An Elasticsearch instance is compliant if public access is disabled. If public access is enabled, the instance is also compliant as long as it does not allow access from all IP addresses.
Scenarios
If the whitelist CIDR block is set to 0.0.0.0/0, the Elasticsearch instance is accessible from the entire internet. This configuration poses a significant security risk and must be handled with caution.
Risk level
Default risk level: High.
You can change the risk level for this rule as needed.
Detection logic
An Elasticsearch instance is compliant if public access is disabled. An instance is also compliant if public access is enabled but does not allow access from all IP addresses.
An Elasticsearch instance is non-compliant if public access is enabled and allows access from all IP addresses. For more information about how to remediate this issue, see Remediation.
Rule details
Parameter | Description |
Rule name | The Elasticsearch instance is not enabled for public network access or does not allow access from any IP address. |
Rule identifier | elasticsearch-public-and-any-ip-access-check |
Tags | Elasticsearch, Public |
Automated remediation | Not supported |
Rule trigger mechanism | Periodic |
Trigger frequency | 24 hours |
Supported resource types | Elasticsearch instance |
Rule input parameters | None |
Remediation
Disable public access for the Elasticsearch instance or configure public access to not allow access from all IP addresses. For more information, see Configure PrivateLink for an instance.