Elasticsearch Without IAM Authentication
- Query id: 5c666ed9-b586-49ab-9873-c495a833b705
- Query name: Elasticsearch Without IAM Authentication
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- CWE: 285
- URL: Github
Description¶
AWS Elasticsearch domains should require IAM authentication: the domain access policy must not grant access to the wildcard principal (`"AWS": "*"`), but only to specific IAM identities.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
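AWSTemplateFormatVersion: "2010-09-09"
Description: Creates ES
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: "test"
      ElasticsearchVersion: "7.10"
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: true
        InstanceCount: "2"
        ZoneAwarenessEnabled: true
        InstanceType: "m3.medium.elasticsearch"
        DedicatedMasterType: "m3.medium.elasticsearch"
        DedicatedMasterCount: "3"
      EBSOptions:
        EBSEnabled: true
        Iops: "0"
        VolumeSize: "20"
        VolumeType: "gp2"
      # Finding: this resource policy allows every Elasticsearch action
      # ("es:*") for the wildcard principal ("*"), i.e. any AWS account or
      # anonymous caller. No IAM identity is required, so IAM
      # authentication is effectively not enforced on this domain.
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: "*"  # wildcard principal - this is what the query flags
            Action: "es:*"
            Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*"
      LogPublishingOptions:
        ES_APPLICATION_LOGS:
          CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-application-logs"
          Enabled: true
        SEARCH_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs"
          Enabled: true
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs"
          Enabled: true
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: true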
Positive test num. 2 - json file
{
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": "test",
"ElasticsearchVersion": "7.10",
"ElasticsearchClusterConfig": {
"DedicatedMasterEnabled": true,
"InstanceCount": "2",
"ZoneAwarenessEnabled": true,
"InstanceType": "m3.medium.elasticsearch",
"DedicatedMasterType": "m3.medium.elasticsearch",
"DedicatedMasterCount": "3"
},
"EBSOptions": {
"EBSEnabled": true,
"Iops": "0",
"VolumeSize": "20",
"VolumeType": "gp2"
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*"
}
]
},
"LogPublishingOptions": {
"ES_APPLICATION_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-application-logs",
"Enabled": true
},
"SEARCH_SLOW_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
"Enabled": true
},
"INDEX_SLOW_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs",
"Enabled": true
}
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": true
}
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Creates RDS Cluster"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
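AWSTemplateFormatVersion: "2010-09-09"
Description: Creates ES
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: "test"
      ElasticsearchVersion: "7.10"
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: true
        InstanceCount: "2"
        ZoneAwarenessEnabled: true
        InstanceType: "m3.medium.elasticsearch"
        DedicatedMasterType: "m3.medium.elasticsearch"
        DedicatedMasterCount: "3"
      EBSOptions:
        EBSEnabled: true
        Iops: "0"
        VolumeSize: "20"
        VolumeType: "gp2"
      # Compliant: the only principal allowed is a specific IAM identity,
      # so every request to the domain must be signed by that identity.
      # "es:*" is still a broad action set; narrowing it to the actions the
      # caller actually needs is a further least-privilege improvement.
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::123456789012:user/es-user"  # scoped principal, not "*"
            Action: "es:*"
            Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*"
      LogPublishingOptions:
        ES_APPLICATION_LOGS:
          CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-application-logs"
          Enabled: true
        SEARCH_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs"
          Enabled: true
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs"
          Enabled: true
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: true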
Negative test num. 2 - json file
{
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": "test",
"ElasticsearchVersion": "7.10",
"ElasticsearchClusterConfig": {
"DedicatedMasterEnabled": true,
"InstanceCount": "2",
"ZoneAwarenessEnabled": true,
"InstanceType": "m3.medium.elasticsearch",
"DedicatedMasterType": "m3.medium.elasticsearch",
"DedicatedMasterCount": "3"
},
"EBSOptions": {
"EBSEnabled": true,
"Iops": "0",
"VolumeSize": "20",
"VolumeType": "gp2"
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/es-user"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*"
}
]
},
"LogPublishingOptions": {
"ES_APPLICATION_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-application-logs",
"Enabled": true
},
"SEARCH_SLOW_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs",
"Enabled": true
},
"INDEX_SLOW_LOGS": {
"CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs",
"Enabled": true
}
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": true
}
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Creates RDS Cluster"
}