Ensure that your Amazon OpenSearch domains are configured to require that all traffic be submitted over HTTPS, so that communication between the domains and their clients is encrypted using SSL/TLS. This prevents potential attackers from intercepting the traffic and keeps the OpenSearch domain's data secure.
This rule can help you work with the AWS Well-Architected Framework.
When working with production and sensitive data, it is strongly recommended to enforce in-transit encryption in order to protect your OpenSearch data from unauthorized access and to fulfill your organization's compliance requirements for data encryption. One such requirement is the protection of sensitive data that could identify a specific individual, such as Personally Identifiable Information (PII), which is commonly handled in the Financial Services, Healthcare and Telecommunications sectors.
Audit
To determine if your Amazon OpenSearch domains are configured to enforce in-transit encryption, perform the following operations:
Remediation / Resolution
When in-transit encryption is enabled, your Amazon OpenSearch domains (clusters) accept only requests over HTTPS. To enable in-transit encryption for your OpenSearch domains, perform the following operations:
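As an added example (not part of the original rule page), the following Python evaluates the JSON that `aws es describe-elasticsearch-domain` returns for a domain and, when HTTPS is not enforced, builds the matching `aws es update-elasticsearch-domain-config` command. The sample responses are constructed, and the `TLSSecurityPolicy` value is an assumption beyond what the page states.

```python
import json
import shlex

# Assumption: besides EnforceHTTPS, DomainEndpointOptions carries TLSSecurityPolicy,
# which sets the minimum TLS version the endpoint accepts. Enforcing HTTPS alone
# still permits TLS 1.0 under the default policy, so remediation sets both.
MIN_TLS_POLICY = "Policy-Min-TLS-1-2-2019-07"


def remediation_command(domain_name: str) -> str:
    """Build the CLI command that turns on HTTPS enforcement for one domain."""
    return " ".join([
        "aws es update-elasticsearch-domain-config",
        "--domain-name", shlex.quote(domain_name),
        "--domain-endpoint-options",
        f"EnforceHTTPS=true,TLSSecurityPolicy={MIN_TLS_POLICY}",
    ])


def audit_domain(describe_output: str) -> dict:
    """Evaluate describe-elasticsearch-domain JSON for in-transit encryption.

    A domain with no DomainEndpointOptions block (older domains) is treated as
    not enforcing HTTPS, which is the conservative reading for an audit.
    """
    status = json.loads(describe_output)["DomainStatus"]
    name = status["DomainName"]
    options = status.get("DomainEndpointOptions") or {}
    enforce_https = bool(options.get("EnforceHTTPS", False))
    finding = {"domain": name, "enforce_https": enforce_https, "compliant": enforce_https}
    if not enforce_https:
        finding["remediation"] = remediation_command(name)
    return finding


# Constructed sample responses, trimmed to the fields the check reads.
SAMPLE_NONCOMPLIANT = json.dumps({"DomainStatus": {"DomainName": "logs-prod",
    "DomainEndpointOptions": {"EnforceHTTPS": False, "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"}}})
SAMPLE_COMPLIANT = json.dumps({"DomainStatus": {"DomainName": "search-api",
    "DomainEndpointOptions": {"EnforceHTTPS": True, "TLSSecurityPolicy": MIN_TLS_POLICY}}})
SAMPLE_LEGACY = json.dumps({"DomainStatus": {"DomainName": "legacy-es"}})

if __name__ == "__main__":
    for sample in (SAMPLE_NONCOMPLIANT, SAMPLE_COMPLIANT, SAMPLE_LEGACY):
        print(json.dumps(audit_domain(sample), indent=2))
```

In practice the input comes from `aws es describe-elasticsearch-domain --domain-name <name>` run once per name returned by `aws es list-domain-names`.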
References
- AWS Documentation
  - Amazon OpenSearch Service FAQs
  - Data protection in Amazon OpenSearch Service
- AWS Announcements
  - Amazon Elasticsearch Service provides option to mandate HTTPS
- AWS Command Line Interface (CLI) Documentation
  - es
    - list-domain-names
    - describe-elasticsearch-domain
    - update-elasticsearch-domain-config