// CheckEnableDomainEncryption (AVD-AWS-0048) reports Elasticsearch domains
// whose at-rest encryption flag is explicitly false. Anything else — true,
// or whatever IsFalse returns for an unresolved value (see types.BoolValue,
// not shown here) — is recorded as a pass.
var CheckEnableDomainEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0048",
		Provider:    providers.AWSProvider,
		Service:     "elastic-search",
		ShortCode:   "enable-domain-encryption",
		Summary:     "Elasticsearch domain isn't encrypted at rest.",
		Impact:      "Data will be readable if compromised",
		Resolution:  "Enable ElasticSearch domain encryption",
		Explanation: `You should ensure your Elasticsearch data is encrypted at rest to help prevent sensitive information from being read by unauthorised users.`,
		Links: []string{
			"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableDomainEncryptionGoodExamples,
			BadExamples:         terraformEnableDomainEncryptionBadExamples,
			Links:               terraformEnableDomainEncryptionLinks,
			RemediationMarkdown: terraformEnableDomainEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableDomainEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableDomainEncryptionBadExamples,
			Links:               cloudFormationEnableDomainEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableDomainEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate every Elasticsearch domain in the adapted state; one result per domain.
	func(s *state.State) (results scan.Results) {
		for _, domain := range s.AWS.Elasticsearch.Domains {
			// Only an explicit "false" is a finding; the failing attribute is
			// attached so the report points at the exact source line.
			if !domain.AtRestEncryption.Enabled.IsFalse() {
				// NOTE(review): &domain aliases the loop variable on Go < 1.22;
				// this is only safe if AddPassed copies what it needs right away.
				results.AddPassed(&domain)
				continue
			}
			results.Add(
				"Domain does not have at-rest encryption enabled.",
				domain.AtRestEncryption.Enabled,
			)
		}
		return results
	},
)
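// CheckEnableDomainLogging (AVD-AWS-0042) reports Elasticsearch domains whose
// audit logging is explicitly disabled.
//
// Although the Summary and Resolution talk about "logging" in general, the
// evaluation below only inspects LogPublishing.AuditEnabled: a domain that
// publishes error/slow logs but not audit logs still fails, and a domain with
// only audit logs passes. The Explanation states this so that a reader of the
// report knows which setting actually clears the finding.
var CheckEnableDomainLogging = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0042",
		Provider:   providers.AWSProvider,
		Service:    "elastic-search",
		ShortCode:  "enable-domain-logging",
		Summary:    "Domain logging should be enabled for Elastic Search domains",
		Impact:     "Logging provides vital information about access and usage",
		Resolution: "Enable logging for ElasticSearch domains",
		Explanation: `Amazon ES exposes four Elasticsearch logs through Amazon CloudWatch Logs: error logs, search slow logs, index slow logs, and audit logs. 

Search slow logs, index slow logs, and error logs are useful for troubleshooting performance and stability issues. 

Audit logs track user activity for compliance purposes. 

All the logs are disabled by default.

This check reports domains that do not have audit logging enabled; the other log types are not assessed by this rule.`,
		Links: []string{
			"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createdomain-configure-slow-logs.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableDomainLoggingGoodExamples,
			BadExamples:         terraformEnableDomainLoggingBadExamples,
			Links:               terraformEnableDomainLoggingLinks,
			RemediationMarkdown: terraformEnableDomainLoggingRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableDomainLoggingGoodExamples,
			BadExamples:         cloudFormationEnableDomainLoggingBadExamples,
			Links:               cloudFormationEnableDomainLoggingLinks,
			RemediationMarkdown: cloudFormationEnableDomainLoggingRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	// Evaluate every Elasticsearch domain in the adapted state; one result per domain.
	func(s *state.State) (results scan.Results) {
		for _, domain := range s.AWS.Elasticsearch.Domains {
			// Only the audit-log flag is consulted; an explicit "false" is a finding.
			if domain.LogPublishing.AuditEnabled.IsFalse() {
				results.Add(
					"Domain audit logging is not enabled.",
					domain.LogPublishing.AuditEnabled,
				)
				continue
			}
			// NOTE(review): &domain aliases the loop variable on Go < 1.22;
			// this is only safe if AddPassed copies what it needs right away.
			results.AddPassed(&domain)
		}
		return results
	},
)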
// CheckEnableInTransitEncryption (AVD-AWS-0043) reports Elasticsearch domains
// whose node-to-node encryption flag is explicitly false. This covers traffic
// between cluster nodes only; client-facing HTTPS is a separate rule
// (enforce-https).
var CheckEnableInTransitEncryption = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0043",
		Provider:    providers.AWSProvider,
		Service:     "elastic-search",
		ShortCode:   "enable-in-transit-encryption",
		Summary:     "Elasticsearch domain uses plaintext traffic for node to node communication.",
		Impact:      "In transit data between nodes could be read if intercepted",
		Resolution:  "Enable encrypted node to node communication",
		Explanation: `Traffic flowing between Elasticsearch nodes should be encrypted to ensure sensitive data is kept private.`,
		Links: []string{
			"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/ntn.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableInTransitEncryptionGoodExamples,
			BadExamples:         terraformEnableInTransitEncryptionBadExamples,
			Links:               terraformEnableInTransitEncryptionLinks,
			RemediationMarkdown: terraformEnableInTransitEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableInTransitEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableInTransitEncryptionBadExamples,
			Links:               cloudFormationEnableInTransitEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableInTransitEncryptionRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate every Elasticsearch domain in the adapted state; one result per domain.
	func(s *state.State) (results scan.Results) {
		for _, domain := range s.AWS.Elasticsearch.Domains {
			nodeToNode := domain.TransitEncryption.Enabled
			switch {
			case nodeToNode.IsFalse():
				// Explicitly disabled: attach the attribute so the finding
				// points at the offending source line.
				results.Add(
					"Domain does not have in-transit encryption enabled.",
					nodeToNode,
				)
			default:
				// NOTE(review): &domain aliases the loop variable on Go < 1.22;
				// this is only safe if AddPassed copies what it needs right away.
				results.AddPassed(&domain)
			}
		}
		return results
	},
)
// CheckEnforceHttps (AVD-AWS-0046) reports Elasticsearch domains whose
// endpoint does not enforce HTTPS, i.e. Endpoint.EnforceHTTPS is explicitly
// false. Rated Critical because a plaintext endpoint exposes every request and
// response (including credentials and indexed data) to on-path observers.
var CheckEnforceHttps = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0046",
		Provider:   providers.AWSProvider,
		Service:    "elastic-search",
		ShortCode:  "enforce-https",
		Summary:    "Elasticsearch doesn't enforce HTTPS traffic.",
		Impact:     "HTTP traffic can be intercepted and the contents read",
		Resolution: "Enforce the use of HTTPS for ElasticSearch",
		Explanation: `Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.`,
		Links: []string{
			"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-data-protection.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnforceHttpsGoodExamples,
			BadExamples:         terraformEnforceHttpsBadExamples,
			Links:               terraformEnforceHttpsLinks,
			RemediationMarkdown: terraformEnforceHttpsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnforceHttpsGoodExamples,
			BadExamples:         cloudFormationEnforceHttpsBadExamples,
			Links:               cloudFormationEnforceHttpsLinks,
			RemediationMarkdown: cloudFormationEnforceHttpsRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Evaluate every Elasticsearch domain in the adapted state; one result per domain.
	func(s *state.State) (results scan.Results) {
		for _, domain := range s.AWS.Elasticsearch.Domains {
			enforced := domain.Endpoint.EnforceHTTPS
			if !enforced.IsFalse() {
				// NOTE(review): &domain aliases the loop variable on Go < 1.22;
				// this is only safe if AddPassed copies what it needs right away.
				results.AddPassed(&domain)
				continue
			}
			// Explicitly false: attach the attribute so the finding points at
			// the offending source line.
			results.Add(
				"Domain does not enforce HTTPS.",
				enforced,
			)
		}
		return results
	},
)
// CheckUseSecureTlsPolicy (AVD-AWS-0126) reports Elasticsearch domains whose
// endpoint TLS security policy is anything other than the single accepted
// value "Policy-Min-TLS-1-2-2019-07".
//
// This is an exact-match allow-list, so it fails closed: a policy name the
// rule does not know (including any newer, stronger policy AWS may publish)
// is reported as insecure until it is added here. How an unresolved value
// behaves depends on StringValue.NotEqualTo (not shown on this page).
var CheckUseSecureTlsPolicy = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0126",
		Provider:    providers.AWSProvider,
		Service:     "elastic-search",
		ShortCode:   "use-secure-tls-policy",
		Summary:     "Elasticsearch domain endpoint is using outdated TLS policy.",
		Impact:      "Outdated SSL policies increase exposure to known vulnerabilities",
		Resolution:  "Use the most modern TLS/SSL policies available",
		Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.`,
		Links: []string{
			"https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-data-protection.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformUseSecureTlsPolicyGoodExamples,
			BadExamples:         terraformUseSecureTlsPolicyBadExamples,
			Links:               terraformUseSecureTlsPolicyLinks,
			RemediationMarkdown: terraformUseSecureTlsPolicyRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationUseSecureTlsPolicyGoodExamples,
			BadExamples:         cloudFormationUseSecureTlsPolicyBadExamples,
			Links:               cloudFormationUseSecureTlsPolicyLinks,
			RemediationMarkdown: cloudFormationUseSecureTlsPolicyRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate every Elasticsearch domain in the adapted state; one result per domain.
	func(s *state.State) (results scan.Results) {
		// The only policy name this rule accepts as secure.
		const acceptedPolicy = "Policy-Min-TLS-1-2-2019-07"
		for _, domain := range s.AWS.Elasticsearch.Domains {
			policy := domain.Endpoint.TLSPolicy
			if policy.NotEqualTo(acceptedPolicy) {
				// Attach the attribute so the finding points at the source line
				// carrying the rejected policy name.
				results.Add(
					"Domain does not have a secure TLS policy.",
					policy,
				)
				continue
			}
			// NOTE(review): &domain aliases the loop variable on Go < 1.22;
			// this is only safe if AddPassed copies what it needs right away.
			results.AddPassed(&domain)
		}
		return results
	},
)