Ensure that Elasticsearch is configured inside a VPC

Error: AWS ElasticSearch cluster is not in a VPC

Bridgecrew Policy ID: BC_AWS_NETWORKING_42
Checkov Check ID: CKV_AWS_137
Severity: LOW

AWS ElasticSearch cluster is not in a VPC


AWS Elasticsearch domains that reside within a VPC have an extra layer of security when compared to ES domains that use public endpoints. Launching an Amazon ES cluster within an AWS VPC enables secure communication between the ES cluster (domain) and other AWS services without the need for an Internet Gateway, a NAT device or a VPN connection and all traffic remains secure within the AWS Cloud.

Fix - Buildtime


  • Resource: aws_elasticsearch_domain
  • Argument: vpc_options
resource "aws_elasticsearch_domain" "es" {
          domain_name           = var.domain
          elasticsearch_version = "6.3"
          cluster_config {
            instance_type = "m4.large.elasticsearch"
+         vpc_options {
+           subnet_ids = [
+             data.aws_subnet_ids.selected.ids[0],
+             data.aws_subnet_ids.selected.ids[1],
+           ]
            security_group_ids = [aws_security_group.es.id]