If Internet access is not enabled for the Elasticsearch cluster, the evaluation result is Compliant. If Internet access is enabled for the Elasticsearch cluster but 0.0.0.0/0 is not contained in any whitelist of the cluster, the evaluation result is Compliant.
Scenarios
If 0.0.0.0/0 is added to a whitelist of an Elasticsearch cluster, the cluster allows access from all IP addresses. This exposes the cluster to high security risks. We recommend that you do not use this configuration.
Risk level
Default risk level: high.
When you apply this rule, you can change the risk level based on your business requirements.
Compliance evaluation logic
- If Internet access is not enabled for the Elasticsearch cluster, the evaluation result is Compliant. If Internet access is enabled for the Elasticsearch cluster but 0.0.0.0/0 is not contained in any whitelist of the cluster, the evaluation result is Compliant.
- If Internet access is enabled for the Elasticsearch cluster and 0.0.0.0/0 is contained in a whitelist of the cluster, the evaluation result is Incompliant. For more information about how to remediate an incompliant configuration, see the "Incompliance remediation" section of this topic.
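The evaluation logic above can be reproduced in a local audit script. The following is an added example, not the rule's own implementation; the field names `public_access_enabled` and `whitelists` and the sample clusters are assumptions constructed for illustration. It goes one step beyond the documented check by also flagging a whitelist whose entries together cover all of IPv4 (for example 0.0.0.0/1 plus 128.0.0.0/1), which a literal match on 0.0.0.0/0 would not catch.

```python
import ipaddress

ALL_IPV4 = ipaddress.ip_network("0.0.0.0/0")

def covers_all_ipv4(entries):
    """Return True if the entries of one whitelist together allow every IPv4 address."""
    nets = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            continue  # malformed entry: cannot widen access, skip it
        if net.version == 4:
            nets.append(net)
    # collapse_addresses merges adjacent and overlapping networks, so
    # 0.0.0.0/1 + 128.0.0.0/1 collapses to 0.0.0.0/0.
    return ALL_IPV4 in ipaddress.collapse_addresses(nets)

def evaluate(cluster):
    """Apply the rule's logic to one cluster description (hypothetical field names)."""
    if not cluster.get("public_access_enabled", False):
        return "Compliant"  # no Internet access: whitelists are not considered
    for entries in cluster.get("whitelists", {}).values():
        if covers_all_ipv4(entries):
            return "Incompliant"
    return "Compliant"

# Constructed sample input; not output from any real API.
SAMPLE_CLUSTERS = {
    "es-private": {"public_access_enabled": False,
                   "whitelists": {"public": ["0.0.0.0/0"]}},
    "es-restricted": {"public_access_enabled": True,
                      "whitelists": {"public": ["203.0.113.0/24", "198.51.100.7"]}},
    "es-open": {"public_access_enabled": True,
                "whitelists": {"public": ["10.0.0.0/8", "0.0.0.0/0"]}},
    "es-split": {"public_access_enabled": True,
                 "whitelists": {"public": ["0.0.0.0/1", "128.0.0.0/1"]}},
}

def evaluate_all(clusters):
    """Map each cluster name to its evaluation result."""
    return {name: evaluate(cfg) for name, cfg in clusters.items()}

if __name__ == "__main__":
    for name, result in evaluate_all(SAMPLE_CLUSTERS).items():
        print(f"{name}: {result}")
```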
Rule details
Item | Description |
---|---|
Rule name | elasticsearch-public-and-any-ip-access-check |
Rule identifier | elasticsearch-public-and-any-ip-access-check |
Tag | Elasticsearch and Public |
Automatic remediation | Not supported |
Trigger type | Periodic execution |
Evaluation frequency | Interval of 24 hours |
Supported resource type | Elasticsearch cluster |
Input parameter | None |
Incompliance remediation
Disable Internet access for the Elasticsearch cluster or delete 0.0.0.0/0 from the whitelists of the cluster. For more information, see Configure a private connection for an Elasticsearch cluster.