Elasticsearch is an open source search engine built on top of Lucene that is commonly used for internal site searches and analytics. Recently, several high-profile ransomware attacks against unsecured Elasticsearch servers have reminded us that there may be a few things to do to help secure your deployment. In this post, we’ll be covering best practices to help secure your Elasticsearch instances on Google Cloud Platform (GCP).
There are a number of ways to attack an Elasticsearch instance. Poisoning the index, exploiting unauthorized API access and exfiltrating sensitive data are just a few. Read on for some suggestions to combat them.
1. Lock down your access policyTo help prevent abuse, Elasticsearch uses a trusting security model that relies on external access management. Thus, an important first step with a new Elasticsearch instance is to lock down the access policy. Best practices on GCP include using IAM policies for internal access and firewalls for external connections. Add-ons such as X-Pack help add another layer of security.
2. Don’t index sensitive dataOnce you’ve updated your access policy for your Elasticsearch instance, think carefully about what content you intend to index. Your initial import into Elasticsearch is likely to be a bulk migration of data. A best practice is to carefully filter out personally identifiable information (PII), cardholder data or other sensitive information to prevent it from leaking. Even if you only provide abstract document IDs from your search engine, hackers can still deduce particularly sensitive bits of information. For example, a bad actor could use wildcard searches to deduce credit card numbers, SSNs or other information one character at a time.
Index poisoning occurs when unfiltered malicious content is ingested by Elasticsearch. If you index user-generated content (UGC), be sure to properly filter it before storing it. Any content returned from the search engine (or any other data storage, for that matter) should be properly escaped for the medium it will be presented through. That means HTML escaping any search result snippets presented in web pages and properly SQL escaping any result data you might use in a database query. See the OWASP pages on data validation and XSS prevention for more information.
3. Handle unfiltered content safely
In short, improving the security of Elasticsearch is a lot like locking down any other cloud and/or open-source service. Apply best practices, think like a hacker and remember that chaining together several non-critical vulnerabilities often results in the most devastating attacks.