Ensure no security groups allow ingress from 0.0.0.0/0 to Elasticsearch port 9200

Description:

Security groups act as virtual firewalls for Amazon EC2 instances and other AWS resources. Port 9200 is the Elasticsearch REST API. A cluster that is reachable from the entire internet (0.0.0.0/0) and does not enforce authentication lets anyone read, modify or delete its indices; even with authentication enabled, the API is exposed to credential brute-forcing and to any vulnerability in the service itself. It is critical to restrict ingress on port 9200 to the known and trusted IP addresses, CIDR blocks or security groups of the clients that actually need it.


Remediation:

1. Identify Security Groups with Open Elasticsearch Access:

AWS Management Console:
  1. Open the Amazon EC2 console and choose Security Groups in the left navigation pane.
  2. Click the ID link of each security group attached to your Elasticsearch nodes and open the Inbound rules tab.
  3. Look for a rule whose Port range includes 9200 (including "All traffic" rules) and whose Source is 0.0.0.0/0 (or ::/0 for IPv6).
  4. Select that rule and click Edit inbound rules.
  5. Change the Source to the trusted IP addresses, CIDR blocks or security group, or remove the rule entirely if it is not needed.
  6. Click Save rules.
AWS CLI:

To list security groups in the current region that have an open Elasticsearch rule (a TCP rule whose port range includes 9200, or an "All traffic" rule, sourced from 0.0.0.0/0):

aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissions[?(IpProtocol==`"-1"` || (IpProtocol==`"tcp"` && FromPort<=`9200` && ToPort>=`9200`)) && IpRanges[?CidrIp==`"0.0.0.0/0"`]]].[GroupId,GroupName]' \
  --output table

The query is single-quoted so the shell does not treat the JMESPath backticks as command substitution, which would silently empty the comparison. A filter on ToPort==9200 alone misses rules such as 9000-9300 or "All traffic" that also reach the port. The command covers one region only, so repeat it for every region in use, and check Ipv6Ranges for ::/0 if your VPC has IPv6 enabled.

2. Modify Inbound Rules:

AWS Management Console:

Follow the steps provided in the previous section.

AWS CLI:

To revoke an open Elasticsearch rule for a particular security group:

aws ec2 revoke-security-group-ingress --group-id [SECURITY_GROUP_ID] --protocol tcp --port 9200 --cidr 0.0.0.0/0

Replace [SECURITY_GROUP_ID] with the appropriate security group ID. The revoke call only removes a rule whose protocol, port range and CIDR match exactly: a rule that opens a range spanning 9200 must be revoked with the same range (for example --port 9000-9300), and "All traffic" rules or IPv6 sources (::/0) must be passed as JSON via --ip-permissions, since --cidr accepts only IPv4.
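The following script is an added example and not part of the original page or of any AWS tooling. It applies the same check offline to the JSON that aws ec2 describe-security-groups --output json emits, but also catches what the one-line query above misses (port ranges spanning 9200, "All traffic" rules, IPv6 ::/0 sources) and prints the exact revoke-security-group-ingress call for each finding, reusing the rule's own port range so the revoke actually matches. The embedded SAMPLE data is constructed for illustration, its security group IDs are placeholders, and the file name audit_es_sg.py in the usage line is assumed.

```python
"""Audit `aws ec2 describe-security-groups --output json` for Elasticsearch (TCP 9200)
exposed to the world, and print the exact revoke command for each finding.

Catches what a plain ToPort==9200 query misses: port ranges that span 9200,
"All traffic" (IpProtocol -1) rules, and IPv6 ::/0 sources.
Usage:  aws ec2 describe-security-groups --output json | python audit_es_sg.py -
Run with no argument to check the constructed sample data below.
"""
import json
import sys

ES_PORT = 9200
WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"

# Constructed sample (not real AWS output): five groups, three of them non-compliant.
SAMPLE = {
    "SecurityGroups": [
        {"GroupId": "sg-0000000000000001", "GroupName": "es-open",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0000000000000002", "GroupName": "es-range",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9300,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                            "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0000000000000003", "GroupName": "all-traffic",
         "IpPermissions": [{"IpProtocol": "-1",
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0000000000000004", "GroupName": "es-restricted",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
                            "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0000000000000005", "GroupName": "ssh-open",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    ]
}

def rule_covers_port(perm, port=ES_PORT):
    """True if one IpPermissions entry allows TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def world_sources(perm):
    """World-open CIDRs (v4 and v6) listed on one rule entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
    return v4 + v6

def find_open_es(describe_output):
    """Return one finding per (security group, rule, world CIDR) that reaches 9200."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm):
                continue
            for cidr in world_sources(perm):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "GroupName": sg.get("GroupName", ""),
                    "IpProtocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Cidr": cidr,
                })
    return findings

def revoke_command(finding):
    """Build the CLI call that removes exactly the offending rule.

    revoke-security-group-ingress only matches a rule whose protocol, port range
    and CIDR are identical, so the rule's own range (e.g. 9000-9300) is reused
    rather than 9200, and IPv6 sources go in Ipv6Ranges via --ip-permissions.
    """
    perm = {"IpProtocol": finding["IpProtocol"]}
    if finding["IpProtocol"] != "-1":       # "All traffic" rules carry no port range
        perm["FromPort"] = finding["FromPort"]
        perm["ToPort"] = finding["ToPort"]
    if finding["Cidr"] == WORLD_V6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": WORLD_V6}]
    else:
        perm["IpRanges"] = [{"CidrIp": WORLD_V4}]
    return ("aws ec2 revoke-security-group-ingress --group-id %s --ip-permissions '%s'"
            % (finding["GroupId"], json.dumps([perm])))

def main(argv):
    """Print findings and their revoke commands; exit 1 if anything is open."""
    data = json.load(sys.stdin) if argv[1:] == ["-"] else SAMPLE
    findings = find_open_es(data)
    for f in findings:
        ports = "all" if f["IpProtocol"] == "-1" else "%s-%s" % (f["FromPort"], f["ToPort"])
        print("%s (%s): %s %s from %s" % (f["GroupId"], f["GroupName"],
                                          f["IpProtocol"], ports, f["Cidr"]))
        print("  " + revoke_command(f))
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the sample, the script reports es-open, es-range (twice, once for 0.0.0.0/0 and once for ::/0) and all-traffic, and leaves es-restricted and ssh-open alone. Review the printed revoke commands before running them; an "All traffic" rule may be carrying other legitimate access that should be replaced with narrower rules rather than simply dropped.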

Terraform:

To ensure your security group does not have an open Elasticsearch rule in Terraform, declare the port 9200 ingress with a trusted source only:

resource "aws_security_group" "example" {
  # ... other configurations ...

  ingress {
    from_port   = 9200
    to_port     = 9200
    protocol    = "tcp"
    cidr_blocks = ["trusted_ip/32"]  # Replace 'trusted_ip/32' with your trusted CIDR block
  }

  # ... other configurations ...
}

In the code above, replace the placeholder trusted_ip/32 with your trusted IP or CIDR block; never put "0.0.0.0/0" in cidr_blocks, and leave ipv6_cidr_blocks unset or set it to a trusted range rather than "::/0". Where the clients are other EC2 instances, prefer the ingress block's security_groups argument over a CIDR so that the rule follows the application tier rather than its current addresses. Because inline ingress blocks in aws_security_group are authoritative, a 0.0.0.0/0 rule added by hand in the console is removed on the next terraform apply.

3. Regularly Monitor and Audit:

Periodically re-run the describe-security-groups query above in every region you use and alert on any security group it returns, so that a rule opened for troubleshooting does not stay open.


Recommendation:

Restrict Elasticsearch access to the specific IP addresses, CIDR blocks or security groups that require it, and enable Elasticsearch's own authentication and TLS so that network reachability is not the only control. For administrative access, use AWS Systems Manager Session Manager port forwarding or a VPN instead of opening port 9200 to the public. Monitor and audit security group configurations regularly to adhere to security best practices.