Elasticsearch with HTTPS disabled

  • Query id: 4cdc88e6-c0c8-4081-a639-bb3a557cbedf
  • Query name: Elasticsearch with HTTPS disabled
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Networking and Firewall
  • URL: Github

Description

Amazon Elasticsearch does not have encryption for its domains enabled. To prevent such a scenario, update the attribute 'EnforceHTTPS' to true.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: description
Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: my-opensearch-domain
      ElasticsearchVersion: "7.9"
      ElasticsearchClusterConfig:
        InstanceType: m5.large.search
        InstanceCount: 1
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"
      DomainEndpointOptions:
        EnforceHTTPS: false
        TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: description
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: my-elasticsearch-domain
      ElasticsearchVersion: "7.9"
      ElasticsearchClusterConfig:
        InstanceType: m5.large.elasticsearch
        InstanceCount: 1
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp2
        VolumeSize: 10
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: "*"
            Action: es:*
            Resource: arn:aws:es:REGION:ACCOUNT_ID:domain/my-elasticsearch-domain/*
      DomainEndpointOptions:
        TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: description
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: my-elasticsearch-domain
      ElasticsearchVersion: "7.9"
      ElasticsearchClusterConfig:
        InstanceType: m5.large.elasticsearch
        InstanceCount: 1
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp2
        VolumeSize: 10
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: "*"
            Action: es:*
            Resource: arn:aws:es:REGION:ACCOUNT_ID:domain/my-elasticsearch-domain/*

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: description
Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: my-opensearch-domain
      ElasticsearchVersion: "7.9"
      ElasticsearchClusterConfig:
        InstanceType: m5.large.search
        InstanceCount: 1
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"
      DomainEndpointOptions:
        EnforceHTTPS: true
        TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"