Connections to Elasticsearch domains should be encrypted using TLS 1.2¶

This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.

How to fix¶

Attribute domain_endpoint_options[0].tls_security_policy of aws_elasticsearch_domain must be "Policy-Min-TLS-1-2-2019-07".

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_elasticsearch_domain.

resource "aws_elasticsearch_domain" "this" {
  advanced_security_options {
    enabled                        = true
    internal_user_database_enabled = true

    master_user_options {
      master_user_name     = "admin"
      master_user_password = "ChangeMe123!"
    }
  }

  cognito_options {
    enabled          = true
    identity_pool_id = "us-east-1:12345678-1234-1234-1234-123456789012"
    role_arn         = "arn:aws:iam::123456789012:role/CognitoAccessForAmazonES"
    user_pool_id     = "us-east-1_Example"
  }

  domain_name = "pofix-example"

  log_publishing_options {
    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/elasticsearch/domains/example"
    log_type                 = "AUDIT_LOGS"
  }

  vpc_options {
    subnet_ids = ["subnet-12345abc"]
  }

  domain_endpoint_options {
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: es_domain_encrypted_using_tls_1_2

• Checkov Check: CKV_AWS_228

• Powerpipe Control: aws_compliance.control.es_domain_encrypted_using_tls_1_2