Ensure that there is no Wildcard principal in ElasticSearch access policy

Amazon OpenSearch Service offers several ways to control access to your domains: resource-based policies, identity-based policies, and IP-based policies. When writing a policy statement, make sure you DO NOT set a wildcard (*) in the Principal property. A wildcard principal grants every user access to your Elasticsearch domain and control over it.

Risk Level: High
Cloud Entity: Amazon ElasticSearch service
CloudGuard Rule ID: D9.CFT.IAM.41
Covered by Spectral: Yes
Category: Analytics

GSL LOGIC

AWS_Elasticsearch_Domain should not have AccessPolicies.Statement contain-any [ Effect='Allow' and ( Principal='*' or Principal.AWS='*' ) ]

REMEDIATION

From CFT
Make sure that for every statement in the AccessPolicies property of AWS::Elasticsearch::Domain with Effect: Allow, Principal::AWS (or Principal itself) is NOT set to the value '*' in your template.
See the example of a non-compliant domain below:

Resources:
  BADDOMAIN:
    Type: AWS::Elasticsearch::Domain
    Properties:
      ...
      AccessPolicies:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS: '*'
      ...
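
The following Python script is added here as an example; it is not part of the CloudGuard rule or its GSL. It applies the same check as the GSL logic above (an Allow statement with Principal '*' or Principal.AWS '*') to a parsed CloudFormation template, so a template can be screened before deployment. It goes beyond the GSL in two ways: it also accepts the list form of Principal.AWS, and it also inspects AWS::OpenSearchService::Domain, the newer resource type that carries the same AccessPolicies property. The sample template, its logical IDs, the account ID and the role name are constructed for this example.

```python
"""Screen a parsed CloudFormation template for the pattern behind
CloudGuard rule D9.CFT.IAM.41: an Allow statement with a wildcard Principal
in an Elasticsearch/OpenSearch domain's AccessPolicies."""
from typing import Any, Dict, List

DOMAIN_TYPES = {
    "AWS::Elasticsearch::Domain",      # the type named by the rule
    "AWS::OpenSearchService::Domain",  # newer type, same AccessPolicies shape (added here)
}


def _as_list(value: Any) -> List[Any]:
    """IAM policy grammar allows scalar-or-list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_wildcard_principal(statement: Dict[str, Any]) -> bool:
    """True for an Allow statement granted to everyone: Principal '*' or Principal.AWS '*'.
    Condition is deliberately ignored, exactly as the GSL logic ignores it."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_wildcard_principal_domains(template: Dict[str, Any]) -> List[str]:
    """Return the logical IDs of domain resources whose AccessPolicies violate the rule."""
    offenders: List[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in DOMAIN_TYPES:
            continue
        policy = resource.get("Properties", {}).get("AccessPolicies")
        if not isinstance(policy, dict):
            continue  # absent, or built with an intrinsic function we cannot evaluate offline
        statements = [s for s in _as_list(policy.get("Statement")) if isinstance(s, dict)]
        if any(has_wildcard_principal(s) for s in statements):
            offenders.append(logical_id)
    return offenders


# Constructed sample template (the dict a YAML/JSON loader would return); not from the page.
ACCOUNT = "111122223333"  # constructed account ID
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        # Mirrors the non-compliant snippet in the remediation section.
        "BADDOMAIN": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {"AccessPolicies": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
                 "Resource": f"arn:aws:es:us-east-1:{ACCOUNT}:domain/bad/*"}]}},
        },
        # Wildcard principal narrowed only by an IP condition: still flagged by the rule.
        "IPRESTRICTEDDOMAIN": {
            "Type": "AWS::OpenSearchService::Domain",
            "Properties": {"AccessPolicies": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": "*", "Action": "es:ESHttp*",
                 "Resource": f"arn:aws:es:us-east-1:{ACCOUNT}:domain/ipdomain/*",
                 "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}},
        },
        # Compliant: a named IAM role (constructed) is the principal.
        "GOODDOMAIN": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {"AccessPolicies": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow",
                 "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:role/SearchClientRole"]},
                 "Action": "es:ESHttp*",
                 "Resource": f"arn:aws:es:us-east-1:{ACCOUNT}:domain/good/*"}]}},
        },
    }
}

if __name__ == "__main__":
    for logical_id in find_wildcard_principal_domains(SAMPLE_TEMPLATE):
        print(f"{logical_id}: Allow statement with wildcard Principal (D9.CFT.IAM.41)")
```

Because neither the rule nor this check looks at Condition, an IP-based policy written as Principal '*' plus an aws:SourceIp condition is flagged as well, as IPRESTRICTEDDOMAIN shows; the remediation the rule expects is to name the principal, as in GOODDOMAIN.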

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-accesspolicies
  2. https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html

Amazon ElasticSearch service

Amazon Elasticsearch Service is a fully managed service that makes it easy for you to deploy, secure, and run Elasticsearch cost effectively at scale. You can build, monitor, and troubleshoot your applications using the tools you love, at the scale you need. The service provides support for open source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services, and built-in alerting and SQL querying. Amazon Elasticsearch Service lets you pay only for what you use; there are no upfront costs or usage requirements. With Amazon Elasticsearch Service, you get the ELK stack you need, without the operational ov

Compliance Frameworks

  • AWS CloudFormation ruleset