Is APM Server (port 8200) secure by default? How to make it secure?

Hello,

it would be very kind, if an expert could help me. I try to setup (for a non profit project) the elastic stack:

Is a default APM Server Installation (from the official Docker Image), as described here: https://www.elastic.co/guide/en/apm/server/current/running-on-docker.html secure by default, when the port 8200 is publicly exposed? I have it running with TLS, but am very afraid I missed something.

With secure I mean, no one can retrieve any data. As it is described in the documentation port 8200 needs to be publicly accessible from my React App (RUM Agent) and as React Apps can not contain any secrets there is no way to really protect the port 8200 access. I am aware of the attack vector of someone sending arbitrary data. But I was not able to find any information whether port 8200 somehow in any way might also allow to query data and might need to be specially configured to only allow data in, not out.

Furthermore, is the APM Server protected from invalid data input from an attacker (or do I somehow have to implement a further input-sanitization layer/proxy or have to configure this somehow?).

Any advice would be very much appreciated, how to secure the APM server port 8200. Thanks very much!

The APM Server currently supports a couple of different endpoints, mainly a

  • events Intake API for ingesting data from APM agents to Elasticsearch via the APM Server. It contains a dedicated endpoint for uploading RUM events.
  • sourcemap upload API for uploading sourcemaps that then can be applied to ingested RUM events
  • agent configuration API to retrieve some configuration settings for the agents. It contains a dedicated endpoint for RUM agents.
  • endpoint for retrieving some information about the running APM Server.

The Events Intake API and sourcemap upload API are ingesting data. The agent configuration API is fetching data and returning them back. The retrieved data are configuration settings data for the agents, e.g. sampling rate for a service. Read more about how to configure and enable/disable the agent configuration API and Kibana.

For securing the communication between APM Agents and the Server, you can configure a secret token. Be aware though, that a secret token will not be applied for any of the RUM endpoints, as there is no way of preventing such a token from being public. The RUM endpoints can be enabled/disabled via configuration.
For the events Intake API RUM endpoint the APM server uses some basic rate limiting. Depending on your use case and requirements it might make sense to put proxies or more advanced rate limiters in front of the APM Server.

The docs contain a section describing how to Secure APM Server, which also includes pointers about securing the communication between the APM Server and Elasticsearch. It is important to also secure other Elastic stack components, securing an Elasticsearch cluster and securing Kibana might help as pointers on how to do that.

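As an added illustration of the "proxy in front of the APM Server" advice above (example configuration, not part of the original thread or of the Elastic docs): a TLS-terminating nginx reverse proxy that exposes only the two endpoints a browser RUM agent needs and denies everything else, so the secret-token intake, sourcemap upload and server-info endpoints are never reachable from the internet. The hostname and certificate paths are placeholders, the endpoint paths are the ones used by APM Server 7.x and should be checked against your version, and the APM Server itself is assumed to be bound to localhost (`apm-server.host: "localhost:8200"`) so that only the proxy can reach it.

```nginx
# Added example, not from the original thread. Public edge for a RUM-only
# APM Server deployment: only the browser-facing RUM endpoints are proxied.
# Endpoint paths are APM Server 7.x; verify them for your version.

# Per-client-IP request budget for the RUM endpoints (assumed values)
limit_req_zone $binary_remote_addr zone=rum:10m rate=20r/s;

upstream apm_server {
    server 127.0.0.1:8200;   # APM Server listens on localhost only
}

server {
    listen 443 ssl;
    server_name apm.example.org;                   # placeholder hostname
    ssl_certificate     /etc/nginx/tls/apm.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/tls/apm.key;

    client_max_body_size 1m;   # RUM batches are small; cap request bodies

    # RUM event intake: data flows in only, POST (plus CORS preflight)
    location = /intake/v2/rum/events {
        limit_except POST OPTIONS { deny all; }
        limit_req zone=rum burst=40 nodelay;
        proxy_pass http://apm_server;
        # Lets APM Server's own rate limiter see the real client address
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # RUM agent configuration: returns only agent settings (e.g. sampling
    # rate), never ingested events
    location = /config/v1/rum/agents {
        limit_except GET OPTIONS { deny all; }
        limit_req zone=rum burst=40 nodelay;
        proxy_pass http://apm_server;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Non-RUM intake, sourcemap upload and the server-info endpoint are
    # not for browsers: deny them at the edge instead of relying on 8200
    location / {
        return 404;
    }
}
```

Restricting browser origins is still done in apm-server.yml (the RUM `allow_origins` setting), since the proxy only decides which paths and methods are reachable.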

Hello Silvia,

thank you so much for your help!

Thanks and best regards.