Elasticsearch with HTTPS disabled
- Query id: 00603add-7f72-448f-a6c0-9e456a7a3f94
- Query name: Elasticsearch with HTTPS disabled
- Platform: Pulumi
- Severity: High
- Category: Networking and Firewall
- URL: Github
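Description
The Amazon Elasticsearch domain does not enforce HTTPS on its endpoint, so traffic to the domain is not required to be encrypted in transit. To prevent such a scenario, set the attribute 'EnforceHTTPS' (`enforceHTTPS` under `domainEndpointOptions` in the samples on this page) to true.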
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
name: aws
runtime: yaml
description: desc
resources:
  - type: aws.elasticsearch.Domain
    name: my-elasticsearch-domain
    properties:
      elasticsearchVersion: "7.9"
      elasticsearchClusterConfig:
        instanceType: "m5.large.elasticsearch"
        instanceCount: 1
      ebsOptions:
        ebsEnabled: true
        volumeType: "gp2"
        volumeSize: 10
      accessPolicies: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "*"
              },
              "Action": "es:*",
              "Resource": "arn:aws:es:${config.aws:region}:${aws:accountId}:domain/my-elasticsearch-domain/*"
            }
          ]
        }
      domainEndpointOptions:
        enforceHTTPS: false
        tlsSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
name: aws
runtime: yaml
description: desc
resources:
  - type: aws.elasticsearch.Domain
    name: my-elasticsearch-domain
    properties:
      elasticsearchVersion: "7.9"
      elasticsearchClusterConfig:
        instanceType: "m5.large.elasticsearch"
        instanceCount: 1
      ebsOptions:
        ebsEnabled: true
        volumeType: "gp2"
        volumeSize: 10
      domainEndpointOptions:
        enforceHTTPS: true
        tlsSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"
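
The check that separates the two samples above can be sketched as follows. This is an added example, not the scanner's own query: it works on a Pulumi YAML program that has already been parsed into a dict, the function names are hypothetical, and reporting a missing `domainEndpointOptions` block or a missing `enforceHTTPS` key as a finding is an assumption of the example.

```python
# Added example: flag aws.elasticsearch.Domain resources that do not enforce HTTPS.
RESOURCE_TYPE = "aws.elasticsearch.Domain"

def iter_resources(program):
    """Yield (name, resource) for list-form resources (as on this page) or map-form."""
    resources = program.get("resources") or {}
    if isinstance(resources, dict):
        for name, res in resources.items():
            yield name, res
    else:
        for res in resources:
            yield res.get("name", "<unnamed>"), res

def find_http_domains(program):
    """Return a list of (resource name, reason) findings."""
    findings = []
    for name, res in iter_resources(program):
        if not isinstance(res, dict) or res.get("type") != RESOURCE_TYPE:
            continue
        props = res.get("properties") or {}
        opts = props.get("domainEndpointOptions")
        if not isinstance(opts, dict):
            # Assumption of this example: an absent block is reported too.
            findings.append((name, "domainEndpointOptions is not defined"))
        elif "enforceHTTPS" not in opts:
            findings.append((name, "enforceHTTPS is not defined"))
        elif opts["enforceHTTPS"] is not True:
            # Only the boolean true passes; false or a quoted string is flagged.
            findings.append((name, "enforceHTTPS is not true"))
    return findings

def make_program(endpoint_options, as_map=False):
    """Constructed sample modelled on the page's YAML, already parsed to a dict."""
    res = {"type": RESOURCE_TYPE,
           "properties": {"elasticsearchVersion": "7.9"}}
    if endpoint_options is not None:
        res["properties"]["domainEndpointOptions"] = endpoint_options
    if as_map:
        return {"name": "aws", "runtime": "yaml",
                "resources": {"my-elasticsearch-domain": res}}
    return {"name": "aws", "runtime": "yaml",
            "resources": [dict(res, name="my-elasticsearch-domain")]}

if __name__ == "__main__":
    for opts in ({"enforceHTTPS": False}, {"enforceHTTPS": True}, None):
        print(opts, "->", find_http_domains(make_program(opts)))
```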