ES.2

Elasticsearch domains should be in a VPC

Severity: CRITICAL

Cloud Platforms: AWS

Resources: Amazon Elasticsearch

Related Standards: AWS Foundational Best Practice, CIS v8, PCI DSS v3.2.1, CDR, ISO27001, SOC2, NIST CSF, NIST.800-53.r5

Automated

This control checks whether Elasticsearch domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public reachability. This AWS control also does not check whether the Amazon OpenSearch Service resource-based policy permits public access by other accounts or external entities. You should ensure that Elasticsearch domains are not attached to public subnets. See Resource-based policies (https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html#es-ac-types-resource) in the Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) Developer Guide. You should also ensure that your VPC is configured according to the recommended best practices. See Security best practices for your VPC (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html) in the Amazon VPC User Guide.
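
The three checks the paragraph above distinguishes, as an added example that is not part of the original control text: the VPC test that ES.2 performs, plus the subnet-routing and resource-policy checks it leaves to you. The functions take dictionaries shaped like the `DomainStatus` object from `DescribeElasticsearchDomain` and the `RouteTables` list from `DescribeRouteTables` for the domain's VPC; the function names and sample values are constructed for illustration, and only IPv4 default routes are examined.

```python
import json

def in_vpc(domain):
    """What ES.2 evaluates: the domain has a VPC ID."""
    return bool(domain.get("VPCOptions", {}).get("VPCId"))

def public_subnets(domain, route_tables):
    """Domain subnets whose route table sends 0.0.0.0/0 to an internet gateway."""
    main, by_subnet = None, {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            if "SubnetId" in assoc:
                by_subnet[assoc["SubnetId"]] = rt
    found = []
    for subnet in domain.get("VPCOptions", {}).get("SubnetIds", []):
        rt = by_subnet.get(subnet, main)  # unassociated subnets use the main table
        routes = rt.get("Routes", []) if rt else []
        if any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and (r.get("GatewayId") or "").startswith("igw-") for r in routes):
            found.append(subnet)
    return found

def open_policy_statements(domain):
    """Allow statements with a wildcard principal and no Condition element."""
    policy = json.loads(domain.get("AccessPolicies") or "{}")
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    out = []
    for s in stmts:
        p = s.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        if s.get("Effect") == "Allow" and wildcard and "Condition" not in s:
            out.append(s)
    return out

# Constructed sample data: a domain that passes ES.2 yet fails both follow-up checks.
DOMAIN = {
    "VPCOptions": {"VPCId": "vpc-0example", "SubnetIds": ["subnet-a", "subnet-b"]},
    "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": "*"}]}),
}
ROUTE_TABLES = [
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"Associations": [{"SubnetId": "subnet-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]
```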