[ES.2]
Elasticsearch domains should be in a VPC
Description
All Elasticsearch (ES) domains must be deployed in a VPC (virtual private cloud). When ES domains are deployed in a VPC, they can communicate with other resources in the VPC without traversing the public internet, which keeps data secure in transit. This control is COMPLIANT when ES domains are deployed in a VPC.
Details
| Property | Value |
|---|---|
| Category | Protect > Secure network configuration > Resources within VPC |
| Compliance Control ID | ES.2 |
| FortifyFox ID | FF100001 |
| Link | ES.2 Compliance |
| Resource Type(s) | AWS::Elasticsearch::Domain |
| Severity | Critical |
Remediation
Use the following CloudFormation templates to deploy an ES domain that is compliant with ES.2.
YAML Template
```yaml
Description: ES.2 example. The CidrBlock values are placeholders; replace them with your own ranges.
Resources:
  esVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16   # required by AWS::EC2::VPC; example value
  esSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref esVPC
      CidrBlock: 10.0.0.0/24   # required by AWS::EC2::Subnet; example value
  esDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      VPCOptions:
        SubnetIds:             # placing the domain in a VPC subnet is what satisfies ES.2
          - !Ref esSubnet
```
JSON Template
```json
{
  "Description": "ES.2 example. The CidrBlock values are placeholders; replace them with your own ranges.",
  "Resources": {
    "esVPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16"
      }
    },
    "esSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": {
          "Ref": "esVPC"
        },
        "CidrBlock": "10.0.0.0/24"
      }
    },
    "esDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {
        "VPCOptions": {
          "SubnetIds": [
            {
              "Ref": "esSubnet"
            }
          ]
        }
      }
    }
  }
}
```
📓 Notes
- You must have created a valid IAM Service Linked Role for ES
- If you have an existing VPC and subnet, you can omit the esVPC and esSubnet resources and replace the "esVPC" and "esSubnet" references with the IDs of your own resources.
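The following is an added example, not part of the FortifyFox page, showing how the ES.2 rule from the Description can be evaluated offline in Python against both a live domain description and a CloudFormation template such as the one in the Remediation section. It relies on two real boto3 `es` client methods (`list_domain_names` and `describe_elasticsearch_domain`); the `FakeEsClient`, the sample `DomainStatus` documents, the `SAMPLE_TEMPLATE` and the function names are constructed for this example.

```python
"""Evaluate the ES.2 rule ("Elasticsearch domains should be in a VPC") offline.

One rule is applied to two kinds of input:
  * a DomainStatus document as returned by describe_elasticsearch_domain, and
  * a CloudFormation template, where every AWS::Elasticsearch::Domain
    resource must carry VPCOptions.SubnetIds.
"""
import json

DOMAIN_TYPE = "AWS::Elasticsearch::Domain"


def domain_in_vpc(domain: dict) -> bool:
    """ES.2 rule: VPCOptions must list at least one subnet.

    Works for both a live DomainStatus and a template's Properties block,
    because both express VPC placement as VPCOptions.SubnetIds.  A domain
    without VPCOptions (or with an empty SubnetIds) has a public endpoint.
    """
    vpc_options = domain.get("VPCOptions") or {}
    subnet_ids = vpc_options.get("SubnetIds") or []
    return len(subnet_ids) > 0


def verdict(domain: dict) -> str:
    """Translate the boolean rule into the control's COMPLIANT/NON_COMPLIANT wording."""
    return "COMPLIANT" if domain_in_vpc(domain) else "NON_COMPLIANT"


def evaluate_template(template: dict) -> dict:
    """Map each AWS::Elasticsearch::Domain logical ID in a template to its verdict."""
    results = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") == DOMAIN_TYPE:
            results[logical_id] = verdict(resource.get("Properties") or {})
    return results


def audit_domains(es_client) -> dict:
    """Map each domain name in an account/region to its verdict.

    `es_client` is anything exposing the two boto3 'es' client methods used
    here (list_domain_names, describe_elasticsearch_domain): pass
    boto3.client("es") in practice, or a fake for offline tests.
    """
    results = {}
    for entry in es_client.list_domain_names()["DomainNames"]:
        name = entry["DomainName"]
        status = es_client.describe_elasticsearch_domain(DomainName=name)["DomainStatus"]
        results[name] = verdict(status)
    return results


# ---- constructed sample inputs (not real AWS resources) -------------------

# Shaped like the page's JSON remediation template, plus a second domain that
# lacks VPCOptions so the non-compliant path is exercised.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "esVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "esSubnet": {"Type": "AWS::EC2::Subnet",
                 "Properties": {"VpcId": {"Ref": "esVPC"}, "CidrBlock": "10.0.0.0/24"}},
    "esDomain": {"Type": "AWS::Elasticsearch::Domain",
                 "Properties": {"VPCOptions": {"SubnetIds": [{"Ref": "esSubnet"}]}}},
    "publicDomain": {"Type": "AWS::Elasticsearch::Domain",
                     "Properties": {"ElasticsearchVersion": "7.10"}}
  }
}
""")


class FakeEsClient:
    """Stand-in for boto3.client('es') holding two constructed DomainStatus docs."""

    _domains = {
        "logs-vpc": {
            "DomainName": "logs-vpc",
            "VPCOptions": {"VPCId": "vpc-0example0", "SubnetIds": ["subnet-0example0"]},
        },
        "logs-public": {
            "DomainName": "logs-public",
            "Endpoint": "search-logs-public-example.us-east-1.es.amazonaws.com",
        },
    }

    def list_domain_names(self):
        return {"DomainNames": [{"DomainName": n} for n in self._domains]}

    def describe_elasticsearch_domain(self, DomainName):
        return {"DomainStatus": self._domains[DomainName]}


if __name__ == "__main__":
    print("template:", evaluate_template(SAMPLE_TEMPLATE))
    print("account:", audit_domains(FakeEsClient()))
```

Running the file prints `COMPLIANT` for `esDomain` and `logs-vpc` and `NON_COMPLIANT` for `publicDomain` and `logs-public`. The same `domain_in_vpc` function serves both the pre-deployment template check and the post-deployment account audit, so the rule is evaluated identically in a CI pipeline and in a scheduled scan.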