Compliance Critical severity

AWS Security Hub · ES

ES.2: A legacy Elasticsearch domain is publicly accessible

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub ES.2 check?

ES.2 checks whether a legacy Amazon Elasticsearch domain runs inside a VPC. It passes when the domain has VPCOptions set — its network interfaces live in your subnets, reachable only via private interfaces and attached security groups — and fails when the domain uses a public endpoint instead.

Why does ES.2 matter?

Search clusters make large bodies of data instantly queryable, so they tend to hold the richest concentration of data in an environment: indexed customer records, logs, documents. A public es.amazonaws.com endpoint is continuously swept by automated crawlers, and several of the largest disclosed leaks traced back to open ES domains. VPC placement lets security groups, not the open web, decide who connects.

How do I fix ES.2?

  1. Recreate the domain with VPCOptions, placing its ENIs in private subnets across multiple AZs.
  2. Attach a security group that allows only known application and admin sources.
  3. Migrate data via snapshot restore into the new VPC-based domain, then cut over.
  4. Reach the domain through a VPN, proxy, or bastion rather than a public endpoint.
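An added example, not part of Emnode's page: a small Python check that reads a DomainStatus block shaped like the output of `aws es describe-elasticsearch-domain`, reports the ES.2 status together with the follow-up points from steps 1 and 2, and builds the `--vpc-options` JSON for the rebuild in step 1. The domain names, subnet and security group ids are constructed placeholders.

```python
import json

# Constructed sample DomainStatus blocks (placeholder ids), one public and one VPC-based.
PUBLIC_DOMAIN = {
    "DomainName": "search-legacy",
    "Endpoint": "search-search-legacy-abc123.us-east-1.es.amazonaws.com",
}
VPC_DOMAIN = {
    "DomainName": "search-private",
    "Endpoints": {"vpc": "vpc-search-private-abc123.us-east-1.es.amazonaws.com"},
    "VPCOptions": {
        "VPCId": "vpc-0a1b2c3d",
        "SubnetIds": ["subnet-0aa11bb22cc33dd44", "subnet-0ee55ff66aa77bb88"],
        "AvailabilityZones": ["us-east-1a", "us-east-1b"],
        "SecurityGroupIds": ["sg-0123456789abcdef0"],
    },
}


def es2_evaluate(domain_status):
    """Return the ES.2 verdict plus the observations a reviewer wants before signing off."""
    vpc = domain_status.get("VPCOptions") or {}
    findings = []
    if not vpc.get("VPCId"):
        # No VPCOptions at all: the domain answers on a public endpoint.
        findings.append("no VPCOptions; public endpoint " + domain_status.get("Endpoint", "<unknown>"))
        return {"DomainName": domain_status["DomainName"], "Status": "FAILED", "Findings": findings}
    # ES.2 itself passes once VPCOptions exists; the rest are follow-ups from the fix steps.
    if len(set(vpc.get("AvailabilityZones", []))) < 2:
        findings.append("ENIs in a single AZ; step 1 asks for private subnets across multiple AZs")
    if not vpc.get("SecurityGroupIds"):
        findings.append("no SecurityGroupIds listed; review the group that applies (step 2)")
    return {"DomainName": domain_status["DomainName"], "Status": "PASSED", "Findings": findings}


def vpc_options_for_rebuild(subnet_ids, security_group_ids):
    """Build the JSON for `aws es create-elasticsearch-domain --vpc-options` used in step 1."""
    if len(subnet_ids) < 2:
        raise ValueError("use private subnets in at least two AZs")
    if not security_group_ids:
        raise ValueError("attach a security group that allows only known sources")
    return json.dumps({"SubnetIds": list(subnet_ids), "SecurityGroupIds": list(security_group_ids)})


if __name__ == "__main__":
    for domain in (PUBLIC_DOMAIN, VPC_DOMAIN):
        print(json.dumps(es2_evaluate(domain)))
    print(vpc_options_for_rebuild(VPC_DOMAIN["VPCOptions"]["SubnetIds"],
                                  VPC_DOMAIN["VPCOptions"]["SecurityGroupIds"]))
```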

Remediation script · bash

# Move the highest-impact case first: an RDS instance in a public subnet group.
aws rds create-db-subnet-group \
  --db-subnet-group-name prod-db-subnets-private \
  --db-subnet-group-description "Private subnets only - no IGW route" \
  --subnet-ids subnet-0aa11bb22cc33dd44 subnet-0ee55ff66aa77bb88

aws rds modify-db-instance \
  --db-instance-identifier prod-payments-db \
  --db-subnet-group-name prod-db-subnets-private \
  --apply-immediately

# Provide a private path before moving compute, so it can still reach AWS services.
# A free S3 gateway endpoint, or a narrow interface endpoint instead of a NAT gateway.
aws ec2 create-vpc-endpoint --vpc-id vpc-0a1b2c3d \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ssm \
  --subnet-ids subnet-0aa11 subnet-0bb22 \
  --security-group-ids sg-0ccfn33 --private-dns-enabled

# Force Redshift bulk traffic through the VPC (confirm an S3 gateway endpoint exists first).
aws redshift modify-cluster \
  --cluster-identifier analytics-prod --enhanced-vpc-routing

Full walkthrough (console steps, edge cases and verification) in the lesson Move resources into private networks (VPC isolation).

Is ES.2 a false positive?

A domain's public-vs-VPC choice is fixed at creation — you cannot move an existing public domain into a VPC in place, so closing ES.2 means rebuilding the domain.

Part of the learning path Tighten your databases
  • ES.1 ES domains should encrypt at rest
  • ES.3 ES should encrypt node-to-node traffic
  • ES.4 ES error logging to CW should be enabled
  • ES.5 ES domains should have audit logging
  • ES.6 ES domains should have >= 3 data nodes
  • ES.7 ES domains should have >= 3 dedicated master nodes
  • ES.8 ES should use latest TLS policy