The Elasticsearch domain should block unsigned requests over the public internet このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Description Update publicly accessible Amazon Elasticsearch domains to block unsigned requests.
Rationale Updating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.
OpenSearch If you are using OpenSearch Service Domains, refer to Amazon’s guide for creating and managing Amazon OpenSearch Service domains for both console and CLI remediation actions.
From the console Follow the Configuring Access Policies docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.
From the command line Create a new policy JSON document. You can follow the Amazon Elasticsearch templated policy to create a custom policy that grants domain access only to a specific IP.
Copy
{
...
"Statement" : [
...
"Action" : "es:*" ,
"Condition" : {
"IpAddress" : {
"aws:SourceIp" : [
"54.197.25.93/32"
]
}
} ,
"Resource" : "arn:aws:es:123456789123:
domain/es-cluster/*"
}
]
}
Run update-elasticsearch-domain-config
using the name of the Elasticsearch domain created in the previous step.
Copy
aws es update-elasticsearch-domain-config
--domain-name es-cluster
--access-policies file://ip-based-policy.json