Elasticsearch domain endpoint is using an outdated TLS policy.
Do not use outdated or insecure TLS versions for encryption in transit. The domain endpoint should require TLS v1.2 or later.
Impact
Outdated SSL/TLS policies allow clients to negotiate protocol versions with known vulnerabilities, increasing exposure of data in transit.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Use the most modern TLS/SSL policies available (CloudFormation example)
Resources:
  GoodExample:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: 'test'
      ElasticsearchVersion: '7.10'
      DomainEndpointOptions:
        # Require TLS 1.2 or later on the domain endpoint
        TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
      EncryptionAtRestOptions:
        Enabled: true
        KmsKeyId: alias/kmskey
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: true
        InstanceCount: '2'
        ZoneAwarenessEnabled: true
        InstanceType: 'm3.medium.elasticsearch'
        DedicatedMasterType: 'm3.medium.elasticsearch'
        DedicatedMasterCount: '3'
      EBSOptions:
        EBSEnabled: true
        Iops: '0'
        VolumeSize: '20'
        VolumeType: 'gp2'
Use the most modern TLS/SSL policies available (Terraform example)
resource "aws_elasticsearch_domain" "good_example" {
  domain_name = "domain-foo"

  domain_endpoint_options {
    # Reject plaintext HTTP and require TLS 1.2 or later
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }
}
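To show how the remediation above can be verified before deployment, here is an added example (not part of this page and not the scanner's own check logic) that audits a CloudFormation template, already parsed into a Python dict, for Elasticsearch/OpenSearch domains whose endpoint permits TLS versions below 1.2. It also reports domains that do not set EnforceHTTPS, since a TLS policy is irrelevant when plaintext HTTP is still accepted. The policy name Policy-Min-TLS-1-2-2019-07 comes from the page; Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-PFS-2023-10 are real AWS policy names used here as the outdated and the stricter alternative. The sample template, the function names and the assumption that a missing policy should be treated as failing are my own.

```python
"""Audit CloudFormation templates for Elasticsearch/OpenSearch domains with weak TLS settings.

Added example: the template below is constructed for illustration, and the
check functions are not the scanner's own implementation.
"""
from dataclasses import dataclass

# Policies the audit accepts. Policy-Min-TLS-1-2-2019-07 is the value shown on
# the page; Policy-Min-TLS-1-2-PFS-2023-10 additionally requires forward secrecy.
MODERN_TLS_POLICIES = {
    "Policy-Min-TLS-1-2-2019-07",
    "Policy-Min-TLS-1-2-PFS-2023-10",
}

# Both the legacy and the current resource type expose DomainEndpointOptions.
DOMAIN_TYPES = {"AWS::Elasticsearch::Domain", "AWS::OpenSearchService::Domain"}


@dataclass
class Finding:
    resource: str
    message: str


def check_domain(name, resource):
    """Return findings for one domain resource (empty list when it passes)."""
    findings = []
    props = resource.get("Properties") or {}
    opts = props.get("DomainEndpointOptions") or {}
    policy = opts.get("TLSSecurityPolicy")

    if policy is None:
        # Assumption: an unset policy falls back to the service default, which
        # the template cannot prove is TLS 1.2+, so it is reported as a finding.
        findings.append(Finding(name, "TLSSecurityPolicy not set; endpoint may accept TLS 1.0"))
    elif policy not in MODERN_TLS_POLICIES:
        findings.append(Finding(name, f"TLSSecurityPolicy {policy!r} permits TLS versions below 1.2"))

    if opts.get("EnforceHTTPS") is not True:
        findings.append(Finding(name, "EnforceHTTPS is not true; plaintext HTTP is accepted regardless of TLS policy"))
    return findings


def audit_template(template):
    """Walk every resource in a parsed CloudFormation template and collect findings."""
    findings = []
    for name, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") in DOMAIN_TYPES:
            findings.extend(check_domain(name, resource))
    return findings


# Constructed sample template: one compliant domain, one with an outdated
# policy and HTTP allowed, and one that never sets endpoint options at all.
SAMPLE_TEMPLATE = {
    "Resources": {
        "GoodExample": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "DomainName": "test",
                "DomainEndpointOptions": {
                    "EnforceHTTPS": True,
                    "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07",
                },
            },
        },
        "BadExample": {
            "Type": "AWS::OpenSearchService::Domain",
            "Properties": {
                "DomainName": "legacy",
                "DomainEndpointOptions": {
                    "EnforceHTTPS": False,
                    "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",
                },
            },
        },
        "UnsetExample": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {"DomainName": "defaults"},
        },
    }
}


if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print(f"{finding.resource}: {finding.message}")
```

Running the script reports two findings for BadExample and two for UnsetExample and none for GoodExample. Note that the CloudFormation snippet on this page sets only TLSSecurityPolicy; adding EnforceHTTPS: true, as the Terraform snippet does with enforce_https, is what actually closes off unencrypted access.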
Links