Secure your search server
Atlassian strongly recommends you secure access to your remote search server instance with a username and password, and a minimum of basic HTTP authentication. Bitbucket also supports Amazon’s request signing.
Secure Amazon OpenSearch Service with Amazon's request signing
AWS request signing allows you to use Amazon OpenSearch Service with Bitbucket. It lets you restrict your Amazon OpenSearch Service cluster so that it only accepts requests from the IAM user of the AWS EC2 node that Bitbucket is running on. To use Amazon OpenSearch Service, you must set the AWS region in the bitbucket.properties file to enable request signing:
plugin.search.config.aws.region=
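Request signing only restricts access if the domain's access policy names the signing identity. The following is an added example, not Atlassian's or AWS's code, that audits an access policy document offline for wildcard or unexpected principals. The ARNs, IP address and policy documents are constructed placeholders, and audit_access_policy is a hypothetical helper name.

```python
import json

# Constructed values: account ID, user name and domain name are placeholders.
EXPECTED = "arn:aws:iam::111122223333:user/bitbucket-search"
RESOURCE = "arn:aws:es:us-east-1:111122223333:domain/bitbucket-search/*"

def _policy(principal, condition=None):
    """Build a constructed single-statement domain access policy."""
    stmt = {"Effect": "Allow", "Principal": principal,
            "Action": "es:ESHttp*", "Resource": RESOURCE}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

RESTRICTED = _policy({"AWS": EXPECTED})
OPEN = _policy({"AWS": "*"})
IP_ONLY = _policy("*", {"IpAddress": {"aws:SourceIp": ["192.0.2.10/32"]}})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_access_policy(policy_json, expected_principal):
    """Return findings; an empty list means only the expected principal is allowed."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"statement {i}: Allow without Principal, review manually")
            continue
        if isinstance(principal, str):
            principals = [principal]
        else:
            principals = [p for v in principal.values() for p in _as_list(v)]
        for p in principals:
            if p == "*" and "Condition" in stmt:
                # Narrowed only by a condition (e.g. source IP), not by a signed identity.
                findings.append(f"statement {i}: wildcard principal with condition only")
            elif p == "*":
                findings.append(f"statement {i}: wildcard principal, open access")
            elif p != expected_principal:
                findings.append(f"statement {i}: unexpected principal {p}")
    return findings

if __name__ == "__main__":
    for name, doc in (("restricted", RESTRICTED), ("open", OPEN), ("ip-only", IP_ONLY)):
        print(name, audit_access_policy(doc, EXPECTED) or "ok")
```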
Secure OpenSearch with OpenSearch's security plugin
For instructions on how to configure the OpenSearch security plugin, see the page Install and configure a remote OpenSearch server - Step 3: Secure OpenSearch. The OpenSearch security plugin needs to be installed on every node in the cluster.
Secure Elasticsearch with Atlassian's Buckler plugin
For instructions on how to configure Buckler, see the page Install and configure a remote Elasticsearch server - Step 3: Secure Elasticsearch. Buckler needs to be installed on every node in the cluster.
Secure Elasticsearch with Elastic's Shield plugin
Bitbucket also supports authentication to Elasticsearch through other plugins that provide basic authentication, like Elastic's Shield plugin. This plugin isn't directly supported by Atlassian, but Bitbucket can still connect to Elasticsearch secured by the Shield plugin if basic authentication is configured.
Secure Elasticsearch with Elastic's IP filtering
You can also secure the connection between Elasticsearch and Bitbucket by configuring IP filtering.