Alibaba Cloud Elasticsearch clusters are deployed in logically isolated virtual private clouds (VPCs). On top of that isolation, the clusters use access control, authentication and authorization, encryption, and the advanced security features provided by X-Pack. Together, these features protect the data and services of an Alibaba Cloud Elasticsearch cluster. This topic describes each of them.
Background information
Open source software is often the first target of attacks; the MongoDB ransomware attacks are one example. Elasticsearch has also become a target. Attackers may compromise self-managed Elasticsearch clusters that lack professional security protection, delete important data, or interfere with business systems.
Alibaba Cloud Security Center released a warning about the security risks associated with Elasticsearch and provided an array of security hardening strategies and solutions. Alibaba Cloud Elasticsearch provides solutions that are more reliable and professional for data and service security than those provided by open source Elasticsearch.
Security features
The following table compares the security protection of an Alibaba Cloud Elasticsearch cluster with that of a self-managed Elasticsearch cluster.
Category | Built-in security feature of an Alibaba Cloud Elasticsearch cluster | Security protection of a self-managed Elasticsearch cluster |
--- | --- | --- |
Access control | | |
Authentication and authorization | | Install third-party security plug-ins, such as Search Guard and Shield. |
Encryption | | |
Monitoring and auditing | | Use third-party tools to audit logs and monitor services. |
Disaster recovery | | |
Access control
Alibaba Cloud Elasticsearch uses the following methods to control access:
- Access over VPCs
  You can use the internal endpoint of an Alibaba Cloud Elasticsearch cluster to access the cluster over a VPC. If you require a secure environment in which your applications can access the cluster, purchase an Alibaba Cloud Elastic Compute Service (ECS) instance in the same region, zone, and VPC as the Elasticsearch cluster, deploy the applications on that ECS instance, and have them connect to the internal endpoint of the cluster.
  Note: A VPC is a private network in the cloud that is isolated from the Internet. It provides private, secure access for your applications.
- Whitelist-based access control
  Whether you access an Alibaba Cloud Elasticsearch cluster over its internal endpoint or over its public endpoint, configure an IP address whitelist for that endpoint. Only clients whose IP addresses (or CIDR blocks) are in the whitelist can reach the cluster through that endpoint. The whitelist restricts reachability at the network layer only; it does not replace authentication, so whitelisted clients must still present valid credentials. For more information, see Configure a public or private IP address whitelist for an Elasticsearch cluster.
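A whitelist is only as good as its entries, and the entry that most often defeats it is an overly broad CIDR block. The following script is an added example, not Alibaba Cloud code: it models a whitelist as the list of addresses and CIDR blocks that the console accepts, reports entries that void or weaken it, and checks whether a given client address is covered. The sample whitelist is constructed for this example, and the "broad prefix" thresholds are this example's own assumptions.

```python
"""Audit an Elasticsearch endpoint IP address whitelist before applying it.

Added example; this is not Alibaba Cloud code. A whitelist is modelled as a
list of IPv4/IPv6 addresses or CIDR blocks, the form the console accepts.
The "broad prefix" thresholds below are this example's own assumptions.
"""
import ipaddress

# Constructed sample: what an operator might paste into the whitelist dialog.
# 0.0.0.0/0 voids the whitelist; 203.0.113.0/8 is almost certainly a typo
# for /24 and would admit about 16 million addresses.
SAMPLE_WHITELIST = ["10.0.12.0/24", "10.0.13.7", "0.0.0.0/0", "203.0.113.0/8"]

# Assumption: anything wider than these prefixes is worth a second look.
BROAD_PREFIX_LIMIT = {4: 16, 6: 48}


def parse_whitelist(entries):
    """Turn whitelist strings into ip_network objects (bare IPs become /32 or /128)."""
    nets = []
    for raw in entries:
        raw = raw.strip()
        if raw:
            # strict=False masks off host bits so mistyped entries still parse;
            # audit_whitelist() reports those entries separately.
            nets.append(ipaddress.ip_network(raw, strict=False))
    return nets


def audit_whitelist(entries):
    """Return (entry, reason) pairs for entries that weaken the whitelist."""
    findings = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ipaddress.ip_network(raw, strict=True)
        except ValueError:
            findings.append((raw, "host bits set; the prefix length does not match the address"))
        net = ipaddress.ip_network(raw, strict=False)
        limit = BROAD_PREFIX_LIMIT[net.version]
        if net.prefixlen == 0:
            findings.append((raw, "matches every address; the whitelist no longer restricts anything"))
        elif net.prefixlen < limit:
            findings.append((raw, f"wider than /{limit}: {net.num_addresses} addresses admitted"))
    return findings


def is_allowed(client_ip, entries):
    """True if client_ip falls inside any whitelist entry (IPv4/IPv6 aware)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_whitelist(entries))


if __name__ == "__main__":
    for entry, reason in audit_whitelist(SAMPLE_WHITELIST):
        print(f"{entry}: {reason}")
    print("198.51.100.9 allowed:", is_allowed("198.51.100.9", SAMPLE_WHITELIST))
```

Run it against the list you intend to paste into the console: the sample produces three findings (the /0 entry, and two for the mistyped /8), and the last line shows why a single /0 entry makes every other entry irrelevant.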
Authentication and authorization
- RAM-based access control
The Alibaba Cloud Elasticsearch console supports RAM users, which you can use to isolate resources. A RAM user can view and manage only the Alibaba Cloud Elasticsearch clusters that the policies attached to the user grant access to. For more information, see Policy evaluation process.
- RBAC provided by X-Pack
Alibaba Cloud Elasticsearch provides the X-Pack plug-in, a commercial extension of Elasticsearch. The plug-in is an easy-to-install bundle that provides security, alerting, monitoring, graphing, and reporting capabilities. It is integrated into Kibana to provide further capabilities, such as authentication and authorization, RBAC, real-time monitoring, visual reporting, and machine learning. Roles can be scoped to specific indexes, so that a user receives only the privileges (for example, read or write) that the user needs on the indexes that the user needs. For more information, see Use the RBAC mechanism provided by Elasticsearch X-Pack to implement access control and Security APIs in the open source Elasticsearch documentation.
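The following script is an added example, not Alibaba Cloud or Elastic code, showing what an index-scoped role and a user created through the X-Pack Security API look like, and checking the role for the two grants that quietly turn a "reader" into an administrator (an index pattern of `*` and the `all` privilege). The request paths and body shapes follow the Elasticsearch Security API (`POST /_security/role/<name>` and `POST /_security/user/<name>`); the role name `logs_reader`, the index pattern `logs-*`, the user `analyst`, the password, and the 12-character password minimum are placeholders and assumptions chosen for this example. `role_allows()` is a simplified local approximation of the index-privilege check and is not X-Pack's own evaluation logic.

```python
"""Create an index-scoped X-Pack role and a user through the Security API.

Added example; this is not Alibaba Cloud or Elastic code. Request paths and
body shapes follow the Elasticsearch Security API (POST /_security/role/<name>
and POST /_security/user/<name>). The role name, index pattern, user name and
password are placeholders chosen for this example, and role_allows() is a
simplified local approximation of the index-privilege check, not X-Pack's
own evaluation logic.
"""
import json
import re

# Assumption for this example: native-realm passwords must be at least 12
# characters (Elasticsearch itself enforces a shorter minimum).
MIN_PASSWORD_LEN = 12


def least_privilege_issues(role_body):
    """Flag index grants that make a role effectively a cluster-wide admin."""
    issues = []
    for entry in role_body.get("indices", []):
        if "*" in entry["names"]:
            issues.append("index pattern '*' grants access to every index")
        if "all" in entry["privileges"]:
            issues.append("privilege 'all' includes write, delete and index management")
    return issues


def build_role(index_patterns, privileges):
    """Body for POST /_security/role/<name>; refuses over-broad grants."""
    body = {"indices": [{"names": list(index_patterns), "privileges": list(privileges)}]}
    issues = least_privilege_issues(body)
    if issues:
        raise ValueError("; ".join(issues))
    return body


def build_user(password, roles, full_name=""):
    """Body for POST /_security/user/<name>."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError(f"password shorter than {MIN_PASSWORD_LEN} characters")
    return {"password": password, "roles": list(roles), "full_name": full_name}


def security_api_requests(role_name, role_body, user_name, user_body):
    """(method, path, json) tuples to send to the cluster; the role must exist first."""
    return [
        ("POST", f"/_security/role/{role_name}", json.dumps(role_body)),
        ("POST", f"/_security/user/{user_name}", json.dumps(user_body)),
    ]


def _pattern_matches(pattern, index):
    # Elasticsearch index patterns use '*' as the only wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None


def role_allows(role_body, index, privilege):
    """Simplified check: does any index grant of the role cover index + privilege?"""
    for entry in role_body["indices"]:
        if any(_pattern_matches(p, index) for p in entry["names"]):
            if "all" in entry["privileges"] or privilege in entry["privileges"]:
                return True
    return False


if __name__ == "__main__":
    role = build_role(["logs-*"], ["read", "view_index_metadata"])
    user = build_user("example-Only-Pa55word!", ["logs_reader"], "Log analyst")
    for method, path, body in security_api_requests("logs_reader", role, "analyst", user):
        print(method, path, body)
    print("read logs-2024.06:", role_allows(role, "logs-2024.06", "read"))
    print("write logs-2024.06:", role_allows(role, "logs-2024.06", "write"))
```

Send the two printed requests, in that order, to the cluster with the credentials of an administrative user (for example from Kibana Dev Tools or with curl over HTTPS); the user `analyst` then has read access to indexes matching `logs-*` and nothing else, and `least_privilege_issues()` can be run over existing role definitions pulled from `GET /_security/role` to find roles that already grant `all` on `*`.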