Skip to content

Enable Elasticsearch security

Severity: criticalApplies to: Elasticsearch 8.x / 9.x (on by default)Applies to: Elasticsearch 7.x (off by default)
The fix/etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
Terminal window
sudo systemctl restart elasticsearch

On 8.x and 9.x this is already true — the finding is when it’s been set to false. On 7.x it defaults to absent, which means off.

With security disabled, Elasticsearch has no concept of a user. Every request to port 9200 is honoured in full: read every index, delete every index, read the cluster’s configuration, and — historically — run code. There is no password to guess because there is no password.

This is the setting that made Elasticsearch the most breached database on the internet for years. A cluster with xpack.security.enabled: false reachable from an untrusted network is not at risk of compromise; it is compromised the moment someone connects.

On 8.x and 9.x, someone turned it off. Auto-configuration enables security on first start, so a modern cluster running insecure got that way deliberately. The reason is almost always the same: a client failed to connect — usually because it wasn’t sending credentials or wasn’t trusting the auto-generated certificate — and xpack.security.enabled: false made the error stop.

That “fix” trades an authentication error for an open database. The real fix is to make the client authenticate and trust the certificate, which is built-in users and TLS — not turning the wall off.

On 7.x, it was never on. Elasticsearch 7.x ships with security disabled by default. If nobody added xpack.security.enabled: true, the cluster is open, and has been since it was installed. 7.x is also end of life, so the durable fix is to enable security and plan the upgrade — an unsupported version accumulates unpatched holes regardless of this setting.

If the reason security is off is a belief that it costs money: it doesn’t, and hasn’t since 2019. Authentication, RBAC and TLS are in the free Basic tier from 6.8 / 7.1 onward. The only thing on this whole checklist that needs a paid subscription is audit logging.

Enabling it requires no license key and no registration.