Elasticsearch Domain With Vulnerable Policy
- Query id: 16c4216a-50d3-4785-bfb2-4adb5144a8ba
- Query name: Elasticsearch Domain With Vulnerable Policy
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github
Description
Elasticsearch domain access policies should avoid wildcards in 'Action' and 'Principal': a "*" principal allows any caller and "es:*" grants every domain operation.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Provider scaffolding for the fixture; the query description concerns the
# domain access policy, not the provider or region.
provider "aws" {
  region = "us-east-1"
}
# Domain the vulnerable policy below is attached to. The domain itself carries
# no policy; only ebs_options are set, which are incidental to this query.
resource "aws_elasticsearch_domain" "es-not-secure-policy" {
  domain_name = "es-not-secure-policy"

  ebs_options {
    ebs_enabled = true
    volume_size = 10
    volume_type = "gp2"
  }
}
# Vulnerable fixture: the access policy below is the pattern the query flags.
resource "aws_elasticsearch_domain_policy" "main" {
  domain_name = aws_elasticsearch_domain.es-not-secure-policy.domain_name

  # "Principal": "*" combined with "Action": "es:*" allows any caller to perform
  # every Elasticsearch operation on the domain. The statement names no
  # Resource and carries no Condition (such as a source-IP restriction) that
  # would narrow it. Do not copy this policy into real infrastructure.
  access_policies = <<POLICIES
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Principal": "*",
"Effect": "Allow"
}
]
}
POLICIES
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Domain the compliant policy below is attached to. elasticsearch_version is
# fixture data only; the query description concerns the policy, not the domain.
resource "aws_elasticsearch_domain" "example2" {
  domain_name           = "tf-test"
  elasticsearch_version = "2.3"
}
# Compliant fixture: an explicit principal, a single named action and an
# explicit resource, so neither "Action" nor "Principal" is a wildcard.
resource "aws_elasticsearch_domain_policy" "main2" {
  domain_name = aws_elasticsearch_domain.example2.domain_name

  # Principal is one IAM user ARN, Action is the single HTTP GET call
  # "es:ESHttpGet", and Resource is scoped to one index's _search path.
  # NOTE(review): the Resource ARN (account 987654321098, region us-west-1,
  # domain "test-domain") does not match the "tf-test" domain this policy is
  # attached to; harmless in a fixture, but a copied policy would need the
  # account, region and domain of the target to line up.
  access_policies = <<POLICIES
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/test-user"
]
},
"Action": [
"es:ESHttpGet"
],
"Resource": "arn:aws:es:us-west-1:987654321098:domain/test-domain/test-index/_search"
}
]
}
POLICIES
}