Elasticsearch with HTTPS disabled

  • Query id: 00603add-7f72-448f-a6c0-9e456a7a3f94
  • Query name: Elasticsearch with HTTPS disabled
  • Platform: Pulumi
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

The Amazon Elasticsearch domain does not enforce HTTPS, so traffic to the domain endpoint is not required to be encrypted in transit. To prevent this, set the attribute 'enforceHTTPS' to true.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
name: aws
runtime: yaml
description: desc
resources:
  - type: aws.elasticsearch.Domain
    name: my-elasticsearch-domain
    properties:
      elasticsearchVersion: "7.9"
      elasticsearchClusterConfig:
        instanceType: "m5.large.elasticsearch"
        instanceCount: 1
      ebsOptions:
        ebsEnabled: true
        volumeType: "gp2"
        volumeSize: 10
      accessPolicies: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              },
              "Action": "es:*",
              "Resource": "arn:aws:es:${config.aws:region}:${aws:accountId}:domain/my-elasticsearch-domain/*"
            }
          ]
        }
      domainEndpointOptions:
        enforceHTTPS: false
        tlsSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
name: aws
runtime: yaml
description: desc
resources:
  - type: aws.elasticsearch.Domain
    name: my-elasticsearch-domain
    properties:
      elasticsearchVersion: "7.9"
      elasticsearchClusterConfig:
        instanceType: "m5.large.elasticsearch"
        instanceCount: 1
      ebsOptions:
        ebsEnabled: true
        volumeType: "gp2"
        volumeSize: 10
      domainEndpointOptions:
        enforceHTTPS: true
        tlsSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"
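
The check described above can be run locally before deployment. The following is an added example, not the query's own implementation or code from this page: it parses a Pulumi YAML program and reports every aws.elasticsearch.Domain whose enforceHTTPS is not true. It goes beyond the samples by also accepting map-style resources and a colon-separated type spelling; the names https_findings, flag_unset and the sample domain names are assumptions.

```ruby
require 'yaml'

# Type as spelled in the samples above; ':' separators are also accepted (assumption).
DOMAIN_TYPE = 'aws.elasticsearch.Domain'

# [name, resource] pairs for list-style (as in the samples) or map-style resources.
def each_resource(doc)
  case (res = doc['resources'])
  when Array then res.grep(Hash).map { |r| [r['name'], r] }
  when Hash  then res.to_a
  else []
  end
end

# Returns [[name, reason], ...] for domains that do not enforce HTTPS.
# flag_unset (hypothetical option): also report domains that never set the attribute.
def https_findings(yaml_text, flag_unset: false)
  doc = YAML.safe_load(yaml_text) || {}
  each_resource(doc).filter_map do |name, r|
    next unless r.is_a?(Hash) && r['type'].to_s.tr(':', '.') == DOMAIN_TYPE
    opts = r.dig('properties', 'domainEndpointOptions')
    value = opts.is_a?(Hash) ? opts['enforceHTTPS'] : nil
    if value.nil?
      [name, 'enforceHTTPS not set'] if flag_unset
    elsif value != true
      [name, "enforceHTTPS is #{value.inspect}"]
    end
  end
end

# Constructed sample program, modelled on the test files above.
SAMPLE = <<~YAML
  resources:
    - type: aws.elasticsearch.Domain
      name: plain-http-domain
      properties:
        domainEndpointOptions:
          enforceHTTPS: false
    - type: aws.elasticsearch.Domain
      name: https-domain
      properties:
        domainEndpointOptions:
          enforceHTTPS: true
    - type: aws.elasticsearch.Domain
      name: unset-domain
      properties: {}
YAML

https_findings(SAMPLE).each { |name, why| puts "#{name}: #{why}" }
```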