OpenSearch domains should use HTTPS
OpenSearch domains often store sensitive application logs, user activity data, and business analytics. Allowing unencrypted HTTP connections exposes query payloads, index contents, and authentication credentials to network-level interception. This risk is especially acute in shared VPC environments or when domains have public endpoints.
Enforcing HTTPS with TLS 1.2 or higher eliminates downgrade attacks and ensures data in transit between clients and the OpenSearch endpoint cannot be read or tampered with. Older TLS versions (1.0, 1.1) have known vulnerabilities like BEAST and POODLE that make them unsuitable for production workloads.
Retrofit consideration
Enabling enforce_https on an existing domain triggers a blue/green deployment. Clients using HTTP URLs will break immediately. Verify all application connection strings use HTTPS before applying.
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
module "opensearch" {
source = "pcidss.compliance.tf/terraform-aws-modules/opensearch/aws"
version = ">=2.0.0,<3.0.0"
advanced_security_options = {
enabled = true
internal_user_database_enabled = true
master_user_options = {
master_user_name = "admin"
master_user_password = "P0fix-Test-2026!"
}
}
auto_tune_options = {
desired_state = "DISABLED"
}
cluster_config = {
dedicated_master_enabled = false
instance_count = 1
instance_type = "t3.small.search"
zone_awareness_enabled = false
}
domain_endpoint_options = {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
}
domain_name = "abc123"
ebs_options = {
ebs_enabled = true
volume_size = 20
volume_type = "gp3"
}
engine_version = "OpenSearch_2.11"
}
module "opensearch" {
source = "hipaa.compliance.tf/terraform-aws-modules/opensearch/aws"
version = ">=2.0.0,<3.0.0"
advanced_security_options = {
enabled = true
internal_user_database_enabled = true
master_user_options = {
master_user_name = "admin"
master_user_password = "P0fix-Test-2026!"
}
}
auto_tune_options = {
desired_state = "DISABLED"
}
cluster_config = {
dedicated_master_enabled = false
instance_count = 1
instance_type = "t3.small.search"
zone_awareness_enabled = false
}
domain_endpoint_options = {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
}
domain_name = "abc123"
ebs_options = {
ebs_enabled = true
volume_size = 20
volume_type = "gp3"
}
engine_version = "OpenSearch_2.11"
}
module "opensearch" {
source = "eugmpannex11.compliance.tf/terraform-aws-modules/opensearch/aws"
version = ">=2.0.0,<3.0.0"
advanced_security_options = {
enabled = true
internal_user_database_enabled = true
master_user_options = {
master_user_name = "admin"
master_user_password = "P0fix-Test-2026!"
}
}
auto_tune_options = {
desired_state = "DISABLED"
}
cluster_config = {
dedicated_master_enabled = false
instance_count = 1
instance_type = "t3.small.search"
zone_awareness_enabled = false
}
domain_endpoint_options = {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
}
domain_name = "abc123"
ebs_options = {
ebs_enabled = true
volume_size = 20
volume_type = "gp3"
}
engine_version = "OpenSearch_2.11"
}
module "opensearch" {
source = "cfrpart11.compliance.tf/terraform-aws-modules/opensearch/aws"
version = ">=2.0.0,<3.0.0"
advanced_security_options = {
enabled = true
internal_user_database_enabled = true
master_user_options = {
master_user_name = "admin"
master_user_password = "P0fix-Test-2026!"
}
}
auto_tune_options = {
desired_state = "DISABLED"
}
cluster_config = {
dedicated_master_enabled = false
instance_count = 1
instance_type = "t3.small.search"
zone_awareness_enabled = false
}
domain_endpoint_options = {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
}
domain_name = "abc123"
ebs_options = {
ebs_enabled = true
volume_size = 20
volume_type = "gp3"
}
engine_version = "OpenSearch_2.11"
}
module "opensearch" {
source = "rbiitfnbfc.compliance.tf/terraform-aws-modules/opensearch/aws"
version = ">=2.0.0,<3.0.0"
advanced_security_options = {
enabled = true
internal_user_database_enabled = true
master_user_options = {
master_user_name = "admin"
master_user_password = "P0fix-Test-2026!"
