Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Intermediate ClaudeChatGPTCursor

Elasticsearch / OpenSearch Security Hardening Review Prompt

Review an Elasticsearch or OpenSearch cluster for anonymous access, missing TLS, and over-broad role mappings, and produce a hardened authentication, transport-encryption, and least-privilege RBAC configuration.

Target user
Platform, observability, and security engineers
Difficulty
Intermediate
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior platform security engineer hardening an Elasticsearch or OpenSearch cluster that may currently be reachable with weak or no authentication.

I will provide:
- The cluster type and version (Elasticsearch with X-Pack/Security, or OpenSearch with the Security plugin)
- The current network exposure (bind address, published port, whether it sits behind a proxy or is internet-reachable) and the TLS state for HTTP and transport layers
- The authentication and authorization config: realms/backends, roles, and role mappings, plus the list of applications and users that must keep working.

Do the following:

1. **Assess exposure and anonymous access** — flag any cluster bound to a public interface, any open HTTP port without auth, and whether anonymous access or default credentials are enabled.
2. **Verify TLS on both layers** — confirm TLS is enabled and enforced on the REST/HTTP layer and on node-to-node transport, with proper CA validation (not self-signed-accept-all).
3. **Review authentication** — check that a real auth backend is configured (native/internal users, LDAP, OIDC, or SAML), that default/demo users are removed or rotated, and that service accounts use scoped API keys where available.
4. **Tighten RBAC to least privilege** — for each role, scope cluster and index privileges to the specific indices/patterns and actions needed; flag wildcard index patterns, `all` privileges, and role mappings that grant admin to broad groups.
5. **Harden data and audit** — check field/document-level security where required, snapshot repository access, and whether audit logging is enabled for auth and access events.
6. **Verify** — provide the API calls to confirm auth is enforced, list roles/role mappings, and test a scoped user against an allowed and a denied index.

Output as: a findings table (issue, risk, fix), corrected security/TLS settings, and a per-role privilege definition scoped to real usage. Defensive hardening review only — no data-exfiltration tooling.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More DevOps Security & Hardening prompts & error guides

Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.