Turbot Guardrails Hub 
Control: AWS > PCI v3.2.1 > Elasticsearch > 1 Amazon Elasticsearch Service domains should be in a VPC

This control checks whether Amazon Elasticsearch Service domains are in a VPC.

It does not evaluate the VPC subnet routing configuration to determine public reachability.

This AWS control also does not check whether the Amazon ES resource-based policy permits public access by other accounts or external entities. You should ensure that Amazon ES domains are not attached to public subnets. See Resource-based policies in the Amazon Elasticsearch Service Developer Guide.
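
The check described above, together with the two follow-ups it leaves to you, as an added example (not Turbot's or AWS's own code). It assumes input shaped like the DomainStatus entries returned by the Amazon ES DescribeElasticsearchDomains API; the sample domains, the "ok"/"alarm" labels and the function names are constructed for illustration.

```python
import json

def in_vpc(domain):
    """The control's question: is the domain attached to a VPC?"""
    return bool((domain.get("VPCOptions") or {}).get("VPCId"))

def wildcard_allow_statements(domain):
    """Follow-up the control skips: unconditioned Allow for any principal."""
    policy = json.loads(domain.get("AccessPolicies") or "{}")
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    found = []
    for s in stmts:
        principal = s.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        values = aws if isinstance(aws, list) else [aws]
        if s.get("Effect") == "Allow" and "*" in values and not s.get("Condition"):
            found.append(s.get("Sid", "<no Sid>"))
    return found

def evaluate(domain):
    vpc = domain.get("VPCOptions") or {}
    return {
        "domain": domain["DomainName"],
        "control": "ok" if in_vpc(domain) else "alarm",
        # Being in a VPC says nothing about routing: these subnets still
        # need their route tables reviewed for public reachability.
        "review_subnet_routes": vpc.get("SubnetIds", []),
        "review_policy_statements": wildcard_allow_statements(domain),
    }

# Constructed sample data (not real resources).
SAMPLE = [
    {"DomainName": "logs-public",
     "Endpoint": "search-logs-public.example",
     "AccessPolicies": json.dumps({"Statement": [
         {"Sid": "OneRole", "Effect": "Allow", "Action": "es:*",
          "Principal": {"AWS": "arn:aws:iam::111122223333:role/example"}}]})},
    {"DomainName": "logs-vpc",
     "VPCOptions": {"VPCId": "vpc-0example", "SubnetIds": ["subnet-0example"]},
     "AccessPolicies": json.dumps({"Statement": [
         {"Sid": "AnyPrincipal", "Effect": "Allow", "Action": "es:*",
          "Principal": {"AWS": "*"}}]})},
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(evaluate(d))
```

The second sample domain passes the control yet still carries a wildcard-principal statement and a subnet whose routing has not been reviewed, which is the gap the two caveats above describe.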

Remediation

If you create a domain with a public endpoint, you cannot later place it within a VPC. Instead, you must create a new domain and migrate your data.

The reverse is also true. If you create a domain within a VPC, it cannot have a public endpoint. Instead, you must either create another domain or disable this control.

See the information on migrating from public access to VPC access in the Amazon Elasticsearch Service Developer Guide.

PCI requirement(s): 1.2.1, 1.3.1, 1.3.2, 1.3.4, 1.3.6

Resource Types

This control targets the following resource types:

  • AWS > Elasticsearch > Domain

Policies

This control type relies on these other policies when running actions:

  • AWS > PCI v3.2.1

Category

  • Compliance > PCI

In Your Workspace

  • Controls by Resource report
  • Controls by Control Type report

Developers

  • Control Type URI
    • tmod:@turbot/aws-pciv3-2-1#/control/types/esDomainInVpc
  • Category URI
    • tmod:@turbot/turbot#/control/categories/compliancePci
  • GraphQL
    • query controlType(id: "tmod:@turbot/aws-pciv3-2-1#/control/types/esDomainInVpc") { … }
    • query controls(filter: "controlTypeId:'tmod:@turbot/aws-pciv3-2-1#/control/types/esDomainInVpc'") { … }
  • CLI
    • Get Controls
    • turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/esDomainInVpc"