}
}
auto_tune_options = {
desired_state = "DISABLED"
}
cluster_config = {
dedicated_master_enabled = false
instance_count = 1
instance_type = "t3.small.search"
zone_awareness_enabled = false
}
domain_endpoint_options = {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
}
domain_name = "abc123"
ebs_options = {
ebs_enabled = true
volume_size = 20
volume_type = "gp3"
}
engine_version = "OpenSearch_2.11"
}
module "opensearch" {
source = "hipaasecurity2003.compliance.tf/terraform-aws-modules/opensearch/aws"
version = ">=2.0.0,<3.0.0"
advanced_security_options = {
enabled = true
internal_user_database_enabled = true
master_user_options = {
master_user_name = "admin"
master_user_password = "P0fix-Test-2026!"
}
}
auto_tune_options = {
desired_state = "DISABLED"
}
cluster_config = {
dedicated_master_enabled = false
instance_count = 1
instance_type = "t3.small.search"
zone_awareness_enabled = false
}
domain_endpoint_options = {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
}
domain_name = "abc123"
ebs_options = {
ebs_enabled = true
volume_size = 20
volume_type = "gp3"
}
engine_version = "OpenSearch_2.11"
}
module "opensearch" {
source = "nistcsfv11.compliance.tf/terraform-aws-modules/opensearch/aws"
version = ">=2.0.0,<3.0.0"
advanced_security_options = {
enabled = true
internal_user_database_enabled = true
master_user_options = {
master_user_name = "admin"
master_user_password = "P0fix-Test-2026!"
}
}
auto_tune_options = {
desired_state = "DISABLED"
}
cluster_config = {
dedicated_master_enabled = false
instance_count = 1
instance_type = "t3.small.search"
zone_awareness_enabled = false
}
domain_endpoint_options = {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
}
domain_name = "abc123"
ebs_options = {
ebs_enabled = true
volume_size = 20
volume_type = "gp3"
}
engine_version = "OpenSearch_2.11"
}
module "opensearch" {
source = "pcidssv321.compliance.tf/terraform-aws-modules/opensearch/aws"
version = ">=2.0.0,<3.0.0"
advanced_security_options = {
enabled = true
internal_user_database_enabled = true
master_user_options = {
master_user_name = "admin"
master_user_password = "P0fix-Test-2026!"
}
}
auto_tune_options = {
desired_state = "DISABLED"
}
cluster_config = {
dedicated_master_enabled = false
instance_count = 1
instance_type = "t3.small.search"
zone_awareness_enabled = false
}
domain_endpoint_options = {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
}
domain_name = "abc123"
ebs_options = {
ebs_enabled = true
volume_size = 20
volume_type = "gp3"
}
engine_version = "OpenSearch_2.11"
}
If you use terraform-aws-modules/opensearch/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "opensearch" {
source = "terraform-aws-modules/opensearch/aws"
version = ">=2.0.0,<3.0.0"
advanced_security_options = {
enabled = true
internal_user_database_enabled = true
master_user_options = {
master_user_name = "admin"
master_user_password = "P0fix-Test-2026!"
}
}
auto_tune_options = {
desired_state = "DISABLED"
}
cluster_config = {
dedicated_master_enabled = false
instance_count = 1
instance_type = "t3.small.search"
zone_awareness_enabled = false
}
domain_name = "abc123"
ebs_options = {
ebs_enabled = true
volume_size = 20
volume_type = "gp3"
}
engine_version = "OpenSearch_2.11"
domain_endpoint_options = {
enforce_https = true
}
}
Use AWS provider resources directly. See docs for the resources involved: aws_opensearch_domain.
resource "aws_opensearch_domain" "this" {
advanced_security_options {
enabled = true
internal_user_database_enabled = true
master_user_options {
master_user_name = "admin"
master_user_password = "ChangeMe123!"
