Elasticsearch with HTTPS disabled
- Query id: 4cdc88e6-c0c8-4081-a639-bb3a557cbedf
- Query name: Elasticsearch with HTTPS disabled
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- URL: Github
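Description
The Amazon Elasticsearch domain does not enforce HTTPS, so traffic to the domain endpoint is not required to be encrypted in transit. To prevent this, set the attribute 'EnforceHTTPS' to true under 'DomainEndpointOptions'. The query flags the attribute when it is set to false and also when it, or the whole 'DomainEndpointOptions' block, is missing.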
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: description
Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: my-opensearch-domain
      ElasticsearchVersion: "7.9"
      ElasticsearchClusterConfig:
        InstanceType: m5.large.search
        InstanceCount: 1
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"
      DomainEndpointOptions:
        EnforceHTTPS: false
        TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"
```
Positive test num. 2 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: description
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: my-elasticsearch-domain
      ElasticsearchVersion: "7.9"
      ElasticsearchClusterConfig:
        InstanceType: m5.large.elasticsearch
        InstanceCount: 1
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp2
        VolumeSize: 10
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: "*"
            Action: es:*
            Resource: arn:aws:es:REGION:ACCOUNT_ID:domain/my-elasticsearch-domain/*
      DomainEndpointOptions:
        TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"
```
Positive test num. 3 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: description
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: my-elasticsearch-domain
      ElasticsearchVersion: "7.9"
      ElasticsearchClusterConfig:
        InstanceType: m5.large.elasticsearch
        InstanceCount: 1
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp2
        VolumeSize: 10
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: "*"
            Action: es:*
            Resource: arn:aws:es:REGION:ACCOUNT_ID:domain/my-elasticsearch-domain/*
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: description
Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: my-opensearch-domain
      ElasticsearchVersion: "7.9"
      ElasticsearchClusterConfig:
        InstanceType: m5.large.search
        InstanceCount: 1
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"
      DomainEndpointOptions:
        EnforceHTTPS: true
        TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"
```