Skip to main content

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the ElasticSearch domain misconfiguration in AWS, follow these steps:
  1. Open the AWS Management Console and navigate to the Amazon ElasticSearch Service.
  2. Select the ElasticSearch domain that you want to remediate.
  3. Click on the “Modify” button in the “Actions” dropdown menu.
  4. Scroll down to the “Network Configuration” section.
  5. Under the “VPC Options” tab, enable the “VPC Access” option.
  6. Select the VPC that you want to use for private access to your ElasticSearch domain.
  7. Choose the subnets that you want to use for private access to your ElasticSearch domain.
  8. Select the security groups that you want to use for private access to your ElasticSearch domain.
  9. Click on the “Save Changes” button to apply the changes.
  10. Verify that the ElasticSearch domain is now using private VPC endpoints by checking the “Endpoint” section in the domain details page. The endpoint should now show as a private IP address.
By following these steps, you have successfully remediated the ElasticSearch domain misconfiguration by launching it with private VPC endpoints in AWS.

To remediate the ElasticSearch Domains should be launched with private VPC endpoints in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your computer.
  2. Run the following command to create a new VPC endpoint for ElasticSearch: 
aws ec2 create-vpc-endpoint --vpc-id <vpc-id> --service-name com.amazonaws.<region>.es --route-table-ids <route-table-id> --subnet-ids <subnet-id> --security-group-ids <security-group-id>
Replace <vpc-id> with the ID of the VPC that contains your ElasticSearch domain. Replace <region> with the region where your ElasticSearch domain is located. Replace <route-table-id> with the ID of the route table that is associated with your subnet. Replace <subnet-id> with the ID of the subnet that contains your ElasticSearch domain. Replace <security-group-id> with the ID of the security group that is associated with your ElasticSearch domain.
  1. Run the following command to modify your ElasticSearch domain to use the VPC endpoint:
aws es modify-elasticsearch-domain-config --domain-name <domain-name> --vpc-options SubnetIds=<subnet-id>,SecurityGroupIds=<security-group-id>
Replace <domain-name> with the name of your ElasticSearch domain. Replace <subnet-id> with the ID of the subnet that contains your ElasticSearch domain. Replace <security-group-id> with the ID of the security group that is associated with your ElasticSearch domain.
  1. Verify that your ElasticSearch domain is now using the VPC endpoint by running the following command:
aws es describe-elasticsearch-domain --domain-name <domain-name> --query 'DomainStatus.EndpointOptions.VPCOptions'
This command should return a JSON object that includes the VPC endpoint information.
  1. Repeat these steps for each ElasticSearch domain that you want to remediate.
To remediate this misconfiguration in AWS using Python, you can follow the below steps:
  1. Install the AWS SDK for Python (Boto3) using the following command: 
    pip install boto3
  2. Create an EC2 client using the following code: 
    import boto3

ec2 = boto3.client('ec2')
  3. Get the VPC ID of the VPC where the ElasticSearch domain is launched using the following code: 
    response = ec2.describe_vpcs(Filters=[{'Name': 'tag:Name', 'Values': ['<VPC_NAME>']}])
vpc_id = response['Vpcs'][0]['VpcId']
    Replace <VPC_NAME> with the name of the VPC where the ElasticSearch domain is launched.
  4. Create a VPC endpoint for ElasticSearch using the following code: 
    response = ec2.create_vpc_endpoint(
    VpcEndpointType='Interface',
    VpcId=vpc_id,
    ServiceName='com.amazonaws.<REGION>.es',
    PrivateDnsEnabled=True,
    SecurityGroupIds=['<SECURITY_GROUP_ID>'],
    SubnetIds=['<SUBNET_ID>']
)
    Replace <REGION> with the AWS region where the ElasticSearch domain is launched, <SECURITY_GROUP_ID> with the ID of the security group that allows traffic to the ElasticSearch domain, and <SUBNET_ID> with the ID of the subnet where the ElasticSearch domain is launched.
  5. Update the ElasticSearch domain to use the VPC endpoint by setting the VPCOptions parameter using the following code: 
    import boto3

es = boto3.client('es')

response = es.update_elasticsearch_domain_config(
    DomainName='<DOMAIN_NAME>',
    ElasticsearchClusterConfig={
        'DedicatedMasterEnabled': False,
        'InstanceCount': 1,
        'InstanceType': '<INSTANCE_TYPE>',
        'ZoneAwarenessEnabled': False
    },
    EBSOptions={
        'EBSEnabled': True,
        'VolumeSize': 10,
        'VolumeType': 'gp2'
    },
    VPCOptions={
        'SubnetIds': ['<SUBNET_ID>'],
        'SecurityGroupIds': ['<SECURITY_GROUP_ID>'],
        'VpcId': vpc_id
    },
    CognitoOptions={
        'Enabled': False
    },
    AdvancedOptions={
        'rest.action.multi.allow_explicit_index': 'true'
    }
)
    Replace <DOMAIN_NAME> with the name of the ElasticSearch domain, <INSTANCE_TYPE> with the desired instance type for the ElasticSearch cluster, <SUBNET_ID> with the ID of the subnet where the ElasticSearch domain is launched, and <SECURITY_GROUP_ID> with the ID of the security group that allows traffic to the ElasticSearch domain.
  6. Verify that the ElasticSearch domain is now using the VPC endpoint by checking the VPCOptions parameter using the following code: 
    response = es.describe_elasticsearch_domain_config(
    DomainName='<DOMAIN_NAME>'
)

vpc_options = response['DomainConfig']['VPCOptions']
print(vpc_options)
    Replace <DOMAIN_NAME> with the name of the ElasticSearch domain.
By following these steps, you can remediate the misconfiguration of ElasticSearch domains not being launched with private VPC endpoints in AWS using Python.