Ensure that Elasticsearch database is not exposed to the internet (ports 9200 and/or 9300)

Overview

Services and databases store data that may be sensitive, protected by law, subject to regulatory requirements or compliance standards.

Review the affected security group and reduce its scope if possible.

We recommend accessing Elasticsearch only from within your VPC.

Remediation guidance

AWS remediation

Restrict Elasticsearch/OpenSearch ports 9200 and 9300 to trusted sources only.

Console

Open affected security group.
Remove 0.0.0.0/0 and ::/0 ingress on ports 9200 and 9300.
Allow only trusted CIDRs or app security groups.

AWS CLI

aws ec2 revoke-security-group-ingress \
  --group-id <sg-id> \
  --ip-permissions IpProtocol=tcp,FromPort=9200,ToPort=9200,IpRanges='[{CidrIp=0.0.0.0/0}]'
aws ec2 revoke-security-group-ingress \
  --group-id <sg-id> \
  --ip-permissions IpProtocol=tcp,FromPort=9300,ToPort=9300,IpRanges='[{CidrIp=0.0.0.0/0}]'

References

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html
https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html

Multiple Remediation Paths

AWS

SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.

PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.

References for Service-Wide Patterns

AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

AWS: deploy/adjust organization conformance packs and policy guardrails.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Potential Elasticsearch database exposed to the internet (ports 9200 and/or 9300)

Connectors

AWS

Covered asset types

SecurityGroup

Expected check: eq []

{ securityGroups(where: {vms_NOT: null, rules_SOME: {direction: "Inbound", AND: [{OR: [{sources_INCLUDES: "cidr:0.0.0.0/0"}, {sources_INCLUDES: "cidr:::/0"}]}, {OR: [{destFromPort_LTE: 9200, destToPort_GTE: 9200}, {destFromPort_LTE: 9300, destToPort_GTE: 9300}]}]}}) {...AssetFragment}}