Ensure Security Group attached to EC2 instance does not allow inbound traffic from all to TCP port 9300 (Elasticsearch)

Error: Security Group attached to EC2 instance allows inbound traffic from all to TCP port 9300 (Elasticsearch)

Bridgecrew Policy ID: BC_AWS_NETWORKING_17
Severity: HIGH

Description

AWS Elasticsearch should not be publicly accessible from the internet; exposing it risks unauthorized access to the cluster, data loss, and leakage of sensitive data.

Fix - Runtime

Procedure

  1. Change the access control policy and security groups to make the ES endpoint private.
  2. Allow only a specific list of IP addresses.
  3. Once the Elasticsearch endpoint is no longer publicly accessible, Bridgecrew will automatically close the issue.
  4. You can also request an exception from the policy violation details page.
  5. SecOps will review and involve DSO if required before granting the exception; Bridgecrew will then automatically ignore this resource until the exception expires.
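As an added example (not part of this page and not Bridgecrew's own code), the following Python implements the policy's check over a security group in the shape boto3's describe_security_groups() returns, and the allow-list rewrite from step 2; the security group and CIDRs are constructed sample data.

```python
# Added example (not Bridgecrew's code): check a security group's inbound rules,
# as boto3 describe_security_groups() returns them, for TCP 9300 open to the world.
from ipaddress import ip_network

ES_PORT = 9300
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

SAMPLE_SG = {  # constructed sample; GroupId and CIDRs are made up
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9400,  # range covers 9300
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],                     # all traffic, IPv6 open
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

def rule_covers_port(rule: dict, port: int = ES_PORT) -> bool:
    """IpProtocol "-1" is every protocol/port; tcp without ports is the whole range."""
    proto = rule.get("IpProtocol", "-1")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def open_to_world(rule: dict) -> bool:
    """True if the unrestricted IPv4 or IPv6 range is a source of this rule."""
    return (any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", [])))

def find_violations(sg: dict, port: int = ES_PORT) -> list:
    """(GroupId, IpProtocol, FromPort, ToPort) for every rule breaking the policy."""
    return [(sg["GroupId"], r.get("IpProtocol"), r.get("FromPort"), r.get("ToPort"))
            for r in sg.get("IpPermissions", [])
            if rule_covers_port(r, port) and open_to_world(r)]

def restrict_to_allowlist(rule: dict, allowed_cidrs: list) -> dict:
    """Procedure step 2: swap the open ranges for specific, validated CIDRs."""
    nets = [ip_network(c) for c in allowed_cidrs]  # raises on malformed input
    if any(str(n) in (ANY_V4, ANY_V6) for n in nets):
        raise ValueError("allow-list must not contain 0.0.0.0/0 or ::/0")
    fixed = dict(rule)
    fixed["IpRanges"] = ([r for r in rule.get("IpRanges", []) if r.get("CidrIp") != ANY_V4]
                         + [{"CidrIp": str(n)} for n in nets if n.version == 4])
    fixed["Ipv6Ranges"] = ([r for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") != ANY_V6]
                           + [{"CidrIpv6": str(n)} for n in nets if n.version == 6])
    return fixed
```

Note that a port range such as 9200-9400 and an all-protocol ("-1") rule both expose 9300 even though the number never appears in the rule, which is why the check reasons about coverage rather than matching the port literally.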