Ensure latest TLS version is used for AWS ElasticSearch Nodes

MEDIUM

Description

The AWS ElasticSearch node is not configured to use the latest TLS version. Using the latest version of TLS helps keep data in transit protected from man-in-the-middle and similar attacks on the domain endpoint.

Remediation

To configure the TLS version used for an OpenSearch domain, see the AWS documentation (below). This is done via the CLI and is not available in the Console.

In Terraform -

  1. In the aws_elasticsearch_domain resource, set the domain_endpoint_options.tls_security_policy field to the latest TLS policy.
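The following Terraform snippet is an added example (not code from the policy page or from the provider documentation) showing a failing configuration next to the remediated one; the domain name, engine version and instance type are placeholder assumptions.

```hcl
# Non-compliant: the endpoint still accepts TLS 1.0 (and HTTPS is not enforced),
# so clients can negotiate an outdated protocol for data in transit.
resource "aws_elasticsearch_domain" "weak_tls" {
  domain_name           = "example-logs-weak" # placeholder name
  elasticsearch_version = "7.10"              # assumed version

  cluster_config {
    instance_type = "t3.small.elasticsearch" # assumed size
  }

  domain_endpoint_options {
    enforce_https       = false
    tls_security_policy = "Policy-Min-TLS-1-0-2019-07"
  }
}

# Compliant: HTTPS is enforced and the minimum protocol is raised to TLS 1.2,
# which is the setting AC_AWS_0117 checks for in domain_endpoint_options.
resource "aws_elasticsearch_domain" "hardened_tls" {
  domain_name           = "example-logs" # placeholder name
  elasticsearch_version = "7.10"         # assumed version

  cluster_config {
    instance_type = "t3.small.elasticsearch" # assumed size
  }

  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }
}
```

Setting only `tls_security_policy` without `enforce_https = true` leaves plain HTTP reachable on the endpoint, so both fields are shown together.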

References:
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/infrastructure-security.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#tls_security_policy

Policy Details

Rule Reference ID: AC_AWS_0117
CSP: AWS
Remediation Available: Yes
Resource Category: Analytics
Resource Type: ElasticSearch Service

Frameworks