When the CDK code creates the EC2 instance for Elasticsearch, it provides a policy that allows the EC2 instance to gain access to the username and password stored inside of Secrets Manager. This username and password is used to configure a plugin on the Elasticsearch instance so that basic auth can be used to authenticate to the service.
The problem is that this policy does not restrict access to only the username and password secret; instead, it gives access to all secrets within Secrets Manager by specifying wildcards in the resources field. This would allow an attacker to gain access to all secrets if they happened to compromise any host that uses this policy.
Possible fixes
Scope the secret resources only to the secrets needed for the OpenSearch search functionality instead of using wildcards.
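As an added example (not code from this issue or the project), the two policy-statement shapes the report contrasts, written as plain IAM JSON objects, plus a small check that flags the wildcard form so it can be caught in a policy review or a unit test; the secret ARN, account and region are constructed placeholders.

```typescript
// Minimal model of an IAM policy statement (only the fields this check reads).
interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}

// Constructed placeholder ARN for the OpenSearch basic-auth credential secret.
const OPENSEARCH_SECRET_ARN =
  "arn:aws:secretsmanager:us-east-1:123456789012:secret:opensearch/basic-auth-AbCdEf";

// The shape the issue describes: the actions are reasonable, but Resource "*"
// lets any host carrying this instance role read every secret in the account.
const broadStatement: Statement = {
  Effect: "Allow",
  Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
  Resource: "*",
};

// The proposed fix: same actions, scoped to the one secret the plugin needs.
const scopedStatement: Statement = {
  Effect: "Allow",
  Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
  Resource: OPENSEARCH_SECRET_ARN,
};

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// True when an Allow statement grants any secretsmanager action on "*" or on an
// ARN whose partition/service/region/account/type field is wildcarded.
// A wildcard only in the trailing name field (e.g. "...:secret:name-*", the
// usual way to match Secrets Manager's random suffix) is treated as scoped.
function grantsWildcardSecretAccess(stmt: Statement): boolean {
  if (stmt.Effect !== "Allow") return false;
  const touchesSecrets = asList(stmt.Action).some(
    (a) => a === "*" || a.toLowerCase().startsWith("secretsmanager:"),
  );
  if (!touchesSecrets) return false;
  return asList(stmt.Resource).some((r) => {
    if (r === "*") return true;
    // ARN layout: arn:partition:service:region:account:resourcetype:name
    const fields = r.split(":");
    return fields.slice(0, 6).some((f) => f.includes("*"));
  });
}
```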