}
}
auto_tune_options {
desired_state = "DISABLED"
}
cluster_config {
instance_count = 1
instance_type = "t3.small.search"
zone_awareness_enabled = false
}
cognito_options {
enabled = true
identity_pool_id = "us-east-1:12345678-1234-1234-1234-123456789012"
role_arn = "arn:aws:iam::123456789012:role/example-role"
user_pool_id = "us-east-1_AbCdEfGhI"
}
domain_name = "pofix-abc123"
ebs_options {
ebs_enabled = true
volume_size = 10
volume_type = "gp3"
}
encrypt_at_rest {
enabled = true
}
engine_version = "OpenSearch_2.11"
log_publishing_options {
cloudwatch_log_group_arn = local.es_log_group_arn
log_type = "AUDIT_LOGS"
}
log_publishing_options {
cloudwatch_log_group_arn = local.es_log_group_arn
log_type = "ES_APPLICATION_LOGS"
}
log_publishing_options {
cloudwatch_log_group_arn = local.es_log_group_arn
log_type = "SEARCH_SLOW_LOGS"
}
log_publishing_options {
cloudwatch_log_group_arn = local.es_log_group_arn
log_type = "INDEX_SLOW_LOGS"
}
node_to_node_encryption {
enabled = true
}
vpc_options {
security_group_ids = ["sg-12345678"]
subnet_ids = ["subnet-12345678"]
}
domain_endpoint_options {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
}
}
What this control checks
The domain_endpoint_options block in aws_opensearch_domain must set enforce_https to true and tls_security_policy to a policy requiring TLS 1.2 or higher, such as Policy-Min-TLS-1-2-2019-07 or Policy-Min-TLS-1-2-PFS-2023-10. Omitting enforce_https is treated as non-compliant; it must be set explicitly. Setting enforce_https = true while leaving tls_security_policy unset, or pointing it at a policy that permits TLS 1.0 (e.g., Policy-Min-TLS-1-0-2019-07), also fails. Both attributes must be present and correct in domain_endpoint_options to pass.
Common pitfalls
Default TLS policy allows TLS 1.0
Setting
enforce_https = truewithout specifyingtls_security_policyis a silent compliance gap. The domain may fall back to a policy that permits TLS 1.0. Always settls_security_policy = "Policy-Min-TLS-1-2-2019-07"or newer explicitly.Blue/green deployment on existing domains
Changing
enforce_httpsortls_security_policyon a runningaws_opensearch_domaintriggers a blue/green deployment. Depending on cluster size, this can take 15 to 60 minutes. Plan a maintenance window and watch cluster health throughout the update.Legacy aws_elasticsearch_domain resource
Use
aws_opensearch_domain, notaws_elasticsearch_domain, for OpenSearch clusters. The samedomain_endpoint_optionsblock applies to both, but policy checks targeting the OpenSearch resource type won't pick up the legacy resource. Migrate when possible.Custom endpoint certificates require HTTPS
Custom endpoints require
enforce_https = trueto function at all, but a clean Terraform plan doesn't mean TLS is working end-to-end. Ifcustom_endpoint_certificate_arnpoints to an expired or mismatched ACM certificate, TLS handshakes fail at the client even though this control shows as passing.
Audit evidence
The opensearch-https-required AWS Config managed rule should return COMPLIANT for all in-scope domains. Supporting evidence includes the Security configuration tab in the OpenSearch console, or aws opensearch describe-domain --domain-name <name> output confirming DomainEndpointOptions.EnforceHTTPS is true and DomainEndpointOptions.TLSSecurityPolicy is set to an approved policy.
Security Hub findings filtered to this control give auditors timestamped pass/fail records. CloudTrail UpdateDomainConfig entries show when HTTPS enforcement was enabled and who made the change.
Framework-specific interpretation
PCI DSS v4.0: TLS 1.0 and 1.1 are explicitly prohibited under PCI DSS v4.0. Requirement 4.2 mandates strong cryptography for cardholder data crossing open, public networks, and the minimum acceptable floor is TLS 1.2. OpenSearch domains in the CDE need HTTPS enforced with a compliant TLS policy to meet that bar.
HIPAA Omnibus Rule 2013: 45 CFR 164.312(e)(1) requires covered entities to guard against unauthorized access to ePHI transmitted over electronic networks. Any OpenSearch domain that ingests or indexes ePHI must enforce HTTPS. Allowing plaintext HTTP on such a domain is a direct gap against the transmission security standard.
Related controls
Elasticsearch domains should require TLS 1.2 for connections
ELB application and network load balancer listeners should use secure protocols
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control:
opensearch_domain_https_requiredAWS Config Managed Rule:
OPENSEARCH_HTTPS_REQUIREDCheckov Check:
CKV_AWS_83Powerpipe Control:
aws_compliance.control.opensearch_domain_https_requiredProwler Check:
opensearch_service_domains_https_communications_enforcedAWS Security Hub Control:
Opensearch.8KICS Query:
2e9e0729-66d5-4148-9d39-5e6fb4bf2a4eTrivy Check:
AWS-0046
Last reviewed: 2026-03-09