As if the MongoDB sacking fiasco wasn’t enough, bored attackers have added ransacking of open AWS Elasticsearch clusters to their list. Late last week (and who knows how long before that), they began attacking Elasticsearch domains with open access policies. Access and permissions to AWS Elasticsearch domains is controlled via resource-based policies.
AWS recommends that you don’t use an open access policy on your Elasticsearch domain, except for when testing with non-production data. We would go as far as to say that testing with an open access policy shouldn’t ever be practiced period. Our experience shows that development and pre-production environments are ripe for exploitation due to the lower security hygiene and less/lack of monitoring placed on them. What’s even worse is we sometimes think it’s easy to test in pre-production with real customer data (please DO NOT do that! or if you must, always make sure you anonymize).
Evident.io takes these types of exploits in the wild very seriously. In order for our customers to identify, remediate and monitor for Elasticsearch domains with open access policies, we have released an Evident Security Platform (ESP) custom signature in our open-source repo: https://github.com/EvidentSecurity/custom_signatures/blob/master/elastic_search_open_access_policy.rb
We recommend that everyone that uses AWS Elasticsearch install and activate this ESP custom signature immediately. Instructions for creating a custom signature are here: http://docs.evident.io/#custom-signatures.
If you have any questions installing this custom signature, please email email@example.com.
—The Evident.io Team
PS – Not yet an Evident.io customer? You can try ESP free for 14 days and start securing your cloud infrastructure within minutes. Get started now to see if you have any high priority risks in your AWS environment.