ElasticSearch Access From Unauthorized IP Addresses

This plugin ensures only whitelisted IP addresses can access Amazon OpenSearch domains.

Risk Level: High

Description

This plugin ensures only whitelisted IP addresses can access Amazon OpenSearch domains. ElasticSearch (OpenSearch) domains comprise of data that needs to be queried and centralized logs. Therefore, they should only be accessible only from whitelisted IP addresses to avoid unauthorized access.

About the Service

Amazon OpenSearch: With Amazon OpenSearch, one can analyze, query and visualize petabytes of text and unstructured data. It makes the complex process of performing interactive log analytics, real-time application monitoring, website search, an easy process. Apart from this, Amazon OpenSearch also provides the possibility to capture observability logs and metrics. 

Impact

OpenSearch domains accessible from unauthorized IP pose a serious security threat to the infrastructure. Domains that have restricted IP address control have an extra layer of security. This must be carefully set up. Such misconfigurations can be exploited by the attackers to gain unauthorized access to your data. 

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon OpenSearch Console. You can use this link (https://console.aws.amazon.com/esv3/) to navigate directly if already logged in. 
  3. From the left navigation pane, click on Domains from the left panel.
  4. A list of domains will be displayed. Select the domain you want to examine by clicking on it’s name.
  5. Move to the Security Configurations tab.
  6. Examine the Access policy. If the IpAddress['aws:SourceIp'] Condition of the policy has an IP address that is unknown or unauthorized, the vulnerability exists.
  7. Repeat steps 3 to 6 for all the domains you wish to examine.

Steps for Remediation

Modify Elasticsearch domain access policy to allow only known/whitelisted IP addresses.

  1. Log In to your AWS Console.
  2. Open the Amazon OpenSearch Console. You can use this link (https://console.aws.amazon.com/esv3/) to navigate directly if already logged in. 
  3. From the left navigation pane, click on Domains from the left panel.
  4. A list of domains will be displayed. Select the vulnerable domain by clicking on it’s name.
  5. Move to the Security Configurations tab.
  6. Click on the Edit button from the top-right corner.
  7. Remove the unknown IP address from the IpAddress['aws:SourceIp'] of the Condition element. Click on Save changes after doing the required changes.
  8. Repeat steps 3 to 7 for all the insecure domains.