Elasticsearch instance has no public network access or does not allow access from anywhere

更新时间:
复制 MD 格式

An Elasticsearch instance is compliant if public access is disabled. If public access is enabled, the instance is also compliant as long as it does not allow access from all IP addresses.

Scenarios

If the whitelist CIDR block is set to 0.0.0.0/0, the Elasticsearch instance is accessible from the entire internet. This configuration poses a significant security risk and must be handled with caution.

Risk level

Default risk level: High.

You can change the risk level for this rule as needed.

Detection logic

  • An Elasticsearch instance is compliant if public access is disabled. An instance is also compliant if public access is enabled but does not allow access from all IP addresses.

  • An Elasticsearch instance is non-compliant if public access is enabled and allows access from all IP addresses. For more information about how to remediate this issue, see Remediation.

Rule details

Parameter

Description

Rule name

The Elasticsearch instance is not enabled for public network access or does not allow access from any IP address.

Rule identifier

elasticsearch-public-and-any-ip-access-check

Tags

Elasticsearch, Public

Automated remediation

Not supported

Rule trigger mechanism

Periodic

Trigger frequency

24 hours

Supported resource types

Elasticsearch instance

Rule input parameters

None

Remediation

Disable public access for the Elasticsearch instance or configure public access to not allow access from all IP addresses. For more information, see Configure PrivateLink for an instance.