This topic compares Alibaba Cloud Elasticsearch clusters with user-created Elasticsearch clusters to describe the security protection advantages of Alibaba Cloud Elasticsearch.

Background information

Open-source software is often the first target of attacks. The MongoDB ransomware attacks are an example. Elasticsearch has also become the target of attacks. Attackers may attack user-created Elasticsearch clusters that do not have professional security protection, and then delete important data or interfere with the business system.Elasticsearch security background

Alibaba Cloud Security Center released a warning about the security risks of Elasticsearch and provided multiple security hardening strategies and solutions. Alibaba Cloud Elasticsearch provides more reliable and professional solutions for data and service security than user-created Elasticsearch.

Security feature descriptions

Alibaba Cloud released the fully hosted Elasticsearch service in November, 2017. Alibaba Cloud Elasticsearch provides security protection features for you to safeguard your clusters.Elasticsearch security features

The following table compares the security protection of Alibaba Cloud Elasticsearch with that of user-created Elasticsearch.

Security metric Security protection of user-created Elasticsearch Integrated security features of Alibaba Cloud Elasticsearch
Access control
  • Purchase cloud security products, such as security groups or firewalls, to manage and quarantine source IP addresses.
  • Disable port 9200 unless it is necessary.
  • Bind source IP addresses.
  • Change the default port.
  • Alibaba Cloud Elasticsearch clusters that are deployed in VPCs. This way, they can be isolated at the data link layer.
  • IPv4 and IPv6 whitelists for access control. Both IP addresses and Classless Inter-Domain Routing (CIDR) blocks are supported.
  • Kibana whitelists for access control. Both IP addresses and CIDR blocks are supported.
Authentication and authorization Install third-party security plug-ins, such as Search Guard and Shield.
  • Cluster-level permission policies in Resource Access Management (RAM), such as the ReadOnlyAccess policy that grants the read-only permissions and the FullAccess policy that grants the administrator permissions.
  • Access control based on RAM, such as the permissions on clusters, accounts, and GET, POST, and PUT commands.
  • Role-based access control (RBAC) based on X-Pack. Access control policies can be specific to data fields.
  • Single sign-on (SSO) based on X-Pack. Active Directory, LDAP, and Elasticsearch-native Realm are supported for identity verification.
Data encryption
  • Use storage media that support encryption at rest.
  • Disable HTTP in YML configuration files.
  • HTTPS is supported.
  • Encryption at rest is provided based on Key Management Service (KMS).
  • X-Pack is integrated to support data transmission encryption by using SSL or TLS.
Monitoring and auditing Use third-party tools to audit logs and monitor services.
  • Operation log auditing based on X-Pack.
  • CloudMonitor-based cluster monitoring with multiple metrics, such as cluster workload.
Disaster recovery
  • Purchase file systems to back up data periodically.
  • Use multiple clusters to implement disaster recovery.
  • A cluster can be deployed across multiple zones in one city to implement disaster recovery.
  • Snapshots are automatically created at a scheduled time.