Ensure that Elasticsearch is configured inside a VPC
Error: AWS ElasticSearch cluster is not in a VPC
Bridgecrew Policy ID: BC_AWS_NETWORKING_42
Checkov Check ID: CKV_AWS_137
Severity: LOW
Description
Amazon Elasticsearch (ES) domains that reside within a VPC have an extra layer of security compared to domains that expose a public endpoint. Launching an Amazon ES cluster within an AWS VPC enables secure communication between the ES domain and other AWS services without an Internet Gateway, a NAT device or a VPN connection, and all traffic remains within the AWS Cloud.
Fix - Buildtime
Terraform
- Resource: aws_elasticsearch_domain
- Argument: vpc_options
```hcl
resource "aws_elasticsearch_domain" "es" {
  domain_name           = var.domain
  elasticsearch_version = "6.3"

  cluster_config {
    instance_type = "m4.large.elasticsearch"
  }

+ vpc_options {
+   subnet_ids = [
+     data.aws_subnet_ids.selected.ids[0],
+     data.aws_subnet_ids.selected.ids[1],
+   ]
+   security_group_ids = [aws_security_group.es.id]
+ }
}
```
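The following is an added, illustrative buildtime detector for this rule; it is not Checkov's own implementation of CKV_AWS_137. It evaluates parsed `aws_elasticsearch_domain` resources the way the fix above implies: a domain passes only when it declares a `vpc_options` block naming at least one subnet, so a missing block and an empty `subnet_ids` both fail. The resource dictionaries are constructed here to resemble what python-hcl2 produces (nested blocks and attribute values wrapped in lists); that shape is an assumption for the example.

```python
"""Illustrative buildtime check for CKV_AWS_137 (added example, not Checkov's code)."""
from typing import Any, Dict, List, Optional, Tuple

CHECK_ID = "CKV_AWS_137"
SUPPORTED_RESOURCE = "aws_elasticsearch_domain"


def _first_block(conf: Dict[str, Any], key: str) -> Optional[Dict[str, Any]]:
    """Return the first nested block named `key`, or None if absent.

    Assumption: hcl2-style output, where a nested block is a list holding one dict.
    A plain dict is accepted too so hand-written configs work.
    """
    value = conf.get(key)
    if isinstance(value, list):
        return value[0] if value and isinstance(value[0], dict) else None
    return value if isinstance(value, dict) else None


def _attribute_list(block: Dict[str, Any], key: str) -> List[Any]:
    """Unwrap an attribute list; hcl2 wraps attribute values in an extra list."""
    value = block.get(key)
    if isinstance(value, list) and value and isinstance(value[0], list):
        value = value[0]
    return value if isinstance(value, list) else []


def es_domain_in_vpc(conf: Dict[str, Any]) -> bool:
    """True when the domain has vpc_options with at least one subnet (the page's fix)."""
    vpc = _first_block(conf, "vpc_options")
    if vpc is None:
        return False  # no vpc_options at all: public endpoint
    return len(_attribute_list(vpc, "subnet_ids")) > 0


Resource = Tuple[str, str, Dict[str, Any]]  # (type, name, config)


def scan(resources: List[Resource]) -> List[Tuple[str, str, str]]:
    """Evaluate every aws_elasticsearch_domain; other resource types are skipped."""
    results = []
    for rtype, name, conf in resources:
        if rtype != SUPPORTED_RESOURCE:
            continue
        status = "PASSED" if es_domain_in_vpc(conf) else "FAILED"
        results.append((CHECK_ID, f"{rtype}.{name}", status))
    return results


# Constructed sample resources (hcl2-like shape), not taken from any real plan.
SAMPLE_RESOURCES: List[Resource] = [
    # Public endpoint: no vpc_options block at all.
    (SUPPORTED_RESOURCE, "public", {
        "domain_name": ["public-es"],
        "elasticsearch_version": ["6.3"],
        "cluster_config": [{"instance_type": ["m4.large.elasticsearch"]}],
    }),
    # Block present but no subnets: still not placed in a VPC.
    (SUPPORTED_RESOURCE, "empty_vpc", {
        "domain_name": ["half-fixed-es"],
        "vpc_options": [{"subnet_ids": [[]], "security_group_ids": [["sg-placeholder"]]}],
    }),
    # The fixed configuration from the page.
    (SUPPORTED_RESOURCE, "es", {
        "domain_name": ["${var.domain}"],
        "elasticsearch_version": ["6.3"],
        "cluster_config": [{"instance_type": ["m4.large.elasticsearch"]}],
        "vpc_options": [{
            "subnet_ids": [[
                "${data.aws_subnet_ids.selected.ids[0]}",
                "${data.aws_subnet_ids.selected.ids[1]}",
            ]],
            "security_group_ids": [["${aws_security_group.es.id}"]],
        }],
    }),
    # Unrelated resource type, ignored by this check.
    ("aws_security_group", "es", {"name": ["es-sg"]}),
]

if __name__ == "__main__":
    for check_id, address, status in scan(SAMPLE_RESOURCES):
        print(f"{check_id} {address}: {status}")
```

Running the module prints one line per Elasticsearch domain; the first two sample domains fail and the page's fixed resource passes.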