasticsearch cluster inside a VPC. Make sure that a "VPCOptions" block exists and that it has "SubnetIds" defined.
    For example:
    "ElasticsearchDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {
        "VPCOptions": {
          "SubnetIds": [{ "Ref": "subnet" }],
          "SecurityGroupIds": [{ "Ref": "mySecurityGroup" }]
        }
      }
    }
  • Terraform
    Recommended solution: make sure the AWS ElasticSearch cluster is in a VPC.
    It is recommended to run the AWS ElasticSearch cluster in a VPC. Make sure your template has the "vpc_options" block defined in the "aws_elasticsearch_domain" resource.
    For example (shown in the JSON form of the template that the build rule above evaluates):
    "aws_elasticsearch_domain": [
      {
        "<elasticsearch_domain_name>": [
          {
            "vpc_options": [
              {
                "security_group_ids": [ "${aws_security_group.elasticsearch.id}" ],
                "subnet_ids": [
                  "${data.aws_subnet_ids.selected.ids[0]}",
                  "${data.aws_subnet_ids.selected.ids[1]}"
                ]
              }
            ]
          }
        ]
      }
    ]
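The CloudFormation build rule above can be reproduced as a small template check. The following is an added example, not code from this policy page or from Prisma Cloud; it assumes a JSON CloudFormation template already loaded into a dict, and the sample template it scans is constructed for illustration.

```python
import json

ES_DOMAIN_TYPE = "AWS::Elasticsearch::Domain"


def es_domains_not_in_vpc(template: dict) -> list:
    """Return the logical IDs of Elasticsearch domains that fail the check.

    Mirrors the CloudFormation build rule: a domain is flagged when its
    VPCOptions block is absent, or present but without any SubnetIds.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ES_DOMAIN_TYPE:
            continue
        props = resource.get("Properties") or {}
        vpc_options = props.get("VPCOptions")
        # VPCOptions missing entirely, or no subnets listed, means a public endpoint.
        if not vpc_options or not vpc_options.get("SubnetIds"):
            findings.append(logical_id)
    return findings


# Constructed sample template (hypothetical, not from the page):
# one public domain, one with VPCOptions but no subnets, one compliant domain.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "PublicDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": { "DomainName": "public-logs" }
    },
    "EmptySubnets": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": { "VPCOptions": { "SecurityGroupIds": [{ "Ref": "mySecurityGroup" }] } }
    },
    "VpcDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {
        "VPCOptions": {
          "SubnetIds": [{ "Ref": "subnet" }],
          "SecurityGroupIds": [{ "Ref": "mySecurityGroup" }]
        }
      }
    },
    "Bucket": { "Type": "AWS::S3::Bucket" }
  }
}
""")

if __name__ == "__main__":
    for name in es_domains_not_in_vpc(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: Elasticsearch domain is not inside a VPC")
```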

Run Rule Recommendation

When you create an ES domain, you specify whether it should have a public endpoint or reside within a VPC. Once created, you cannot switch from one to the other. Instead, you must create a new domain and either manually reindex or migrate your data.

Compliance

There are 2 standards that are applicable to this policy:
  • PIPEDA
  • CCPA 2018
