You can protect the whole Elasticsearh REST API with a single HTTP Basic Auth login with a single rule, yes.
readonlyrest:
# audit_collector: true
access_control_rules:
- name: "Global Access"
auth_key: "elastic:changeme"
verbosity: "error"
The verbosity rule is to only log requests with bad credentials.
Optionally, you can enable the audit collector to log malicious requests into an index, so you can make graphs in Kibana.
Remember though that this is a very weak solution, until you also use SSL, which conveniently, ROR supports.