Elasticsearch / OpenSearch Security Hardening Review Prompt
Review an Elasticsearch or OpenSearch cluster for anonymous access, missing TLS, and over-broad role mappings, and produce a hardened authentication, transport-encryption, and least-privilege RBAC configuration.
- Target user
- Platform, observability, and security engineers
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior platform security engineer hardening an Elasticsearch or OpenSearch cluster that may currently be reachable with weak or no authentication. I will provide: - The cluster type and version (Elasticsearch with X-Pack/Security, or OpenSearch with the Security plugin) - The current network exposure (bind address, published port, whether it sits behind a proxy or is internet-reachable) and the TLS state for HTTP and transport layers - The authentication and authorization config: realms/backends, roles, and role mappings, plus the list of applications and users that must keep working. Do the following: 1. **Assess exposure and anonymous access** — flag any cluster bound to a public interface, any open HTTP port without auth, and whether anonymous access or default credentials are enabled. 2. **Verify TLS on both layers** — confirm TLS is enabled and enforced on the REST/HTTP layer and on node-to-node transport, with proper CA validation (not self-signed-accept-all). 3. **Review authentication** — check that a real auth backend is configured (native/internal users, LDAP, OIDC, or SAML), that default/demo users are removed or rotated, and that service accounts use scoped API keys where available. 4. **Tighten RBAC to least privilege** — for each role, scope cluster and index privileges to the specific indices/patterns and actions needed; flag wildcard index patterns, `all` privileges, and role mappings that grant admin to broad groups. 5. **Harden data and audit** — check field/document-level security where required, snapshot repository access, and whether audit logging is enabled for auth and access events. 6. **Verify** — provide the API calls to confirm auth is enforced, list roles/role mappings, and test a scoped user against an allowed and a denied index. Output as: a findings table (issue, risk, fix), corrected security/TLS settings, and a per-role privilege definition scoped to real usage. Defensive hardening review only — no data-exfiltration tooling.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Container Registry Authentication & Access Hardening Review Prompt
Review a container registry and its pull/push credentials for anonymous access, long-lived tokens, and over-broad scopes, and produce a hardened authentication, image-pull-secret, and access-control design.
-
TLS Cipher Suite & Protocol Downgrade Audit Prompt
Audit a service's TLS configuration for weak protocol versions, insecure cipher suites, and downgrade/forward-secrecy gaps, and produce a hardened, compatibility-aware cipher policy.
-
Ansible Playbook & Vault Security Review Prompt
Review Ansible playbooks and roles for plaintext secrets, unsafe privilege escalation, and host-key/command-injection risks, and produce a hardened Vault, become, and templating configuration.
-
Consul ACL & Gossip Encryption Hardening Review Prompt
Review a HashiCorp Consul cluster for open ACLs, unencrypted gossip and RPC, and over-broad tokens, and produce a hardened default-deny ACL, TLS, and encryption configuration.
More DevOps Security & Hardening prompts & error guides
Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.