Updated on 2025-09-05 GMT+08:00

Cloud Search Service Security Best Practices

CSS offers a fully-managed, distributed search service built on open-source Elasticsearch and OpenSearch. It enables efficient search, analysis, and visualization of both structured and unstructured data, making it an ideal choice for log analytics, data-driven operations and maintenance, and intelligent search applications. This section provides actionable best practices for enhancing CSS security. Based on them, you can continuously evaluate the security posture of your CSS resources, and enhance their security by combining multiple security features provided by CSS. This way, you protect your data stored in CSS against leakage and tampering—both at rest and in transit.

To secure your data and workloads on CSS, we recommend that you follow the best practices below:

Configuring Security Settings

  • Creating security-mode clusters

    CSS provides a security mode for Elasticsearch and OpenSearch clusters. A security-mode cluster authenticates every request with a username and password; a non-security-mode cluster accepts any request that reaches it, so anyone with network access can read, modify, or delete its data. Do not create clusters with the security mode disabled unless the cluster sits in a tightly controlled network and holds data of minor importance. For details about how to change a cluster's security mode, see Changing the Security Mode of an Elasticsearch Cluster or Changing the Security Mode of an OpenSearch Cluster.

  • Enabling HTTPS access

    Without TLS (still commonly referred to as SSL), data transmitted between a CSS client and the cluster, including the username and password sent with each request, travels in plaintext and can be eavesdropped on, tampered with, or intercepted by a man-in-the-middle. To protect data in transit, create the cluster with both the security mode and HTTPS enabled; HTTPS wraps the REST API in TLS. Clients must also verify the server certificate, because a client that skips certificate verification remains exposed to man-in-the-middle attacks even over HTTPS. Enabling HTTPS introduces encryption and decryption overhead, which may reduce cluster performance by approximately 20%; weigh this cost against the security benefit before enabling it. For details about how to switch between HTTPS and HTTP for a cluster, see Changing the Security Mode of an Elasticsearch Cluster or Changing the Security Mode of an OpenSearch Cluster.

  • Avoiding exposing a cluster to the Internet via an EIP

    Avoid deploying CSS clusters on the public network or in a DMZ. Deploy them on your company's internal network, behind routers or firewalls. Binding an EIP directly to a cluster exposes it to the whole Internet and invites unauthorized access attempts and DDoS attacks, so do not do it; where possible, disable public network access to your clusters altogether. If public network access is unavoidable, front the cluster with a dedicated load balancer and apply strict security group rules to the load balancer that admit only the source addresses that actually need access. For details, see Configuring a Dedicated Load Balancer for an Elasticsearch Cluster or Configuring a Dedicated Load Balancer for an OpenSearch Cluster.
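The three settings above are the ones most often found wrong in a cluster inventory, so they are worth checking mechanically. The following Python is an added example written for this page, not code from the CSS documentation or service. The cluster dictionary shape it consumes (security_mode, https, eip, security_group_rules) is an assumption chosen for illustration, not the CSS API response format, and both sample clusters are constructed; map real API output into that shape before use.

```python
"""Offline posture check for security mode, HTTPS and Internet exposure (added example).

The cluster dictionary shape below is an ASSUMPTION made for this example; it is not
the CSS API response format. Map real API output into it before use.
"""
import ipaddress

# Elasticsearch/OpenSearch REST and transport ports (assumed defaults)
ES_PORTS = (9200, 9300)


def rule_is_world_open(rule, port):
    """True if an ingress rule admits `port` from any source address (0.0.0.0/0 or ::/0)."""
    if rule.get("direction") != "ingress":
        return False
    low, high = rule.get("port_range", (1, 65535))
    if not low <= port <= high:
        return False
    try:
        net = ipaddress.ip_network(rule.get("source_cidr", "0.0.0.0/0"), strict=False)
    except ValueError:
        return True  # unparsable source: flag it so a human reviews the rule
    return net.prefixlen == 0


def evaluate_cluster(cluster):
    """Return (severity, message) findings for one cluster description."""
    findings = []
    if not cluster.get("security_mode", False):
        findings.append(("high", "security mode disabled: requests need no authentication"))
    if not cluster.get("https", False):
        findings.append(("high", "HTTPS disabled: credentials and data travel in plaintext"))
    if cluster.get("eip"):
        findings.append(("high", f"EIP {cluster['eip']} bound directly to the cluster"))
    for port in ES_PORTS:
        if any(rule_is_world_open(r, port) for r in cluster.get("security_group_rules", [])):
            findings.append(("medium", f"security group admits 0.0.0.0/0 on port {port}"))
    return findings


def audit(clusters):
    """Map cluster name -> findings; an empty list means the cluster passes."""
    return {c["name"]: evaluate_cluster(c) for c in clusters}


# Constructed sample input: one hardened cluster and one exposed development cluster.
SAMPLE_CLUSTERS = [
    {"name": "logs-prod", "security_mode": True, "https": True, "eip": None,
     "security_group_rules": [
         {"direction": "ingress", "port_range": (9200, 9200), "source_cidr": "10.0.0.0/8"}]},
    {"name": "search-dev", "security_mode": False, "https": False, "eip": "203.0.113.10",
     "security_group_rules": [
         {"direction": "ingress", "port_range": (1, 65535), "source_cidr": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CLUSTERS).items():
        print(name, "OK" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run it against every cluster in an account on a schedule; a cluster that produces any "high" finding should be treated as a deviation from the practices above, and the "medium" rule finding is the usual sign that a load balancer's security group was opened wider than the callers require.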

Improving Account and Password Security

  • Resetting the administrator password periodically

    Security-mode enabled Elasticsearch and OpenSearch clusters have a default administrator account, admin, which has full permissions on the cluster. Reset its password periodically, and immediately if it may have been exposed (for example, after staff changes or when it has been pasted into a script or ticket). Doing so limits how long a leaked credential stays usable and protects the sensitive data stored in the clusters. For details, see How Do I Reset the Administrator Password of a Security-mode Cluster in CSS?

  • Using more complex passwords

    As distributed search and analytics engines, CSS's Elasticsearch and OpenSearch clusters are attractive targets for attackers. Keep your accounts and passwords secure and use complex passwords rather than weak ones. CSS checks the complexity of administrator passwords set by users: the password must contain at least 12 characters and must combine uppercase letters, lowercase letters, digits, and special characters (such as !@#$%). Treat this policy as a floor rather than a guarantee; also avoid dictionary words, the account or cluster name, and passwords reused from other systems.
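The password policy above is easy to enforce in the tooling that performs the periodic reset, so that a rotation never produces a password the console would reject. The following Python is an added example, not CSS code: it implements the stated rules, adds one check of its own (the account name must not appear in the password), and generates reset passwords from the operating system's CSPRNG. The set of accepted special characters is an assumption; the page only lists !@#$% as examples.

```python
"""Administrator-password checks for CSS security-mode clusters (added example)."""
import secrets
import string

MIN_LEN = 12
# Special characters accepted by this example; the page lists !@#$% as examples, and the
# full set CSS accepts is an assumption here.
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"


def check_password(password, username="admin"):
    """Return (ok, failed_rules). The first five rules are the CSS policy quoted above;
    'no_username' is an extra check added by this example."""
    rules = {
        "length": len(password) >= MIN_LEN,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIAL for c in password),
        "no_username": username.lower() not in password.lower(),
    }
    failed = [name for name, ok in rules.items() if not ok]
    return not failed, failed


def generate_password(length=20, username="admin"):
    """Generate a reset password from the OS CSPRNG that satisfies check_password."""
    if length < MIN_LEN:
        raise ValueError(f"length must be at least {MIN_LEN}")
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIAL)
    alphabet = "".join(classes)
    rng = secrets.SystemRandom()
    while True:
        # one character from each class guarantees coverage; the rest is drawn uniformly
        chars = [secrets.choice(cls) for cls in classes]
        chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if check_password(candidate, username)[0]:
            return candidate


if __name__ == "__main__":
    for pw in ("admin123", "Str0ng!Passw0rd#2025", generate_password()):
        print(repr(pw), check_password(pw))
```

Use generate_password in the rotation job and store the result in a secrets manager rather than in the job's logs; check_password is the gate to apply when a person chooses a password by hand.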

Enhancing Permission Management

Enabling Security Audit Logs

Security audit logs record all user operations on data and indexes. They can be used to analyze user behavior, generate compliance reports, and trace the root cause of an incident. Retain them long enough for your investigation and compliance needs, and forward them to a store that cluster users cannot modify, so that an attacker who obtains cluster credentials cannot erase their own trail. For more information, see How Do I Enable Audit Logs for an Elasticsearch or OpenSearch Cluster of CSS?

Enabling Data Backup

CSS's Elasticsearch and OpenSearch clusters support both automatic and manual data backup. Depending on data importance, back up daily or weekly and retain several generations, so that corruption noticed only after some time can still be rolled back to a clean snapshot. In the event of a cluster failure or data corruption, you can restore from one of the backups; test a restore periodically to confirm that the snapshots are actually usable. For more information, see Creating a Snapshot to Back Up the Data of an Elasticsearch Cluster or Creating a Snapshot to Back Up the Data of an OpenSearch Cluster.
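"Retain multiple backups" needs a concrete rule for which snapshots to keep, and the rule has two edge cases worth getting right: a failed snapshot must never count as a retained generation, and the newest successful one must never be deleted. The following Python is an added example, not CSS or Elasticsearch code. It reads snapshot summaries in the shape of the Elasticsearch/OpenSearch GET _snapshot/<repo>/_all response (only the snapshot, state and end_time fields are used) and returns the names that fall outside a keep-N-daily, keep-M-weekly policy; the sample list is constructed, and issuing the DELETE requests is left to the caller.

```python
"""Snapshot retention selection for the backup practice above (added example).

Input is a list of snapshot summaries in the shape returned by the Elasticsearch/OpenSearch
GET _snapshot/<repo>/_all API; only 'snapshot', 'state' and 'end_time' are used and the
sample list is constructed. Deleting is left to the caller (DELETE _snapshot/<repo>/<name>).
"""
from datetime import datetime


def _end_time(snap):
    # end_time is ISO 8601 with a trailing Z, e.g. 2025-09-01T02:00:00.000Z
    return datetime.fromisoformat(snap["end_time"].replace("Z", "+00:00"))


def select_snapshots_to_delete(snapshots, keep_daily=7, keep_weekly=4):
    """Names of snapshots that fall outside a keep-N-daily / keep-M-weekly policy.

    Rules: only SUCCESS snapshots count toward retention (failed or partial ones are
    always returned for deletion); the newest successful snapshot is always kept; for the
    most recent keep_daily calendar days the newest snapshot of each day is kept; beyond
    that, the newest snapshot of each of keep_weekly ISO weeks is kept.
    """
    successful = sorted((s for s in snapshots if s["state"] == "SUCCESS"),
                        key=_end_time, reverse=True)
    keep = set()
    days_seen, weeks_seen = set(), set()
    for index, snap in enumerate(successful):
        end = _end_time(snap)
        day, week = end.date(), end.isocalendar()[:2]  # (iso_year, iso_week)
        keep_it = index == 0  # newest successful snapshot always survives
        if day not in days_seen and len(days_seen) < keep_daily:
            days_seen.add(day)
            keep_it = True
        if week not in weeks_seen and len(weeks_seen) < keep_weekly:
            weeks_seen.add(week)
            keep_it = True
        if keep_it:
            keep.add(snap["snapshot"])
    return sorted(s["snapshot"] for s in snapshots if s["snapshot"] not in keep)


def _snap(name, end_time, state="SUCCESS"):
    return {"snapshot": name, "state": state, "end_time": end_time}


# Constructed sample: weekly snapshots in early August, daily ones from 23 August, and
# a failed run on 2 September.
SAMPLE_SNAPSHOTS = [_snap(f"daily-{d}", f"{d}T02:00:00.000Z") for d in (
    "2025-08-03", "2025-08-10", "2025-08-17", "2025-08-23", "2025-08-24", "2025-08-25",
    "2025-08-26", "2025-08-27", "2025-08-28", "2025-08-29", "2025-08-30", "2025-08-31",
    "2025-09-01")] + [_snap("daily-2025-09-02", "2025-09-02T02:00:00.000Z", state="FAILED")]

if __name__ == "__main__":
    print("delete:", select_snapshots_to_delete(SAMPLE_SNAPSHOTS))
```

Because the policy is computed from what actually exists in the repository rather than from a schedule, a week in which every scheduled snapshot failed does not silently consume a retention slot; the older successful snapshots stay until a good one replaces them.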

Encrypting Data at Rest

When creating a CSS cluster, you are advised to enable disk encryption, which uses the Key Management Service (KMS) to encrypt data before storing it on disks. This reduces the risk of data leakage if physical disks are stolen or the underlying storage is accessed without authorization. Note that disk encryption does not protect against reads through the cluster API, whether by an authenticated user or over an unauthenticated non-security-mode connection; it complements the access controls above rather than replacing them. To enable disk encryption, submit a service ticket.

Upgrading Your Clusters to the Latest Version

Based on vulnerabilities disclosed in the open-source community, CSS may release new Elasticsearch and OpenSearch engine versions that incorporate the corresponding fixes. To improve the ease of use and security of your CSS clusters, check for new cluster software versions at least quarterly, apply security patches promptly, and upgrade your clusters to the latest available image. For details, see Upgrading the Version of an Elasticsearch Cluster or Upgrading the Version of an OpenSearch Cluster.