Checks whether the virtual private clouds (VPCs) associated with an Elasticsearch cluster fall within the VPC range specified by the input parameter of this rule. If the input parameter is left empty, the rule instead checks whether the network type of the Elasticsearch cluster is set to VPC.

Scenarios

We recommend that you purchase an Elasticsearch cluster of the VPC network type to isolate the cluster's network and protect the security of your cloud network.

Risk level

Default risk level: medium.

You can change the risk level as required when you apply this rule.

Compliance evaluation logic

  • If the input parameter is set and the VPCs associated with the Elasticsearch cluster fall within the VPC range specified by the input parameter, the evaluation result is compliant. If the input parameter is left empty but the network type of the Elasticsearch cluster is set to VPC, the evaluation result is compliant.
  • If the input parameter is set but the VPCs associated with the Elasticsearch cluster fall outside the VPC range specified by the input parameter, the evaluation result is non-compliant. If the input parameter is left empty and the network type of the Elasticsearch cluster is set to the classic network, the evaluation result is non-compliant. For more information about how to correct the non-compliant configuration, see Non-compliance remediation.
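
The evaluation logic above can be reproduced locally against an inventory of cluster records. The following is an added example, not code from the rule or the provider. The record layout (instanceId, networkConfig.type, networkConfig.vpcId), the function names and the sample clusters are assumptions constructed for illustration.

```python
from typing import Optional

COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"

def parse_vpc_ids(raw: Optional[str]) -> set:
    """Split the comma-separated vpcIds parameter into a set of IDs.
    Assumption: surrounding whitespace and blank entries are ignored."""
    if not raw:
        return set()
    return {v.strip() for v in raw.split(",") if v.strip()}

def evaluate(cluster: dict, vpc_ids_param: Optional[str] = None) -> str:
    """Apply the rule's evaluation logic to one cluster record."""
    allowed = parse_vpc_ids(vpc_ids_param)
    net = cluster.get("networkConfig") or {}   # assumed field name
    net_type = (net.get("type") or "").lower()
    vpc_id = net.get("vpcId")
    if not allowed:
        # Input parameter left empty: only the network type is checked.
        return COMPLIANT if net_type == "vpc" else NON_COMPLIANT
    # Input parameter set: the cluster's VPC must be in the allowed range.
    # Assumption: a classic-network cluster has no VPC ID, so it cannot
    # fall within the range and is reported as non-compliant.
    return COMPLIANT if vpc_id in allowed else NON_COMPLIANT

# Constructed sample inventory (not real resources).
SAMPLE_CLUSTERS = [
    {"instanceId": "es-example-1",
     "networkConfig": {"type": "vpc", "vpcId": "vpc-aaa"}},
    {"instanceId": "es-example-2",
     "networkConfig": {"type": "vpc", "vpcId": "vpc-zzz"}},
    {"instanceId": "es-example-3",
     "networkConfig": {"type": "classic"}},
]

def report(clusters, vpc_ids_param=None) -> dict:
    """Map each cluster ID to its evaluation result."""
    return {c["instanceId"]: evaluate(c, vpc_ids_param) for c in clusters}

if __name__ == "__main__":
    for param in (None, "vpc-aaa, vpc-bbb"):
        print(f"vpcIds={param!r}: {report(SAMPLE_CLUSTERS, param)}")
```
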

Rule details

| Item | Description |
| --- | --- |
| Rule name | elasticsearch-instance-in-vpc |
| Rule ID | elasticsearch-instance-in-vpc |
| Tag | Elasticsearch and VPC |
| Automatic remediation | Not supported |
| Trigger type | Configuration change |
| Supported resource type | Elasticsearch cluster |
| Input parameter | vpcIds. Note: Separate multiple parameter values with commas (,). |

Non-compliance remediation

Create an Elasticsearch cluster of the VPC network type. For more information, see Getting Started.