
We are running an application using elasticsearch hosted on AWS. The client-side interface uses "ReactiveSearch" for vuejs, which makes POST requests against the "_msearch" interface described here: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-multi-search.html

Reading the documentation, I can't see anything that could make this approach unsafe, e.g. removing data, but I wanted to make sure. The AWS documentation "recommends" only leaving "GET" open: https://docs.aws.amazon.com/en_pv/elasticsearch-service/latest/developerguide/es-ac.html

So is it safe to expose this endpoint to the public?

Here is the AWS policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:ESHttpPost",
      "Resource": "arn:aws:es:us-east-2:943306001616:domain/wimj/product/_msearch",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "0.0.0.0/0"
        }
      }
    }
  ]
}
Asked by isset
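As an added example (not part of the question, and not AWS or ReactiveSearch code), here is a small Python review of the policy quoted above: it flags the anonymous principal, the 0.0.0.0/0 condition that restricts nothing, and any non-read action granted anonymously, and reports how narrowly the Resource ARN is scoped. The policy text is the one from the question; es:ESHttpGet and es:ESHttpHead are assumed to be the read-only actions.

```python
import ipaddress
import json

# Constructed sample: the Amazon ES domain access policy quoted in the question.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "es:ESHttpPost",
    "Resource": "arn:aws:es:us-east-2:943306001616:domain/wimj/product/_msearch",
    "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}
  }]
}""")

# Assumed read-only actions; anything else is treated as a write-capable verb.
READ_ONLY_ACTIONS = ("es:ESHttpGet", "es:ESHttpHead")

def as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def ip_condition_is_noop(condition):
    """True when no aws:SourceIp range is set or every range has prefix length 0."""
    ranges = as_list(condition.get("IpAddress", {}).get("aws:SourceIp", []))
    if not ranges:
        return True
    return all(ipaddress.ip_network(r, strict=False).prefixlen == 0 for r in ranges)

def review_statement(stmt):
    """Return human-readable findings for one Allow statement (Deny statements are skipped)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    anonymous = is_anonymous(stmt.get("Principal", {}))
    if anonymous:
        findings.append("principal is '*': any caller, no IAM identity required")
    if ip_condition_is_noop(stmt.get("Condition", {})):
        findings.append("no effective aws:SourceIp restriction (0.0.0.0/0 or absent)")
    non_read = [a for a in as_list(stmt.get("Action", [])) if a not in READ_ONLY_ACTIONS]
    if anonymous and non_read:
        findings.append("non-GET actions granted anonymously: " + ", ".join(non_read))
    for arn in as_list(stmt.get("Resource", [])):
        path = arn.split(":domain/", 1)[-1]            # e.g. wimj/product/_msearch
        whole = path.endswith("/*") or "/" not in path  # domain/* or bare domain name
        findings.append(f"resource scope: {path!r} ({'whole domain' if whole else 'single path only'})")
    return findings

def review_policy(policy):
    return [f for s in policy["Statement"] for f in review_statement(s)]

if __name__ == "__main__":
    for finding in review_policy(SAMPLE_POLICY):
        print("-", finding)
```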

0 Answers