> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Elasticsearch Domains Should Not Allow Cross Account Access

### More Info:

All your Elasticsearch Service (ES) clusters should be configured to allow access only to trusted AWS users and accounts in order to protect against unauthorized cross account access

### Risk Level

High

### Address

Security

### Compliance Standards

AWSWAF

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the issue of Elasticsearch domains allowing cross-account access in AWS using the AWS console, follow these steps:

        1. Log in to the AWS Management Console.

        2. Navigate to the Elasticsearch service.

        3. Select the Elasticsearch domain that is allowing cross-account access.

        4. Click on the "Access" tab.

        5. In the "Access policies" section, click on the "Edit" button.

        6. Remove any entries that allow cross-account access.

        7. Add a new entry to the access policy that allows access only from trusted accounts.

        8. Click on the "Save changes" button to apply the new access policy.

        9. Verify that the Elasticsearch domain no longer allows cross-account access by attempting to access it from a different AWS account.

        10. Repeat the above steps for any other Elasticsearch domains that are allowing cross-account access.

        By following these steps, you can remediate the issue of Elasticsearch domains allowing cross-account access in AWS.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the Elasticsearch Domains Should Not Allow Cross Account Access misconfiguration in AWS, you can follow the below steps using AWS CLI:

        1. Open the AWS CLI and run the following command to get the Elasticsearch domain ARN:

           ```
           aws es list-domain-names
           ```

        2. Once you have the Elasticsearch domain ARN, run the following command to update the Elasticsearch domain access policy to restrict cross-account access:

           ```
           aws es update-elasticsearch-domain-config --domain-name <domain-name> --cognito-options Enabled=false --access-policies '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"AWS": "*"},"Action": "es:*","Resource": "<domain-arn>","Condition": {"IpAddress": {"aws:SourceIp": ["<your-ip-address>/32"]}}}]}' 
           ```

           Replace `<domain-name>` with the name of your Elasticsearch domain and `<domain-arn>` with the ARN of your Elasticsearch domain.

        3. Verify that the access policy has been updated by running the following command:

           ```
           aws es describe-elasticsearch-domain-config --domain-name <domain-name>
           ```

           This command will return the current configuration of the Elasticsearch domain.

        By following these steps, you can successfully remediate the Elasticsearch Domains Should Not Allow Cross Account Access misconfiguration in AWS.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the Elasticsearch Domains Should Not Allow Cross Account Access misconfiguration in AWS using Python, you can follow these steps:

        1. Create a new Elasticsearch Domain Policy that restricts cross-account access.

        ```python theme={null}
        import boto3
        import json

        client = boto3.client('es')

        # Define the new Elasticsearch Domain Policy
        policy = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Deny",
                    "Principal": {
                        "AWS": "*"
                    },
                    "Action": "es:*",
                    "Resource": "arn:aws:es:us-west-2:123456789012:domain/my-domain/*",
                    "Condition": {
                        "StringNotEquals": {
                            "aws:PrincipalArn": [
                                "arn:aws:iam::123456789012:root",
                                "arn:aws:sts::123456789012:assumed-role/MyRole/*"
                            ]
                        }
                    }
                }
            ]
        }

        # Convert the policy to a JSON string
        policy_json = json.dumps(policy)

        # Update the Elasticsearch Domain Policy
        response = client.update_elasticsearch_domain_config(
            DomainName='my-domain',
            ElasticsearchClusterConfig={
                'InstanceType': 'm3.medium.elasticsearch',
                'InstanceCount': 2,
                'DedicatedMasterEnabled': False,
                'ZoneAwarenessEnabled': False
            },
            EBSOptions={
                'EBSEnabled': True,
                'VolumeType': 'gp2',
                'VolumeSize': 10
            },
            ElasticsearchVersion='7.1',
            AccessPolicies=policy_json
        )
        ```

        2. Replace the existing Elasticsearch Domain Policy with the new policy.

        ```python theme={null}
        import boto3
        import json

        client = boto3.client('es')

        # Get the existing Elasticsearch Domain Policy
        response = client.describe_elasticsearch_domain_config(DomainName='my-domain')
        existing_policy_json = response['DomainConfig']['AccessPolicies']

        # Parse the existing policy JSON string
        existing_policy = json.loads(existing_policy_json)

        # Modify the policy to restrict cross-account access
        modified_policy = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Deny",
                    "Principal": {
                        "AWS": "*"
                    },
                    "Action": "es:*",
                    "Resource": "arn:aws:es:us-west-2:123456789012:domain/my-domain/*",
                    "Condition": {
                        "StringNotEquals": {
                            "aws:PrincipalArn": [
                                "arn:aws:iam::123456789012:root",
                                "arn:aws:sts::123456789012:assumed-role/MyRole/*"
                            ]
                        }
                    }
                }
            ]
        }

        # Convert the modified policy to a JSON string
        modified_policy_json = json.dumps(modified_policy)

        # Update the Elasticsearch Domain Policy
        response = client.update_elasticsearch_domain_config(
            DomainName='my-domain',
            ElasticsearchClusterConfig={
                'InstanceType': 'm3.medium.elasticsearch',
                'InstanceCount': 2,
                'DedicatedMasterEnabled': False,
                'ZoneAwarenessEnabled': False
            },
            EBSOptions={
                'EBSEnabled': True,
                'VolumeType': 'gp2',
                'VolumeSize': 10
            },
            ElasticsearchVersion='7.1',
            AccessPolicies=modified_policy_json
        )
        ```

        Note: Replace the `DomainName` and `Resource` ARNs in the policy with your own Elasticsearch Domain and ARNs. Also, replace the `PrincipalArn` values in the policy with the ARNs of the IAM users or roles that should have access to the domain.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/](https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/)
