by zurn 1554 days ago
Interesting that ES is still such a widely used component, this is a huge red flag about a software product. And of course there are lots of other regular complaints about it (eg uses a lot of memory and wants a 3-node cluster so costs 4 figures/mo to run on AWS).
2 comments

Because an ES cluster should not be on a public network. If anything, this is a red flag for AWS. ES v8 has many improvements to security.

It costs that much because AWS is incredibly expensive.

Network segregation is your last line of defense. Having anything rely on it is a recipe for bad security that's always just one step away from someone getting around it due to misconfiguration, request forgery, network configuration changes over time, malware transiting over via VPNs, etc. And of course, from the SW vendor's POV they don't know if the customer env employs this defense-in-depth layer, so it's really irresponsible to rely on it. As is amply demonstrated here...

If a product upon unboxing promptly flops on its back with "come here internet" access controls, even if by good fortune it's saved by your network ACLs, it's time to put it back in the box and return it.

One problem is there is very little reliable best practice on network security. Do you have any good resources?

I guess there are more things to consider when choosing a software product than poor security defaults and that it feels expensive.