Elasticsearch Without IAM Authentication
- Query id: e7530c3c-b7cf-4149-8db9-d037a0b5268e
- Query name: Elasticsearch Without IAM Authentication
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 285
- URL: Github
Description¶
AWS Elasticsearch should ensure IAM Authentication
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_elasticsearch_domain" "example" {
domain_name = "tf-test"
elasticsearch_version = "2.3"
}
resource "aws_elasticsearch_domain_policy" "main" {
domain_name = aws_elasticsearch_domain.example.domain_name
access_policies = <<POLICIES
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Principal": "*",
"Effect": "Allow",
"Condition": {
"IpAddress": {"aws:SourceIp": "127.0.0.1/32"}
},
"Resource": "${aws_elasticsearch_domain.example.arn}/*"
}
]
}
POLICIES
}
Positive test num. 2 - tf file
resource "aws_elasticsearch_domain" "example2" {
domain_name = "tf-test"
elasticsearch_version = "2.3"
}
resource "aws_elasticsearch_domain_policy" "main2" {
domain_name = aws_elasticsearch_domain.example2.domain_name
access_policies = <<POLICIES
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Effect": "Allow",
"Condition": {
"IpAddress": {"aws:SourceIp": "127.0.0.1/32"}
},
"Resource": "${aws_elasticsearch_domain.example2.arn}/*"
}
]
}
POLICIES
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_elasticsearch_domain" "negativee" {
domain_name = "tf-test"
elasticsearch_version = "2.3"
}
resource "aws_elasticsearch_domain_policy" "main8" {
domain_name = aws_elasticsearch_domain.negativee.domain_name
access_policies = <<POLICIES
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Principal" : {
"AWS": [
"arn:aws:iam::123456789012:root",
"arn:aws:iam::555555555555:root"
]
},
"Effect": "Allow",
"Condition": {
"IpAddress": {"aws:SourceIp": "127.0.0.1/32"}
},
"Resource": "${aws_elasticsearch_domain.negativee.arn}/*"
}
]
}
POLICIES
}