Ensure that your Amazon OpenSearch domains are configured with the latest predefined TLS security policy in order to follow security best practices, meet compliance requirements, and protect your domains from exploits that target flaws in older versions of the TLS protocol.
This rule can help you with the following compliance standards:
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
The Transport Layer Security (TLS) protocol addresses network security issues such as tampering and eavesdropping between a client and a server. Using a security policy that still permits old and deprecated TLS protocol versions increases the opportunity for malicious activity such as Man-in-the-Middle (MITM) and protocol downgrade attacks. By updating the security policy associated with your Amazon OpenSearch domains, you disable the older, insecure versions of the TLS protocol on the domain endpoint.
Note: This conformity rule assumes that [in-transit encryption](https://link-to-it-encryption) is already enabled for your Amazon OpenSearch domains.
Audit
To determine the TLS security policy version configured for your Amazon OpenSearch domains, perform the following actions:
Note: Getting the TLS security policy version configured for your Amazon OpenSearch domains via the AWS Management Console is not currently supported.
Remediation / Resolution
To update the TLS security policy configured for your Amazon OpenSearch domains to the latest version (i.e. Policy-Min-TLS-1-2-2019-07), perform the following actions:
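The audit and remediation steps above both go through the AWS CLI `es` commands listed in the references. The script below is an added example, not part of the Conformity rule page or of AWS's own documentation: it lists every domain in the configured region, reads each domain's `TLSSecurityPolicy`, reports domains that are not on Policy-Min-TLS-1-2-2019-07, and optionally updates them. It assumes the AWS CLI is installed with working credentials and a default region; the JMESPath `--query` paths follow the `describe-elasticsearch-domain` and `list-domain-names` output structure, and the `--domain-endpoint-options` shorthand sets both `EnforceHTTPS` and `TLSSecurityPolicy` because the policy applies to the HTTPS endpoint (the rule already assumes in-transit encryption is enabled). The domain names in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Conformity page): audit, and optionally
# remediate, the TLS security policy of every Amazon OpenSearch domain
# reachable through the legacy "aws es" CLI commands.
# Assumes: AWS CLI installed, credentials and region configured.

LATEST_POLICY="Policy-Min-TLS-1-2-2019-07"   # the policy the rule names as latest

# is_latest_policy NAME -> exit status 0 if NAME is the expected policy, 1 otherwise.
is_latest_policy() {
    [ "$1" = "$LATEST_POLICY" ]
}

# verdict DOMAIN POLICY -> one audit line per domain. An empty POLICY (attribute
# absent from the domain configuration) is reported as NONE and is non-compliant.
verdict() {
    if is_latest_policy "$2"; then
        printf '%s: OK (%s)\n' "$1" "$2"
    else
        printf '%s: NON-COMPLIANT (%s)\n' "$1" "${2:-NONE}"
    fi
}

# get_policy DOMAIN -> the TLSSecurityPolicy currently configured on the domain.
get_policy() {
    aws es describe-elasticsearch-domain --domain-name "$1" \
        --query 'DomainStatus.DomainEndpointOptions.TLSSecurityPolicy' \
        --output text
}

# remediate DOMAIN -> enforce HTTPS and move the domain to the latest policy.
remediate() {
    aws es update-elasticsearch-domain-config --domain-name "$1" \
        --domain-endpoint-options "EnforceHTTPS=true,TLSSecurityPolicy=$LATEST_POLICY"
}

# audit_all [--fix] -> audit every domain in the region; with --fix, remediate
# the non-compliant ones (e.g. a constructed "dev-logs" domain still on TLS 1.0).
audit_all() {
    for d in $(aws es list-domain-names --query 'DomainNames[*].DomainName' --output text); do
        p=$(get_policy "$d")
        [ "$p" = "None" ] && p=""     # the CLI prints "None" for a missing attribute
        verdict "$d" "$p"
        if [ "$1" = "--fix" ] && ! is_latest_policy "$p"; then
            remediate "$d"
        fi
    done
}

# Only contact AWS when invoked explicitly:  ./tls-audit.sh audit [--fix]
if [ "${1:-}" = "audit" ]; then
    audit_all "${2:-}"
fi
```

Run `./tls-audit.sh audit` first and review the NON-COMPLIANT lines; a domain config update triggers a blue/green deployment, so apply `--fix` during a maintenance window and confirm afterwards with a second audit run.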
Note: Updating the TLS security policy version for your Amazon OpenSearch domains using the AWS Management Console is not currently supported.
References
- AWS Documentation
  - Amazon OpenSearch Service FAQs
  - Data protection in Amazon OpenSearch Service
  - Amazon OpenSearch Service
- AWS Command Line Interface (CLI) Documentation
  - es
  - list-domain-names
  - describe-elasticsearch-domain
  - update-elasticsearch-domain-config