TLS Security Policy Version

Risk Level: Medium (should be achieved)

Rule ID: ES-008

Ensure that your Amazon OpenSearch domains are configured with the latest predefined TLS security policy in order to follow security best practices, meet compliance requirements, and protect your domains from potential exploits that can target flaws in the old versions of the TLS protocol.

This rule can help you with the following compliance standards:

APRA
MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

The Transport Layer Security (TLS) protocol addresses network security issues such as tampering and eavesdropping between a client and a server. Using a security policy with old and deprecated TLS protocol versions can increase opportunities for malicious activities such as hacking, Man-in-the-Middle (MITM) and downgrade attacks. By updating the security policy associated with your Amazon OpenSearch domains, you can disable older and insecure versions of the TLS protocol.

Note: This conformity rule assumes that [in-transit encryption](https://link-to-it-encryption) is already enabled for your Amazon OpenSearch domains.

Audit

To determine the TLS security policy version configured for your Amazon OpenSearch domains, perform the following actions:

Note: Getting the TLS security policy version configured for your Amazon OpenSearch domains via the AWS Management Console is not currently supported.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region:

aws es list-domain-names
  --region us-east-1
  --query 'DomainNames[*].DomainName'

02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

[
	"trendmicro",
	"cloudconformity"
]

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to determine the version of the TLS security policy configured for the selected domain:

aws es describe-elasticsearch-domain
  --region us-east-1
  --domain-name trendmicro
  --query 'DomainStatus.DomainEndpointOptions.TLSSecurityPolicy'

04 The command output should return the name (version) of the implemented TLS security policy:

"Policy-Min-TLS-1-0-2019-07"

If the name (version) of the TLS security policy returned by the describe-elasticsearch-domain command output is different than "Policy-Min-TLS-1-2-2019-07" (i.e. the policy that implements TLS 1.2), the selected Amazon OpenSearch domain is not using the latest TLS security policy version, therefore the communication between the OpenSearch domain and its clients is vulnerable to attacks.

05 Repeat steps no. 3 and 4 for each Amazon OpenSearch domain available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To update the TLS security policy configured for your Amazon ElasticSearch domains to the latest version (i.e. Policy-Min-TLS-1-2-2019-07), perform the following actions:

Note: Updating the TLS security policy version for your Amazon OpenSearch domains using the AWS Management Console is not currently supported.

Using AWS CLI

01 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to reconfigure as the identifier parameter, to update the TLS security policy version to Policy-Min-TLS-1-2-2019-07 (which supports TLS v1.2) for the selected OpenSearch domain:

aws es update-elasticsearch-domain-config
  --region us-east-1
  --domain-name trendmicro
  --domain-endpoint-options EnforceHTTPS=true,TLSSecurityPolicy=Policy-Min-TLS-1-2-2019-07

02 The command output should return the configuration information available for the reconfigured domain:

{
	"DomainConfig": {
		"ElasticsearchVersion": {
			"Options": "7.9",
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"ElasticsearchClusterConfig": {
			"Options": {
				"InstanceType": "t3.small.elasticsearch",
				"InstanceCount": 3,
				"DedicatedMasterEnabled": false,
				"ZoneAwarenessEnabled": false,
				"WarmEnabled": false,
				"ColdStorageOptions": {
					"Enabled": false
				}
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"EBSOptions": {
			"Options": {
				"EBSEnabled": true,
				"VolumeType": "gp2",
				"VolumeSize": 15
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"SnapshotOptions": {
			"Options": {
				"AutomatedSnapshotStartHour": 0
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},

		...

		"VPCOptions": {
			"Options": {},
			"Status": {
				"CreationDate": "2022-01-03T19:09:03.386000+00:00",
				"UpdateDate": "2022-01-03T19:09:03.386000+00:00",
				"UpdateVersion": 9,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"DomainEndpointOptions": {
			"Options": {
				"EnforceHTTPS": true,
				"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07",
				"CustomEndpointEnabled": false
			},
			"Status": {
				"CreationDate": "2022-01-04T11:10:20.249000+00:00",
				"UpdateDate": "2022-01-04T18:34:44.420000+00:00",
				"UpdateVersion": 15,
				"State": "Processing",
				"PendingDeletion": false
			}
		},
		"EncryptionAtRestOptions": {
			"Options": {
				"Enabled": true,
				"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T19:46:37.481000+00:00",
				"UpdateVersion": 18,
				"State": "Processing",
				"PendingDeletion": false
			}
		},
		"NodeToNodeEncryptionOptions": {
			"Options": {
				"Enabled": true
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T19:09:03.288000+00:00",
				"UpdateVersion": 9,
				"State": "Processing",
				"PendingDeletion": false
			}
		}
	}
}

03 Repeat steps no. 1 and 2 update the TLS security policy version for other Amazon OpenSearch domains available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

AWS Documentation
Amazon OpenSearch Service FAQs
Data protection in Amazon OpenSearch Service
Amazon OpenSearch Service

AWS Command Line Interface (CLI) Documentation
es
list-domain-names
describe-elasticsearch-domain
update-elasticsearch-domain-config

Publication date Sep 13, 2017

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

TLS Security Policy Version

Risk Level: Medium

Audit

Using AWS CLI

Remediation / Resolution

Using AWS CLI

References

Related Elasticsearch rules