Elasticsearch with HTTPS disabled

  • Query id: 2e9e0729-66d5-4148-9d39-5e6fb4bf2a4e
  • Query name: Elasticsearch with HTTPS disabled
  • Platform: Terraform
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
provider "aws" {
  region = "us-west-2"
}

resource "aws_elasticsearch_domain" "example" {
  domain_name           = "my-elasticsearch-domain"
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type = "t2.small.elasticsearch"
    instance_count = 1
    dedicated_master_enabled = false
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "gp2"
    volume_size = 10
  }

  vpc_options {
    subnet_ids         = ["subnet-xxxxxxxx", "subnet-yyyyyyyy"]
    security_group_ids = ["sg-xxxxxxxx"]
  }

  domain_endpoint_options {
    enforce_https = false
  }

  tags = {
    Name        = "my-elasticsearch-domain"
    Environment = "production"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
provider "aws" {
  region = "us-west-2"
}

resource "aws_elasticsearch_domain" "example" {
  domain_name           = "my-elasticsearch-domain"
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type = "t2.small.elasticsearch"
    instance_count = 1
    dedicated_master_enabled = false
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "gp2"
    volume_size = 10
  }

  vpc_options {
    subnet_ids         = ["subnet-xxxxxxxx", "subnet-yyyyyyyy"]
    security_group_ids = ["sg-xxxxxxxx"]
  }

  domain_endpoint_options {
    enforce_https = true
  }

  tags = {
    Name        = "my-elasticsearch-domain"
    Environment = "production"
  }
}