AWS Elasticsearch domain is not configured with HTTPS
Description
This policy identifies Elasticsearch domains that are not configured to require HTTPS. Amazon Elasticsearch (and OpenSearch) domains can be configured so that the domain endpoint accepts traffic only over HTTPS, which ensures every connection between the application and the domain is encrypted in transit. Enforce HTTPS so that all client and data-access traffic to the domain travels over an encrypted channel; this prevents credentials, queries and index data from being read or altered by a man-in-the-middle on the network path.
Code Example

```hcl
resource "aws_elasticsearch_domain" "example" {
  domain_name = "example-domain"

  domain_endpoint_options {
    enforce_https = true # require HTTPS on the domain endpoint
  }
}
```

Remediation
Terraform
- Resource: aws_elasticsearch_domain, aws_opensearch_domain
- Arguments: domain_endpoint_options
To fix this issue, ensure that your Elasticsearch or OpenSearch domain enforces HTTPS by setting `enforce_https = true` inside the `domain_endpoint_options` block, as in the code example above. The same block and argument apply to both `aws_elasticsearch_domain` and `aws_opensearch_domain`; set it explicitly rather than relying on a provider default, since the check looks for the value in the configuration and a domain with no `domain_endpoint_options` block is reported.
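The policy is listed as supporting CloudFormation and Terraform plan input as well as raw Terraform. The following is an added example, not the policy engine's or Checkov's own code: a small stand-alone re-implementation of the CKV_AWS_83 logic that walks the JSON produced by `terraform show -json tfplan` (including child modules) and a parsed CloudFormation template, and reports every domain whose endpoint options do not enforce HTTPS. A domain with no endpoint options block at all is reported too, matching the policy's intent that the setting be explicit. The plan and template below are constructed sample inputs for this example; the resource types checked are the real Terraform and CloudFormation type names.

```python
"""Flag Elasticsearch/OpenSearch domains that do not enforce HTTPS.

Added example (not the policy engine's own code): a minimal re-implementation
of the CKV_AWS_83 logic over two inputs a practitioner already has on hand,
the JSON from `terraform show -json tfplan` and a parsed CloudFormation
template. All sample inputs below are constructed for this example.
"""
import json

TF_TYPES = {"aws_elasticsearch_domain", "aws_opensearch_domain"}
CFN_TYPES = {"AWS::Elasticsearch::Domain", "AWS::OpenSearchService::Domain"}


def _is_true(value):
    # Plan JSON carries booleans; templates may carry "true" as a string.
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def _walk_modules(module):
    """Yield resources from a plan module and all of its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def check_terraform_plan(plan):
    """Return addresses of domains that do not set enforce_https = true.

    A missing domain_endpoint_options block is reported as well: the policy
    wants the setting explicit, not inherited from a provider default."""
    failing = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _walk_modules(root):
        if res.get("type") not in TF_TYPES:
            continue
        # Nested blocks are rendered as a list of objects in plan JSON.
        opts = res.get("values", {}).get("domain_endpoint_options") or []
        enforced = bool(opts) and _is_true(opts[0].get("enforce_https"))
        if not enforced:
            failing.append(res["address"])
    return failing


def check_cloudformation(template):
    """Return logical IDs of domains lacking DomainEndpointOptions.EnforceHTTPS: true."""
    failing = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in CFN_TYPES:
            continue
        opts = res.get("Properties", {}).get("DomainEndpointOptions") or {}
        if not _is_true(opts.get("EnforceHTTPS", False)):
            failing.append(logical_id)
    return failing


# Constructed sample plan JSON: one compliant domain, one with the option
# disabled, one with no block at all, and a compliant one in a child module.
SAMPLE_PLAN = json.loads("""
{
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_elasticsearch_domain.good", "type": "aws_elasticsearch_domain",
         "values": {"domain_name": "good", "domain_endpoint_options": [{"enforce_https": true}]}},
        {"address": "aws_opensearch_domain.disabled", "type": "aws_opensearch_domain",
         "values": {"domain_name": "disabled", "domain_endpoint_options": [{"enforce_https": false}]}},
        {"address": "aws_elasticsearch_domain.missing", "type": "aws_elasticsearch_domain",
         "values": {"domain_name": "missing"}}
      ],
      "child_modules": [
        {"address": "module.search",
         "resources": [
           {"address": "module.search.aws_opensearch_domain.child", "type": "aws_opensearch_domain",
            "values": {"domain_name": "child", "domain_endpoint_options": [{"enforce_https": true}]}}
         ]}
      ]
    }
  }
}
""")

# Constructed sample CloudFormation template, as the dict a YAML/JSON loader yields.
SAMPLE_TEMPLATE = {
    "Resources": {
        "GoodDomain": {"Type": "AWS::OpenSearchService::Domain",
                       "Properties": {"DomainEndpointOptions": {"EnforceHTTPS": True}}},
        "PlainDomain": {"Type": "AWS::Elasticsearch::Domain",
                        "Properties": {"DomainEndpointOptions": {"EnforceHTTPS": False}}},
        "NoOptions": {"Type": "AWS::Elasticsearch::Domain", "Properties": {}},
        "Bucket": {"Type": "AWS::S3::Bucket"},  # unrelated type, ignored
    }
}

if __name__ == "__main__":
    print("Terraform domains failing CKV_AWS_83:", check_terraform_plan(SAMPLE_PLAN))
    print("CloudFormation domains failing CKV_AWS_83:", check_cloudformation(SAMPLE_TEMPLATE))
```

Run against a real plan with `terraform show -json tfplan > plan.json` and pass the loaded dict to `check_terraform_plan`; any address it returns needs `enforce_https = true` added to its `domain_endpoint_options` block.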
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0136 |
| Severity | MEDIUM |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_83 |