Enforce Https | Vulnerability Database

Elasticsearch doesn’t enforce HTTPS traffic.

Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth. You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.

Impact

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Enforce the use of HTTPS for ElasticSearch

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23


Resources:
  GoodExample:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainEndpointOptions:
        EnforceHTTPS: true
      DomainName: test
      EBSOptions:
        EBSEnabled: true
        Iops: "0"
        VolumeSize: "20"
        VolumeType: gp2
      ElasticsearchClusterConfig:
        DedicatedMasterCount: "3"
        DedicatedMasterEnabled: true
        DedicatedMasterType: m3.medium.elasticsearch
        InstanceCount: "2"
        InstanceType: m3.medium.elasticsearch
        ZoneAwarenessEnabled: true
      ElasticsearchVersion: "7.10"
      EncryptionAtRestOptions:
        Enabled: true
        KmsKeyId: alias/kmskey

Enforce the use of HTTPS for ElasticSearch

1
2
3
4
5
6
7


resource "aws_elasticsearch_domain" "good_example" {
  domain_name = "domain-foo"

  domain_endpoint_options {
    enforce_https = true
  }
}

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#enforce_https