ElasticSearch Encryption With KMS Disabled
- Query id: d926aa95-0a04-4abc-b20c-acf54afe38a1
- Query name: ElasticSearch Encryption With KMS Disabled
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- CWE: 326
- URL: Github
Description¶
Checks whether any ElasticSearch domain is not encrypted at rest with a KMS key.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
---
# Positive sample: encryption at rest is switched on, but no KmsKeyId is
# given, so the domain is not tied to an explicit KMS key. That is the
# condition this query reports.
AWSTemplateFormatVersion: "2010-09-09"
# NOTE(review): the description says RDS, but the only resource declared
# below is an Elasticsearch domain.
Description: Creates RDS Cluster
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: "test"
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: "true"
        InstanceCount: "2"
        ZoneAwarenessEnabled: "true"
        InstanceType: "m3.medium.elasticsearch"
        DedicatedMasterType: "m3.medium.elasticsearch"
        DedicatedMasterCount: "3"
      # Enabled is present, KmsKeyId is not; the negative sample on this
      # page differs from this one only by adding KmsKeyId here.
      EncryptionAtRestOptions:
        Enabled: true
      EBSOptions:
        EBSEnabled: true
        Iops: 0
        VolumeSize: 20
        VolumeType: "gp2"
      SnapshotOptions:
        AutomatedSnapshotStartHour: "0"
      # Access policy: one IAM user is allowed every es:* action on the domain.
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::123456789012:user/es-user"
            Action: "es:*"
            Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*"
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"
Positive test num. 2 - json file
{
"Description": "Creates RDS Cluster",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"EncryptionAtRestOptions": {
"Enabled": true
},
"EBSOptions": {
"EBSEnabled": true,
"Iops": 0,
"VolumeSize": 20,
"VolumeType": "gp2"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": "0"
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/es-user"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:846973539254:domain/test/*"
}
]
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true"
},
"DomainName": "test",
"ElasticsearchClusterConfig": {
"DedicatedMasterType": "m3.medium.elasticsearch",
"DedicatedMasterCount": "3",
"DedicatedMasterEnabled": "true",
"InstanceCount": "2",
"ZoneAwarenessEnabled": "true",
"InstanceType": "m3.medium.elasticsearch"
}
}
}
},
"AWSTemplateFormatVersion": "2010-09-09"
}
Positive test num. 3 - yaml file
---
# Positive sample: the domain declares no EncryptionAtRestOptions block at
# all, so there is neither an Enabled flag nor a KmsKeyId.
AWSTemplateFormatVersion: "2010-09-09"
# NOTE(review): the description says RDS, but the only resource declared
# below is an Elasticsearch domain.
Description: Creates RDS Cluster2
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: "test"
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: "true"
        InstanceCount: "2"
        ZoneAwarenessEnabled: "true"
        InstanceType: "m3.medium.elasticsearch"
        DedicatedMasterType: "m3.medium.elasticsearch"
        DedicatedMasterCount: "3"
      # No EncryptionAtRestOptions here: the finding is the missing block,
      # not a wrong value inside it.
      EBSOptions:
        EBSEnabled: true
        Iops: 0
        VolumeSize: 20
        VolumeType: "gp2"
      SnapshotOptions:
        AutomatedSnapshotStartHour: "0"
      # Access policy: one IAM user is allowed every es:* action on the domain.
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::123456789012:user/es-user"
            Action: "es:*"
            Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*"
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"
Positive test num. 4 - json file
{
"Description": "Creates RDS Cluster2",
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"EBSOptions": {
"EBSEnabled": true,
"Iops": 0,
"VolumeSize": 20,
"VolumeType": "gp2"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": "0"
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/es-user"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:846973539254:domain/test/*"
}
]
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true"
},
"DomainName": "test",
"ElasticsearchClusterConfig": {
"DedicatedMasterType": "m3.medium.elasticsearch",
"DedicatedMasterCount": "3",
"DedicatedMasterEnabled": "true",
"InstanceCount": "2",
"ZoneAwarenessEnabled": "true",
"InstanceType": "m3.medium.elasticsearch"
}
}
}
},
"AWSTemplateFormatVersion": "2010-09-09"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
---
# Negative sample: encryption at rest is enabled AND a KmsKeyId is set,
# so the domain's data-at-rest encryption is tied to a named KMS key.
AWSTemplateFormatVersion: "2010-09-09"
# NOTE(review): the description says RDS, but the only resource declared
# below is an Elasticsearch domain.
Description: Creates RDS Cluster
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: "test"
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: "true"
        InstanceCount: "2"
        ZoneAwarenessEnabled: "true"
        InstanceType: "m3.medium.elasticsearch"
        DedicatedMasterType: "m3.medium.elasticsearch"
        DedicatedMasterCount: "3"
      # Both keys present; "some-kms-key-id" is a placeholder, not a real
      # key identifier.
      EncryptionAtRestOptions:
        Enabled: true
        KmsKeyId: "some-kms-key-id"
      EBSOptions:
        EBSEnabled: true
        Iops: 0
        VolumeSize: 20
        VolumeType: "gp2"
      SnapshotOptions:
        AutomatedSnapshotStartHour: "0"
      # Access policy: one IAM user is allowed every es:* action on the domain.
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::123456789012:user/es-user"
            Action: "es:*"
            Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*"
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: "true"
Negative test num. 2 - json file
{
"Resources": {
"ElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/es-user"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:846973539254:domain/test/*"
}
]
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true"
},
"DomainName": "test",
"ElasticsearchClusterConfig": {
"DedicatedMasterCount": "3",
"DedicatedMasterEnabled": "true",
"InstanceCount": "2",
"ZoneAwarenessEnabled": "true",
"InstanceType": "m3.medium.elasticsearch",
"DedicatedMasterType": "m3.medium.elasticsearch"
},
"EncryptionAtRestOptions": {
"Enabled": true,
"KmsKeyId": "some-kms-key-id"
},
"EBSOptions": {
"EBSEnabled": true,
"Iops": 0,
"VolumeSize": 20,
"VolumeType": "gp2"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": "0"
}
}
}
},
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Creates RDS Cluster"
}