Ensure Elasticsearch Domain enforces HTTPS

ID

elasticsearch_domain_enforce_https

Severity

high

Vendor

AWS

Resource

Elasticsearch

Tags

reachable

Description

Domains are clusters with the settings, instance types, instance counts, and storage resources that you specify. Those domains can be configured to require that all traffic be submitted over HTTPS. This ensures communications between your clients and your domain are encrypted.

Enforcing HTTPS helps to prevent man-in-the-middle attacks.

Examples

CloudFormation

{
  "Resources": {
    "MyDomain": {
      "Type": "AWS::Elasticsearch::Domain"
    }
  }
}

MyDomain has no DomainEndpointOptions/EnforceHTTPS property, which means HTTPS is NOT being enforced.

Resources:
  MyDomain:
    Type: 'AWS::Elasticsearch::Domain'

MyDomain has no DomainEndpointOptions/EnforceHTTPS property, which means HTTPS is NOT being enforced.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "MyDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {
        "DomainEndpointOptions": {
          "EnforceHTTPS": true
        }
      }
    }
  }
}

EnforceHTTPS set to true means HTTPS is being enforced.

Resources:
  MyDomain:
    Type: 'AWS::Elasticsearch::Domain'
    Properties:
      DomainEndpointOptions:
        EnforceHTTPS: true

EnforceHTTPS set to true means HTTPS is being enforced.
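
The build-time check described above can be sketched as a small scanner for JSON CloudFormation templates. This is an added example, not the rule's own implementation. The names enforces_https and find_domains_without_https and the sample template are constructed for illustration. It assumes literal values only, so an intrinsic function such as Ref in EnforceHTTPS is reported because it cannot be resolved statically.

```python
import json

ES_DOMAIN_TYPE = "AWS::Elasticsearch::Domain"

def enforces_https(resource: dict) -> bool:
    """True only when DomainEndpointOptions.EnforceHTTPS is literally true."""
    props = resource.get("Properties")
    options = props.get("DomainEndpointOptions") if isinstance(props, dict) else None
    value = options.get("EnforceHTTPS") if isinstance(options, dict) else None
    if isinstance(value, str):  # assumption: accept the string form "true" as well
        return value.strip().lower() == "true"
    # A missing property, false, or an unresolved intrinsic (dict) all fail the check.
    return value is True

def find_domains_without_https(template_text: str) -> list:
    """Return sorted logical IDs of Elasticsearch domains that do not enforce HTTPS."""
    resources = json.loads(template_text).get("Resources") or {}
    return sorted(
        logical_id
        for logical_id, resource in resources.items()
        if isinstance(resource, dict)
        and resource.get("Type") == ES_DOMAIN_TYPE
        and not enforces_https(resource)
    )

# Constructed sample template: names and values are made up for this example.
SAMPLE_TEMPLATE = """
{
  "Parameters": {"UseTls": {"Type": "String", "Default": "true"}},
  "Resources": {
    "NoOptions":  {"Type": "AWS::Elasticsearch::Domain"},
    "Enforced":   {"Type": "AWS::Elasticsearch::Domain",
                   "Properties": {"DomainEndpointOptions": {"EnforceHTTPS": true}}},
    "Disabled":   {"Type": "AWS::Elasticsearch::Domain",
                   "Properties": {"DomainEndpointOptions": {"EnforceHTTPS": false}}},
    "Unresolved": {"Type": "AWS::Elasticsearch::Domain",
                   "Properties": {"DomainEndpointOptions": {"EnforceHTTPS": {"Ref": "UseTls"}}}},
    "Bucket":     {"Type": "AWS::S3::Bucket"}
  }
}
"""

if __name__ == "__main__":
    for logical_id in find_domains_without_https(SAMPLE_TEMPLATE):
        print(f"{logical_id}: HTTPS is not enforced")
```
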

Runtime

AWS Console

To change the policy, go to the AWS Management Console:

  • Open the AWS ES console.

  • Select your desired domain.

  • Select Actions > Modify encryptions.

  • Select Require HTTPS for all traffic to the domain.

  • Click Submit.