Skip to main content

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the ElasticSearch misconfiguration of using HTTPS only in AWS using the AWS console, you can follow the below steps:
  1. Log in to the AWS Management Console and navigate to the ElasticSearch service.
  2. Select the misconfigured ElasticSearch domain.
  3. In the domain dashboard, click on the “Edit” button in the “Encryption” section.
  4. In the “Encryption” section, select the “Require HTTPS” option.
  5. Click on the “Save Changes” button to apply the new configuration.
  6. Once the changes are saved, ElasticSearch will only be accessible through HTTPS.
  7. Verify the changes by attempting to access the ElasticSearch domain using HTTP. It should not be accessible and should return an error message.
By following these steps, you can remediate the misconfiguration of ElasticSearch not using HTTPS only in AWS.

To remediate the ElasticSearch misconfiguration of using HTTPS only in AWS using AWS CLI, you can follow the below steps:
  1. Open the AWS CLI and run the following command to get the current status of the ElasticSearch domain: 
    aws es describe-elasticsearch-domain --domain-name <domain-name>
    Replace <domain-name> with the name of your ElasticSearch domain.
  2. Check the output of the above command for the value of the EncryptionAtRestOptions parameter. If it is not set to Enabled, then run the following command to enable encryption at rest: 
    aws es update-elasticsearch-domain-config --domain-name <domain-name> --encryption-at-rest-options Enabled=true
    Replace <domain-name> with the name of your ElasticSearch domain.
  3. Next, run the following command to update the ElasticSearch domain to use HTTPS only: 
    aws es update-elasticsearch-domain-config --domain-name <domain-name> --advanced-security-options Enabled=true,InternalUserDatabaseEnabled=false,MasterUserOptions.Enabled=false,NodeToNodeEncryptionOptions.Enabled=false,EncryptionAtRestOptions.Enabled=true,HTTPSEnabled=true
    Replace <domain-name> with the name of your ElasticSearch domain.
  4. After running the above command, wait for a few minutes for the changes to take effect. You can check the status of the ElasticSearch domain again by running the describe-elasticsearch-domain command. 
    aws es describe-elasticsearch-domain --domain-name <domain-name>
    If the output of this command shows that the HTTPSEnabled parameter is set to true, then the ElasticSearch domain is now using HTTPS only.
By following these steps, you can remediate the ElasticSearch misconfiguration of using HTTPS only in AWS using AWS CLI.
To remediate this misconfiguration on AWS using Python, you can follow the steps below:
  1. Install the AWS SDK for Python (Boto3) by running the following command in your terminal:
pip install boto3
  1. Create an AWS ElasticSearch client using the Boto3 library:
import boto3

es_client = boto3.client('es')
  1. Get the ElasticSearch domain configuration using the describe_elasticsearch_domain method:
domain_name = 'your-domain-name'
domain_config = es_client.describe_elasticsearch_domain(DomainName=domain_name)
  1. Check if the ElasticSearch domain is using HTTPS only by looking at the DomainStatus dictionary:
domain_status = domain_config['DomainStatus']
if domain_status['EncryptionAtRestOptions']['Enabled'] and domain_status['NodeToNodeEncryptionOptions']['Enabled'] and domain_status['AdvancedSecurityOptions']['Enabled']:
    print('ElasticSearch domain is already using HTTPS only')
else:
    # Remediate the misconfiguration
  1. If the ElasticSearch domain is not using HTTPS only, update the domain configuration using the update_elasticsearch_domain_config method:
from botocore.exceptions import ClientError

try:
    response = es_client.update_elasticsearch_domain_config(
        DomainName=domain_name,
        AdvancedSecurityOptions={
            'Enabled': True,
            'InternalUserDatabaseEnabled': False,
            'MasterUserOptions': {
                'MasterUserARN': 'arn:aws:iam::123456789012:user/elasticsearch-master-user',
                'MasterUserName': 'elasticsearch-master-user',
                'MasterUserPassword': 'your-password'
            }
        }
    )
    print('ElasticSearch domain configuration updated successfully')
except ClientError as e:
    print('Error updating ElasticSearch domain configuration: {}'.format(e))
  1. Verify that the ElasticSearch domain is now using HTTPS only by checking the DomainStatus dictionary again:
domain_config = es_client.describe_elasticsearch_domain(DomainName=domain_name)
domain_status = domain_config['DomainStatus']
if domain_status['EncryptionAtRestOptions']['Enabled'] and domain_status['NodeToNodeEncryptionOptions']['Enabled'] and domain_status['AdvancedSecurityOptions']['Enabled']:
    print('ElasticSearch domain is now using HTTPS only')
else:
    print('Failed to remediate ElasticSearch misconfiguration')
Note: In the code above, we assume that the ElasticSearch domain is not using VPC and that you have an IAM user with the necessary permissions to update the ElasticSearch domain configuration. Also, make sure to replace your-domain-name and your-password with the actual values for your ElasticSearch domain.
I