AWS Elasticsearch

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.

Access Control Policy

Design Guidance:

AWS::Elasticsearch::Domain

Access Policies
Terraform
Advanced Security Options-Enabled
Terraform
Cognito Options-Role Arn
Terraform

Identification and Authentication

Design Guidance:

AWS::Elasticsearch::Domain

Advanced Security Options-Internal User Database Enabled
Terraform
Master User Options-Master User Arn
Terraform
Master User Options-Master User Name
Terraform
Master User Options-Master User Password
Terraform
Cognito Options-Enabled
Terraform
Cognito Options-Identity Pool Id
Terraform
Cognito Options-User Pool Id
Terraform

AWS::Elasticsearch::UpdateElasticsearchDomainConfig

SAML Options-Enabled
Idp-Entity Id
Idp-Metadata Content
SAML Options-Subject Key

TLS

Design Guidance:

AWS::Elasticsearch::Domain

Domain Endpoint Options-Enforce HTTPS
Terraform
Node To Node Encryption Options-Enabled
Terraform
Domain Endpoint Options-TLS Security Policy
Terraform

Design for High Availability

Design Guidance:

AWS::Elasticsearch::Domain

EBS Options-EBS Enabled
Terraform
EBS Options-Iops
Terraform
EBS Options-Volume Size
Terraform
EBS Options-Volume Type
Terraform
Zone Awareness Config-Availability Zone Count
Terraform
Elasticsearch Cluster Config-Zone Awareness Enabled
Terraform

Transparent Data Encryption

Design Guidance:

AWS::Elasticsearch::Domain

Encryption At Rest Options-Enabled
Terraform

Protect Cryptographic Keys

Design Guidance:

AWS::Elasticsearch::Domain

Encryption At Rest Options-Kms Key Id
Terraform

Logging

Design Guidance:

AWS::Elasticsearch::Domain

[a-zA-Z0-9]+-Cloud Watch Logs Log Group Arn
Terraform
[a-zA-Z0-9]+-Enabled
Terraform

Backups

Design Guidance:

AWS::Elasticsearch::Domain

Snapshot Options-Automated Snapshot Start Hour
Terraform

Asset Inventory

Design Guidance:

AWS::Elasticsearch::Domain

Tags
Terraform

Firewalls

Design Guidance:

AWS::Elasticsearch::Domain

VPC Options-Security Group Ids
Terraform

Subnet Isolation

Design Guidance:

AWS::Elasticsearch::Domain

VPC Options-Subnet Ids
Terraform

Access Policy Enforcement

AWS::Elasticsearch::UpdateElasticsearchDomainConfig

SAML Options-Roles Key

Session Limits

AWS::Elasticsearch::UpdateElasticsearchDomainConfig

SAML Options-Session Timeout Minutes