Enable In-Transit Encryption

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Amazon OpenSearch domains are configured to require that all traffic be submitted over HTTPS, so that communication between the domains and their clients is encrypted using SSL/TLS. This prevents potential attackers from intercepting the traffic and keeps the OpenSearch domain's data secure.

This rule can help you work with the AWS Well-Architected Framework.

Security

When working with production and sensitive data, it is strongly recommended to enforce in-transit encryption in order to protect your OpenSearch data from unauthorized access and to fulfill compliance requirements for data encryption within your organization. For example, a common compliance requirement is to protect sensitive data that could identify a specific individual, such as Personally Identifiable Information (PII), which is commonly handled in the Financial Services, Healthcare and Telecommunications sectors.


Audit

To determine if your Amazon OpenSearch domains are configured to enforce in-transit encryption, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Click on the name (link) of the OpenSearch domain that you want to examine.

05 Select the Security configuration tab and check the Required HTTPS attribute value listed in the Encryption section. If Required HTTPS is set to No, in-transit encryption is not enabled for the selected Amazon OpenSearch domain, and therefore the communication between the OpenSearch domain and its clients is not protected.

06 Repeat steps no. 4 and 5 for each Amazon OpenSearch domain available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region:

aws es list-domain-names \
  --region us-east-1 \
  --query 'DomainNames[*].DomainName'

02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

[
	"trendmicro",
	"cloudconformity"
]

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to determine if in-transit encryption is enabled for the selected domain:

aws es describe-elasticsearch-domain \
  --region us-east-1 \
  --domain-name trendmicro \
  --query 'DomainStatus.DomainEndpointOptions.EnforceHTTPS'

04 The command output should return the configuration status available for in-transit encryption:

false

If the describe-elasticsearch-domain command output returns false, as shown in the output example above, in-transit encryption is not enabled for the selected Amazon OpenSearch domain (cluster).

05 Repeat steps no. 3 and 4 for each Amazon OpenSearch domain available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

When in-transit encryption is enabled, your Amazon OpenSearch domains (clusters) accept only requests over HTTPS. To enable in-transit encryption for your OpenSearch domains, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Select the OpenSearch domain that you want to reconfigure, choose Actions from the console top menu, and select Edit security configuration.

05 In the Encryption section, select the Require HTTPS for all traffic to the domain checkbox to enable in-transit encryption for the selected Amazon OpenSearch domain. Choose Save changes to apply the configuration changes.

06 Repeat steps no. 4 and 5 to enable in-transit encryption for other Amazon OpenSearch domains available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to reconfigure as the identifier parameter to enable client-to-cluster encryption using SSL/TLS, also known as in-transit encryption, for the selected OpenSearch domain:

aws es update-elasticsearch-domain-config \
  --region us-east-1 \
  --domain-name trendmicro \
  --domain-endpoint-options EnforceHTTPS=true,TLSSecurityPolicy=Policy-Min-TLS-1-2-2019-07

02 The command output should return the configuration information available for the reconfigured domain (cluster):

{
	"DomainConfig": {
		"ElasticsearchVersion": {
			"Options": "7.9",
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"ElasticsearchClusterConfig": {
			"Options": {
				"InstanceType": "t3.small.elasticsearch",
				"InstanceCount": 3,
				"DedicatedMasterEnabled": false,
				"ZoneAwarenessEnabled": false,
				"WarmEnabled": false,
				"ColdStorageOptions": {
					"Enabled": false
				}
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"EBSOptions": {
			"Options": {
				"EBSEnabled": true,
				"VolumeType": "gp2",
				"VolumeSize": 15
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"SnapshotOptions": {
			"Options": {
				"AutomatedSnapshotStartHour": 0
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},

		...

		"VPCOptions": {
			"Options": {},
			"Status": {
				"CreationDate": "2022-01-03T19:09:03.386000+00:00",
				"UpdateDate": "2022-01-03T19:09:03.386000+00:00",
				"UpdateVersion": 9,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"DomainEndpointOptions": {
			"Options": {
				"EnforceHTTPS": true,
				"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07",
				"CustomEndpointEnabled": false
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T20:42:02.290000+00:00",
				"UpdateVersion": 26,
				"State": "Processing",
				"PendingDeletion": false
			}
		},
		"EncryptionAtRestOptions": {
			"Options": {
				"Enabled": true,
				"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T19:46:37.481000+00:00",
				"UpdateVersion": 18,
				"State": "Processing",
				"PendingDeletion": false
			}
		},
		"NodeToNodeEncryptionOptions": {
			"Options": {
				"Enabled": true
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T19:09:03.288000+00:00",
				"UpdateVersion": 9,
				"State": "Processing",
				"PendingDeletion": false
			}
		}
	}
}

03 Repeat steps no. 1 and 2 to enable in-transit encryption for other Amazon OpenSearch domains available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
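The following script is an added example, not part of the Conformity page, that implements the CLI Audit steps (list domains, inspect EnforceHTTPS) and the CLI Remediation step (update-elasticsearch-domain-config) with boto3. audit_domain() evaluates the DomainStatus JSON offline; audit_region() and remediate_domain() are the live variants and assume boto3 is installed with credentials that can call the es API. The sample JSON and the "legacy" domain name are constructed.

```python
import json

LEGACY_TLS_POLICY = "Policy-Min-TLS-1-0-2019-07"  # AWS policy that still admits TLS 1.0 clients
TARGET_TLS_POLICY = "Policy-Min-TLS-1-2-2019-07"  # the policy the page's update command sets


def audit_domain(domain_status: dict) -> dict:
    """Finding for one domain from its DomainStatus JSON (as returned by
    `aws es describe-elasticsearch-domain`); compliant means EnforceHTTPS is true."""
    opts = domain_status.get("DomainEndpointOptions") or {}
    enforce_https = bool(opts.get("EnforceHTTPS", False))
    tls_policy = opts.get("TLSSecurityPolicy")
    warnings = []
    if enforce_https and tls_policy == LEGACY_TLS_POLICY:
        warnings.append("HTTPS enforced but TLS 1.0 clients are still accepted")
    return {"domain": domain_status.get("DomainName"), "enforce_https": enforce_https,
            "tls_policy": tls_policy, "compliant": enforce_https, "warnings": warnings}


def audit_region(region: str) -> list:
    """Live variant of CLI audit steps 01-05: needs boto3 and AWS credentials."""
    import boto3  # imported lazily so audit_domain() stays dependency-free
    es = boto3.client("es", region_name=region)
    names = [d["DomainName"] for d in es.list_domain_names()["DomainNames"]]
    findings = []
    for i in range(0, len(names), 5):  # the describe call accepts at most 5 names
        resp = es.describe_elasticsearch_domains(DomainNames=names[i:i + 5])
        findings.extend(audit_domain(d) for d in resp["DomainStatusList"])
    return findings


def remediate_domain(region: str, name: str) -> dict:
    """Live variant of the page's update-elasticsearch-domain-config step."""
    import boto3
    es = boto3.client("es", region_name=region)
    resp = es.update_elasticsearch_domain_config(
        DomainName=name,
        DomainEndpointOptions={"EnforceHTTPS": True, "TLSSecurityPolicy": TARGET_TLS_POLICY})
    return resp["DomainConfig"]["DomainEndpointOptions"]["Options"]


# Constructed sample shaped like the page's describe-elasticsearch-domain output.
SAMPLE_STATUS = json.loads('{"DomainName": "trendmicro", "DomainEndpointOptions": '
                           '{"EnforceHTTPS": false, "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"}}')

if __name__ == "__main__":
    print(json.dumps(audit_domain(SAMPLE_STATUS), indent=2))
```

Run audit_region() for each region in turn, then call remediate_domain() only for findings whose compliant flag is false; the returned Options should show EnforceHTTPS true, with the change reported as Processing until the domain finishes updating.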

Publication date May 1, 2023