Description
This policy ensures that all traffic to Amazon Elasticsearch Service (ES) domains is encrypted using HTTPS. This helps to protect the confidentiality of data in transit and prevent man-in-the-middle attacks.
Rationale
HTTPS is a secure protocol that encrypts all data sent between a client and a server. This prevents unauthorized parties from viewing or tampering with the data. Enforcing HTTPS for all traffic to ES domains helps to protect the confidentiality of data, such as user credentials and search queries.
Impact
Enabling Enforce HTTPS on ES domains has the following impact:
- All traffic to ES domains will be encrypted using HTTPS.
- This will help to protect the confidentiality of data in transit.
- It will also help to prevent man-in-the-middle attacks.
Default Value
By default, AWS recommends that you enable Enforce HTTPS for all ES domains.
Prerequisites
To implement this policy, you will need the following:
- Access to the AWS Management Console or the AWS CLI.
- Knowledge of how to modify ES domain settings.
Remediation Steps
To remediate this policy, you can follow these steps:
- Log in to the AWS Management Console.
- Go to the Amazon Elasticsearch Service page.
- Select the domain that you want to modify.
- Click the Actions menu and select Modify encryptions.
- Select the Require HTTPS for all traffic to the domain checkbox.
- Click Submit.
Test Plan
To test the effectiveness of this policy, you can follow these steps:
- Use a tool such as Wireshark to capture network traffic.
- Send a request to the ES domain over HTTP.
- Verify that the traffic is encrypted using HTTPS.
Implementation Plan
To implement this policy, you can follow these steps:
- Create a new AWS IAM policy that allows users to modify ES domain settings.
- Attach the policy to the IAM users or roles that need to be able to implement this policy.
- Update the ES domain settings to require HTTPS for all traffic.
AWS CLI Process
To implement this policy using the AWS CLI, you can follow these steps:
- Run the following command to create a new IAM policy:
aws iam create-policy --policy-name enforce-https-for-es-domains --policy-document file://enforce-https-for-es-domains.json
- Run the following command to attach the policy to an IAM user (for a role, use attach-role-policy with --role-name <role-name> instead):
aws iam attach-user-policy --policy-arn arn:aws:iam::<account-id>:policy/enforce-https-for-es-domains --user-name <user-name>
- Run the following command to update the ES domain settings to require HTTPS for all traffic:
aws es update-elasticsearch-domain-config --domain-name <domain-name> --domain-endpoint-options EnforceHTTPS=true
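To see which domains still need the change before or after running the update command, the following added example (not part of the original page) audits every ES domain in the current region for the EnforceHTTPS setting. The function names and the sample data are constructed for illustration; it assumes the AWS CLI is configured with permission for es:ListDomainNames and es:DescribeElasticsearchDomain.

```shell
#!/bin/sh
# Added example: audit ES domains for EnforceHTTPS (function names are hypothetical).

# Emit one line per domain: name<TAB>EnforceHTTPS<TAB>TLSSecurityPolicy.
# With --output text the CLI prints booleans as True/False and a missing
# DomainEndpointOptions block as None.
list_https_settings() {
  for d in $(aws es list-domain-names \
               --query 'DomainNames[].DomainName' --output text); do
    printf '%s\t' "$d"
    aws es describe-elasticsearch-domain --domain-name "$d" \
      --query 'DomainStatus.DomainEndpointOptions.[EnforceHTTPS,TLSSecurityPolicy]' \
      --output text
  done
}

# Read those lines on stdin and print the domains that do not enforce HTTPS.
# Anything other than "True" (False, None, empty) counts as non-compliant.
# Exit status is 1 when at least one is found, so the check can gate a pipeline.
noncompliant_domains() {
  awk -F '\t' '$2 != "True" { print $1; bad = 1 } END { exit bad + 0 }'
}

# Full audit: query the account, then filter.
audit_enforce_https() {
  list_https_settings | noncompliant_domains
}

# Constructed sample of list_https_settings output, for trying the filter offline.
constructed_sample() {
  printf 'logs-prod\tTrue\tPolicy-Min-TLS-1-2-2019-07\n'
  printf 'search-dev\tFalse\tPolicy-Min-TLS-1-0-2019-07\n'
  printf 'legacy-metrics\tNone\n'
}
```

Source the file and run audit_enforce_https against a live account, or run constructed_sample | noncompliant_domains to try the filter without credentials.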
Using AWS GUI
To implement this policy using the AWS GUI, you can follow these steps:
- Go to the AWS Management Console.
- Go to the IAM page.
- Click the Policies tab.
- Click Create Policy.
- Select the JSON tab.
- Paste the following JSON code into the Policy Document field:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "es:UpdateElasticsearchDomainConfig", "Resource": "*" } ] }
- Click Review Policy.
- Enter a name for the policy and click Create.
- Go to the Elasticsearch Service page.
- Select the domain that you want to modify.
- Click the Actions menu and select Modify encryptions.
- Select the Require HTTPS for all traffic to the domain checkbox.
- Click Submit.
Backout Plan
To back out of this policy, you can follow these steps:
- Disable enforce HTTPS for the ES domain.
- Remove the IAM policy that allows users to modify ES domain settings.
Note:
This is a security best practice to ensure that all communications between your clients and your Amazon Elasticsearch Service (ES) domain are encrypted.
Reference:
- Amazon Elasticsearch Service provides option to mandate HTTPS: https://aws.amazon.com/about-aws/whats-new/2019/10/amazon-elasticsearch-service-provides-option-to-mandate-https/
- Ensure AWS Elasticsearch domains have EnforceHTTPS enabled: https://docs.bridgecrew.io/docs/elasticsearch_6
Section 2: Tags and Keywords
- Tags:
  - security
  - encryption
  - HTTPS
  - TLS
  - Amazon Elasticsearch Service (ES)
- Keywords:
  - enforce HTTPS
  - require HTTPS
  - encrypt traffic
  - secure communications