Profile Applicability:
Level 1
Description:
Amazon Elasticsearch Service (Amazon OpenSearch Service) provides a scalable search and analytics service. It supports a variety of use cases, such as log analysis and application search. HTTPS enforcement ensures that all communications with Amazon Elasticsearch/OpenSearch service domains occur over a secure, encrypted connection, preventing unauthorized access and protecting data in transit.
Enforcing HTTPS on an Elasticsearch/OpenSearch domain ensures that all connections to the domain are encrypted, providing an added layer of security for your data as it is transferred over the network.
Rationale:
Security: Enforcing HTTPS ensures that all communication between clients and the Elasticsearch/OpenSearch domains is encrypted, protecting data from man-in-the-middle (MITM) attacks and ensuring data confidentiality.
Data Integrity: Encrypted connections prevent data from being tampered with while in transit, ensuring that the data is not modified or corrupted during transmission.
Compliance: Many security and compliance frameworks (such as PCI-DSS, SOC 2, HIPAA) require that data in transit be encrypted. Enforcing HTTPS helps meet these requirements and strengthens the security posture of the environment.
Impact:
Pros:
Increased Security: By enforcing HTTPS, sensitive data is encrypted during transit, which protects against unauthorized access and attacks.
Improved Compliance: Helps meet regulatory and compliance requirements regarding data encryption in transit.
Data Integrity: Ensures that the data is not altered during transit, maintaining its integrity.
Cons:
Performance Impact: Encrypting data in transit may slightly reduce performance due to the overhead of establishing secure connections.
Client Compatibility: If certain clients or services are not configured to use HTTPS, they might face connectivity issues unless updated.
Default Value:
By default, Amazon Elasticsearch/OpenSearch domains allow both HTTP and HTTPS traffic. HTTPS enforcement is disabled by default and must be explicitly enabled.
Pre-requisite:
AWS IAM Permissions:
es:DescribeDomain
es:UpdateDomainConfig
AWS CLI installed and configured.
Amazon Elasticsearch/OpenSearch Domain already created.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Elasticsearch Service (or Amazon OpenSearch Service) under Services.
In the Elasticsearch/OpenSearch Console, select the domain you want to check.
Under Domain details, check the "Endpoint" section. Ensure the domain is using an HTTPS endpoint (indicated by https://).
Under Domain Configuration, look for the “Enforce HTTPS” setting.
If Enforce HTTPS is enabled, it will be listed as “Enabled.”
If it is not enabled, you need to modify the settings.
Using AWS CLI:
To check if HTTPS enforcement is enabled for a domain, run:
aws es describe-elasticsearch-domain-config --domain-name <domain-name> --query "DomainConfig.DomainEndpointOptions.Options.EnforceHTTPS"
The result should show "true" if HTTPS enforcement is enabled or "false" if it is not enabled.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Elasticsearch Service (or Amazon OpenSearch Service).
Select the Elasticsearch/OpenSearch domain you want to configure.
In the Domain details section, locate "Enforce HTTPS" under the Endpoint settings.
Click Edit, then toggle Enforce HTTPS to Enabled.
Save the changes to apply HTTPS enforcement.
Using AWS CLI:
To enable HTTPS enforcement for a specific domain, run:
aws es update-elasticsearch-domain-config \
  --domain-name <domain-name> \
  --domain-endpoint-options EnforceHTTPS=true
Verify that HTTPS enforcement has been applied by running:
aws es describe-elasticsearch-domain-config --domain-name <domain-name> --query "DomainConfig.DomainEndpointOptions.Options.EnforceHTTPS"
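The verification step above can be turned into a pass/fail check on saved CLI output. This is an added example, not part of the original benchmark text: it assumes the response nests the flag under DomainConfig.DomainEndpointOptions.Options and treats an option Status.State other than Active as not yet applied. The sample JSON and the function name check_enforce_https are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like the output of
# `aws es describe-elasticsearch-domain-config`; not taken from a real domain.
SAMPLE_OUTPUT = """
{
  "DomainConfig": {
    "DomainEndpointOptions": {
      "Options": {"EnforceHTTPS": true},
      "Status": {"State": "Processing", "PendingDeletion": false}
    }
  }
}
"""


def check_enforce_https(cli_output: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is PASS, PENDING or FAIL."""
    try:
        config = json.loads(cli_output)["DomainConfig"]
        endpoint = config.get("DomainEndpointOptions") or {}
        options = endpoint.get("Options") or {}
        state = (endpoint.get("Status") or {}).get("State", "unknown")
    except (json.JSONDecodeError, KeyError, TypeError, AttributeError):
        return "FAIL", "not a describe-elasticsearch-domain-config response"
    # Only a literal JSON true passes; a missing key or the string "true" fails.
    if options.get("EnforceHTTPS") is not True:
        return "FAIL", "EnforceHTTPS is not true"
    # Assumption: a State other than Active means the change is still in progress.
    if state != "Active":
        return "PENDING", f"EnforceHTTPS requested, option state is {state}"
    return "PASS", "EnforceHTTPS is true and the option is Active"


if __name__ == "__main__":
    # Usage: aws es describe-elasticsearch-domain-config ... | python3 check.py -
    # Without "-", the constructed sample above is evaluated instead.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_OUTPUT
    verdict, reason = check_enforce_https(text)
    print(f"{verdict}: {reason}")
    sys.exit(0 if verdict == "PASS" else 1)
```

A PENDING verdict means the check should be re-run once the domain finishes processing the configuration change.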
Backout Plan:
If enforcing HTTPS causes issues (e.g., incompatible clients or connectivity problems):
Identify the affected Elasticsearch/OpenSearch domain and review the configuration.
Revert the changes by disabling HTTPS enforcement:
aws es update-elasticsearch-domain-config \
  --domain-name <domain-name> \
  --domain-endpoint-options EnforceHTTPS=false
Monitor the domain to ensure that communication is restored over HTTP if needed, though this will reduce security.
Note:
Client Compatibility: Ensure that all clients accessing the Elasticsearch/OpenSearch service are configured to use HTTPS to prevent any service disruption.
Network Configuration: If you are using AWS VPC endpoints, ensure that the HTTPS endpoint is reachable from the VPC for private communication.