Detections
Analytics

Ensure HTTPS-only is enforced for AWS ElasticSearch Domain

MEDIUM

Description

HTTPS using TLS can be required in OpenSearch (formerly named ElastiSearch) for node-to-node encryption while data is in transit. Encryption is considered best practice and can help protect sensitive data. For more information, see the AWS Documentation.
References:
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ntn.html

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the OpenSearch Console.
  2. Under Managed clusters in the navigation bar, select Domains.
  3. Choose the domain to edit, and under the Actions drop-down, select Edit security configuration.
  4. Under Encryption, check the box for Require HTTPS for all traffic to the domain.
  5. Select Save changes.

In Terraform -

  1. In the aws_elasticsearch_domain resource, set the domain_endpoint_options.enforce_https to true.

References:
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#enforce_https

Policy Details

Rule Reference ID: AC_AWS_0115
CSP: AWS
Remediation Available: Yes
Domain: Infrastructure Security
Resource: aws_elasticsearch_domain
Resource Category: Analytics
Resource Type: ElasticSearch Service

Frameworks