TLS Security Policy Version

Risk Level: Medium (should be achieved)
Rule ID: ES-008

Ensure that your Amazon OpenSearch domains are configured with the latest predefined TLS security policy in order to follow security best practices, meet compliance requirements, and protect your domains from potential exploits that can target flaws in the old versions of the TLS protocol.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

The Transport Layer Security (TLS) protocol addresses network security issues such as tampering and eavesdropping between a client and a server. Using a security policy with old and deprecated TLS protocol versions can increase opportunities for malicious activities such as hacking, Man-in-the-Middle (MITM) and downgrade attacks. By updating the security policy associated with your Amazon OpenSearch domains, you can disable older and insecure versions of the TLS protocol.

Note: This conformity rule assumes that [in-transit encryption](https://link-to-it-encryption) is already enabled for your Amazon OpenSearch domains.


Audit

To determine the TLS security policy version configured for your Amazon OpenSearch domains, perform the following actions:

Note: Getting the TLS security policy version configured for your Amazon OpenSearch domains via the AWS Management Console is not currently supported.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region:

aws es list-domain-names \
  --region us-east-1 \
  --query 'DomainNames[*].DomainName'

02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

[
	"trendmicro",
	"cloudconformity"
]

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to determine the version of the TLS security policy configured for the selected domain:

aws es describe-elasticsearch-domain \
  --region us-east-1 \
  --domain-name trendmicro \
  --query 'DomainStatus.DomainEndpointOptions.TLSSecurityPolicy'

04 The command output should return the name (version) of the implemented TLS security policy:

"Policy-Min-TLS-1-0-2019-07"

If the name (version) of the TLS security policy returned by the describe-elasticsearch-domain command output is different from "Policy-Min-TLS-1-2-2019-07" (i.e. the policy that requires TLS 1.2), the selected Amazon OpenSearch domain is not using the latest TLS security policy version, and the communication between the OpenSearch domain and its clients remains exposed to attacks against the older TLS protocol versions.

05 Repeat steps no. 3 and 4 for each Amazon OpenSearch domain available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To update the TLS security policy configured for your Amazon OpenSearch domains to the latest version (i.e. Policy-Min-TLS-1-2-2019-07), perform the following actions:

Note: Updating the TLS security policy version for your Amazon OpenSearch domains using the AWS Management Console is not currently supported.

Using AWS CLI

01 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to reconfigure as the identifier parameter to update the TLS security policy version to Policy-Min-TLS-1-2-2019-07 (which enforces TLS 1.2 as the minimum protocol version) for the selected OpenSearch domain:

aws es update-elasticsearch-domain-config \
  --region us-east-1 \
  --domain-name trendmicro \
  --domain-endpoint-options EnforceHTTPS=true,TLSSecurityPolicy=Policy-Min-TLS-1-2-2019-07

02 The command output should return the configuration information available for the reconfigured domain:

{
	"DomainConfig": {
		"ElasticsearchVersion": {
			"Options": "7.9",
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"ElasticsearchClusterConfig": {
			"Options": {
				"InstanceType": "t3.small.elasticsearch",
				"InstanceCount": 3,
				"DedicatedMasterEnabled": false,
				"ZoneAwarenessEnabled": false,
				"WarmEnabled": false,
				"ColdStorageOptions": {
					"Enabled": false
				}
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"EBSOptions": {
			"Options": {
				"EBSEnabled": true,
				"VolumeType": "gp2",
				"VolumeSize": 15
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"SnapshotOptions": {
			"Options": {
				"AutomatedSnapshotStartHour": 0
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T18:01:14.941000+00:00",
				"UpdateVersion": 5,
				"State": "Active",
				"PendingDeletion": false
			}
		},

		...

		"VPCOptions": {
			"Options": {},
			"Status": {
				"CreationDate": "2022-01-03T19:09:03.386000+00:00",
				"UpdateDate": "2022-01-03T19:09:03.386000+00:00",
				"UpdateVersion": 9,
				"State": "Active",
				"PendingDeletion": false
			}
		},
		"DomainEndpointOptions": {
			"Options": {
				"EnforceHTTPS": true,
				"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07",
				"CustomEndpointEnabled": false
			},
			"Status": {
				"CreationDate": "2022-01-04T11:10:20.249000+00:00",
				"UpdateDate": "2022-01-04T18:34:44.420000+00:00",
				"UpdateVersion": 15,
				"State": "Processing",
				"PendingDeletion": false
			}
		},
		"EncryptionAtRestOptions": {
			"Options": {
				"Enabled": true,
				"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T19:46:37.481000+00:00",
				"UpdateVersion": 18,
				"State": "Processing",
				"PendingDeletion": false
			}
		},
		"NodeToNodeEncryptionOptions": {
			"Options": {
				"Enabled": true
			},
			"Status": {
				"CreationDate": "2022-01-03T17:49:09.216000+00:00",
				"UpdateDate": "2022-01-03T19:09:03.288000+00:00",
				"UpdateVersion": 9,
				"State": "Processing",
				"PendingDeletion": false
			}
		}
	}
}

03 Repeat steps no. 1 and 2 to update the TLS security policy version for other Amazon OpenSearch domains available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
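The repeat-for-each-domain loops that close both the Audit and the Remediation procedures, written out as an added shell example (not code from the Conformity page or from AWS): it checks every domain in a region against Policy-Min-TLS-1-2-2019-07 using the same aws es queries as above and, only when the hypothetical FIX=1 variable is set, runs the update-elasticsearch-domain-config command from Remediation step 01 on the non-compliant domains. It assumes a credentialed AWS CLI on the PATH.

```shell
#!/usr/bin/env sh
# Added example, not code from the Conformity rule page or from AWS. Audits
# every Amazon OpenSearch domain in one region against the expected TLS
# security policy and, only when FIX=1 is set, applies the page's remediation
# command to the non-compliant ones. Assumes a credentialed AWS CLI on PATH.

EXPECTED_POLICY="Policy-Min-TLS-1-2-2019-07"  # raise here when AWS publishes a newer policy

# Succeeds only when the policy name passed in is the expected one.
is_compliant_policy() {
  [ "$1" = "$EXPECTED_POLICY" ]
}

# Prints the TLS security policy of one domain as a bare string (no quotes).
domain_tls_policy() {
  aws es describe-elasticsearch-domain --region "$1" --domain-name "$2" \
    --query 'DomainStatus.DomainEndpointOptions.TLSSecurityPolicy' --output text
}

# Remediation step 01 from the page; prints the resulting option state
# (normally "Processing" while the domain applies the change).
remediate_domain() {
  aws es update-elasticsearch-domain-config --region "$1" --domain-name "$2" \
    --domain-endpoint-options "EnforceHTTPS=true,TLSSecurityPolicy=$EXPECTED_POLICY" \
    --query 'DomainConfig.DomainEndpointOptions.Status.State' --output text
}

# Audit steps 01-05 for one region. One tab-separated line per domain:
#   <domain> <policy> COMPLIANT|NON_COMPLIANT[ remediation=<state>]
# Returns 0 when every domain is compliant, 1 otherwise.
audit_region() {
  region="$1"
  noncompliant=0
  for domain in $(aws es list-domain-names --region "$region" \
                    --query 'DomainNames[*].DomainName' --output text); do
    policy=$(domain_tls_policy "$region" "$domain") || policy="QUERY_FAILED"
    if is_compliant_policy "$policy"; then
      printf '%s\t%s\tCOMPLIANT\n' "$domain" "$policy"
    else
      noncompliant=$((noncompliant + 1))
      extra=""
      if [ "${FIX:-0}" = "1" ]; then
        extra=" remediation=$(remediate_domain "$region" "$domain")"
      fi
      printf '%s\t%s\tNON_COMPLIANT%s\n' "$domain" "$policy" "$extra"
    fi
  done
  [ "$noncompliant" -eq 0 ]
}
```

Source the file and run `audit_region <region>` once per region; exit status 1 means at least one domain still needs the update. Set FIX=1 only when you intend the configuration change, since the page's output shows the endpoint options entering the Processing state while it is applied.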

Publication date Sep 13, 2017