Data protection

OpenSearch (Elasticsearch) domain does not require TLS 1.2 encryption

Risk Level

Informational (4)



Amazon OpenSearch Service (the successor to Amazon Elasticsearch Service) is a managed service that simplifies the deployment, operation, and scaling of OpenSearch clusters in the AWS Cloud. It was found that the OpenSearch (Elasticsearch) domain {AwsElasticSearch} does not accept only secured HTTPS connections or does not require TLS version 1.2. Allowing only HTTPS connections can help protect against attacks such as person-in-the-middle, eavesdropping, or manipulation of network traffic. TLS 1.2 also contains enhancements over previous TLS versions.
Recommended Mitigation

It is recommended to allow only encrypted HTTPS connections and to set 'TLSSecurityPolicy' to Policy-Min-TLS-1-2-2019-07 on the OpenSearch (Elasticsearch) domain {AwsElasticSearch}.
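One way to check this finding and build the fix, as an added example that is not the scanner's own code: it audits the `DomainEndpointOptions` block of a DescribeDomain response and produces the values to send to UpdateDomainConfig. The domain names and sample data are constructed, and accepting the stricter `Policy-Min-TLS-1-2-PFS-2023-10` policy is an assumption that goes beyond what this page names.

```python
# Added example, not the scanner's own code. Sample data below is constructed.
RECOMMENDED_POLICY = "Policy-Min-TLS-1-2-2019-07"  # policy named on this page
# Assumption: the stricter PFS policy (not named on the page) also satisfies the rule.
ACCEPTED_POLICIES = {RECOMMENDED_POLICY, "Policy-Min-TLS-1-2-PFS-2023-10"}


def audit_endpoint_options(domain_name, options):
    """Return findings for one domain.

    `options` is DomainStatus["DomainEndpointOptions"] from a DescribeDomain
    response, e.g. boto3.client("opensearch").describe_domain(DomainName=...).
    """
    options = options or {}
    findings = []
    # Only a literal boolean True counts; a missing key is treated as not enforced.
    if options.get("EnforceHTTPS") is not True:
        findings.append(f"{domain_name}: EnforceHTTPS is not enabled")
    policy = options.get("TLSSecurityPolicy")
    if policy not in ACCEPTED_POLICIES:
        findings.append(
            f"{domain_name}: TLSSecurityPolicy is {policy!r}, "
            f"expected {RECOMMENDED_POLICY}"
        )
    return findings


def remediation_options(options):
    """Build DomainEndpointOptions for UpdateDomainConfig, keeping a stricter policy."""
    current = (options or {}).get("TLSSecurityPolicy")
    policy = current if current in ACCEPTED_POLICIES else RECOMMENDED_POLICY
    return {"EnforceHTTPS": True, "TLSSecurityPolicy": policy}


# Constructed sample: domain name -> DomainEndpointOptions (names are hypothetical).
SAMPLE_DOMAINS = {
    "logs-legacy": {"EnforceHTTPS": False, "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"},
    "search-half": {"EnforceHTTPS": True, "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"},
    "search-ok": {"EnforceHTTPS": True, "TLSSecurityPolicy": RECOMMENDED_POLICY},
}


def audit_all(domains):
    """Map each non-compliant domain to its findings; compliant domains are omitted."""
    report = {name: audit_endpoint_options(name, opts) for name, opts in domains.items()}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_DOMAINS).items():
        print("\n".join(found), "->", remediation_options(SAMPLE_DOMAINS[name]))
```

The `search-half` case shows why both settings are checked: HTTPS can be enforced while the domain still negotiates TLS versions below 1.2.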