Skip to content

AWS Elasticsearch domains do not have EnforceHTTPS enabled

Description

Amazon Elasticsearch Service (Amazon ES) allows you to build applications without setting up and maintaining your own search celuster on Amazon EC2. Amazon ES allows you to configure your domains to require that all traffic be submitted over HTTPS. This ensures communications between your clients and your domain are encrypted.

We recommend you configure the minimum required TLS version to accept. This option is a useful additional security control to ensure your clients are not misconfigured.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon Elasticsearch console.
  3. Open a domain.
  4. Select Actions > Modify encryptions
  5. Select Require HTTPS for all traffic to the domain.
  6. Click Submit.

Fix - Buildtime

CloudFormation

Resource: AWS::Elasticsearch::Domain
Argument: Properties.DomainEndpointOptions.EnforceHTTPS

Resources:
  Resource0:
    Type: 'AWS::Elasticsearch::Domain'
    Properties:
        ...
      DomainEndpointOptions:
+       EnforceHTTPS: True