Secure your Elasticsearch Cluster

TL;DR - Basic Authentication, RBAC in Elasticsearch is free. You should enable it and protect your cluster from attacks, data breaches.

The cost of a data breach is huge to any organization. Be it a Bank, eCommerce Company, or an early-stage startup.

It is a loss to your customers. There is an intangible loss of reputation. And then, the regulatory problems from the authorities.

Imagine you open your email one morning, that the data from your Elasticsearch cluster is deleted and you have to pay some money to the attacker to get the data. Sounds troublesome, isn't it?

What security features are available as free?

More than a year ago, Elastic made their core security features of the Elastic Stack are free. It means you can enable and leverage TLS encryption between nodes, role-based access control, basic authentication.

You can leverage these features to protect the data sent via Logstash and data shippers like Filebeat.

Sidenote: You can use the secure keystore's in Filebeat and Logstash to store sensitive settings.

How to check if my ES cluster is unprotected?

Option 1:

Usually, the ES cluster is bootstrapped to start on the port number 9200. You can check whether if you could access, the cluster endpoint remotely using an API client like postman or hopscotch or as simple as chrome browser in incognito mode.

<endpoint_url>:9200

You should be getting the below message.

{
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "action [cluster:monitor/main] requires authentication",
                "header": {
                    "WWW-Authenticate": [
                        "Basic realm=\"security\" charset=\"UTF-8\"",
                        "Bearer realm=\"security\"",
                        "ApiKey"
                    ]
                }
            }
        ],
        "type": "security_exception",
        "reason": "action [cluster:monitor/main] requires authentication",
        "header": {
            "WWW-Authenticate": [
                "Basic realm=\"security\" charset=\"UTF-8\"",
                "Bearer realm=\"security\"",
                "ApiKey"
            ]
        }
    },
    "status": 401
}

Option 2:

Starting Kibana 7.10, you will also see a popup in Kibana if your cluster isn't secure.

What more?

With Users and Roles, you can multiple users and assign them specific roles to limit their access to the cluster data.

You can create a Kibana space to limit access to users for a specific dashboard.

Thanks for reading it this far. If you have more questions on Elasticsearch security, please join the community slack group or ask a question on our technical forum or you could try spinning up a cluster using this link.

Happy to help!

--
Stay Safe
Aravind Putrevu