AWS Config Rule: OpenSearch HTTPS Required

OPENSEARCH_HTTPS_REQUIRED

Ryan Ware

Last Update a month ago

Description: Checks whether connections to OpenSearch domains are using HTTPS. The rule is NON_COMPLIANT if the Amazon OpenSearch domain 'EnforceHTTPS' is not 'true' or is 'true' and 'TLSSecurityPolicy' is not in 'tlsPolicies'.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except China (Beijing), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Europe (Spain), China (Ningxia), Europe (Zurich) Region


How to Resolve Manually

Note: If you have Fine-Grained Access Control enabled for your OpenSearch Domain, you won't need to worry about this AWS Config Rule, as the enforcement of HTTPS connections is on by default and cannot be changed.


If you do not have this enabled for your OpenSearch Domain, you will need to review the Encryption Settings for your chosen OpenSearch Domain.

In the above configuration example, we can see that HTTPS-only traffic is enabled and that node-to-node TLS encryption is also enabled.


Ensure that these are set for your OpenSearch Domain and you will be COMPLIANT with this AWS Config Rule.
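The rule logic from the description can be checked offline against a saved domain description before AWS Config reports on it. The following is an added example, not StackZone or AWS code: the domain names are constructed, the dictionaries mirror the `DomainStatus` object returned by `aws opensearch describe-domain`, and treating an empty `tlsPolicies` parameter as "no policy restriction" is an assumption.

```python
# Constructed samples shaped like the "DomainStatus" object returned by
# `aws opensearch describe-domain --domain-name <name>`; names are made up.
TLS10 = "Policy-Min-TLS-1-0-2019-07"
TLS12 = "Policy-Min-TLS-1-2-2019-07"
SAMPLE_DOMAINS = [
    {"DomainName": "logs-prod",
     "DomainEndpointOptions": {"EnforceHTTPS": True, "TLSSecurityPolicy": TLS12},
     "NodeToNodeEncryptionOptions": {"Enabled": True}},
    {"DomainName": "logs-legacy",
     "DomainEndpointOptions": {"EnforceHTTPS": True, "TLSSecurityPolicy": TLS10},
     "NodeToNodeEncryptionOptions": {"Enabled": True}},
    {"DomainName": "search-dev",
     "DomainEndpointOptions": {"EnforceHTTPS": False, "TLSSecurityPolicy": TLS12},
     "NodeToNodeEncryptionOptions": {"Enabled": False}},
    {"DomainName": "search-old"},  # no endpoint options recorded at all
]


def parse_tls_policies(param):
    """Turn the rule's comma-separated tlsPolicies parameter into a set."""
    return {p.strip() for p in (param or "").split(",") if p.strip()}


def evaluate_domain(domain, tls_policies=""):
    """Return (compliance, reason) following the rule description."""
    opts = domain.get("DomainEndpointOptions") or {}
    if opts.get("EnforceHTTPS") is not True:
        return "NON_COMPLIANT", "EnforceHTTPS is not true"
    allowed = parse_tls_policies(tls_policies)
    policy = opts.get("TLSSecurityPolicy")
    # Assumption: an empty tlsPolicies parameter means no policy restriction.
    if allowed and policy not in allowed:
        return "NON_COMPLIANT", f"TLSSecurityPolicy {policy} not in tlsPolicies"
    return "COMPLIANT", "HTTPS enforced with an accepted TLS policy"


def node_to_node_warnings(domains):
    """Names of domains without node-to-node encryption (not part of the rule)."""
    return [d["DomainName"] for d in domains
            if not (d.get("NodeToNodeEncryptionOptions") or {}).get("Enabled")]


def report(domains, tls_policies=""):
    return {d["DomainName"]: evaluate_domain(d, tls_policies)[0] for d in domains}


if __name__ == "__main__":
    for name, status in report(SAMPLE_DOMAINS, TLS12).items():
        print(f"{name}: {status}")
    print("node-to-node encryption off:", node_to_node_warnings(SAMPLE_DOMAINS))
```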


How to resolve with StackZone

StackZone can remediate this AWS Config Rule for you by automatically enabling the 'Require HTTPS for all traffic to the domain' option in the OpenSearch Cluster.


To enable this remediation, head on over to Provisioning > Baseline Services > AWS Config Rules Regional > PCI-DSS and enable OpenSearch HTTPS Required Remediation.

