OpenSearch Domain Has HTTPS Enforcement Enabled
Overview
This check verifies that your Amazon OpenSearch Service domains require HTTPS for all incoming traffic. When HTTPS is not enforced, data can travel over unencrypted HTTP connections, exposing it to potential interception.
Risk
Without HTTPS enforcement, sensitive data sent to and from your OpenSearch domain travels in plain text. This includes:
- Search queries and results - May contain confidential business data
- Authentication credentials - Usernames, passwords, or API keys
- Session tokens - Could allow attackers to hijack user sessions
Attackers on the same network could intercept this traffic, steal credentials, or modify requests and responses without detection.
Severity: High
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify OpenSearch domains, OR
- AWS CLI installed and configured with appropriate credentials
Required IAM permissions
You need the following IAM permissions:
- es:UpdateDomainConfig
- es:DescribeDomain (for verification)
Example IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "es:UpdateDomainConfig",
        "es:DescribeDomain"
      ],
      "Resource": "arn:aws:es:us-east-1:*:domain/*"
    }
  ]
}
AWS Console Method
- Open the Amazon OpenSearch Service console
- In the left navigation, click Domains
- Click on the domain name that needs remediation
- Click Actions in the top right, then select Edit security configuration
- Under Domain endpoint options, check the box for Require HTTPS for all traffic to the domain
- (Recommended) Set TLS security policy to Policy-Min-TLS-1-2-2019-07 or newer
- Click Save changes
Note: Changes may take 15-30 minutes to apply. The domain status will show "Processing" during this time.
AWS CLI (optional)
Run the following command to enable HTTPS enforcement:
aws opensearch update-domain-config \
--domain-name <your-domain-name> \
--domain-endpoint-options "EnforceHTTPS=true,TLSSecurityPolicy=Policy-Min-TLS-1-2-2019-07" \
--region us-east-1
Replace <your-domain-name> with your actual OpenSearch domain name.
Example:
aws opensearch update-domain-config \
--domain-name my-search-domain \
--domain-endpoint-options "EnforceHTTPS=true,TLSSecurityPolicy=Policy-Min-TLS-1-2-2019-07" \
--region us-east-1
To verify the change was applied:
aws opensearch describe-domain \
--domain-name <your-domain-name> \
--region us-east-1 \
--query "DomainStatus.DomainEndpointOptions"
Expected output:
{
  "EnforceHTTPS": true,
  "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
}
CloudFormation (optional)
Use the following CloudFormation template to create an OpenSearch domain with HTTPS enforcement enabled:
AWSTemplateFormatVersion: '2010-09-09'
Description: OpenSearch domain with HTTPS enforcement enabled
Parameters:
  DomainName:
    Type: String
    Description: Name of the OpenSearch domain
    Default: my-opensearch-domain
    AllowedPattern: '[a-z][a-z0-9-]+'
    MinLength: 3
    MaxLength: 28
Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: !Ref DomainName
      EngineVersion: OpenSearch_2.11
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: 1
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp3
        VolumeSize: 10
      DomainEndpointOptions:
        EnforceHTTPS: true
        TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
      EncryptionAtRestOptions:
        Enabled: true
      NodeToNodeEncryptionOptions:
        Enabled: true
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'es:*'
            Resource: !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*'
Outputs:
  DomainEndpoint:
    Description: The HTTPS endpoint for the OpenSearch domain
    Value: !GetAtt OpenSearchDomain.DomainEndpoint
  DomainArn:
    Description: The ARN of the OpenSearch domain
    Value: !GetAtt OpenSearchDomain.Arn
To update an existing domain, add or modify the DomainEndpointOptions block in your existing CloudFormation template:
DomainEndpointOptions:
  EnforceHTTPS: true
  TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
Terraform (optional)
Use the following Terraform configuration to create an OpenSearch domain with HTTPS enforcement:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "domain_name" {
  description = "Name of the OpenSearch domain"
  type        = string
  default     = "my-opensearch-domain"
}

resource "aws_opensearch_domain" "example" {
  domain_name    = var.domain_name
  engine_version = "OpenSearch_2.11"

  cluster_config {
    instance_type  = "t3.small.search"
    instance_count = 1
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "gp3"
    volume_size = 10
  }

  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  encrypt_at_rest {
    enabled = true
  }

  node_to_node_encryption {
    enabled = true
  }

  tags = {
    Environment = "production"
  }
}

output "domain_endpoint" {
  description = "The HTTPS endpoint for the OpenSearch domain"
  value       = aws_opensearch_domain.example.endpoint
}

output "domain_arn" {
  description = "The ARN of the OpenSearch domain"
  value       = aws_opensearch_domain.example.arn
}
To update an existing domain, add or modify the domain_endpoint_options block:
domain_endpoint_options {
  enforce_https       = true
  tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
}
Verification
After applying the changes, verify HTTPS is enforced:
- In the AWS Console, navigate to your OpenSearch domain
- Under the General information tab, check that Require HTTPS shows Yes
- Verify the TLS security policy shows your selected policy (e.g., Policy-Min-TLS-1-2-2019-07)
CLI verification
aws opensearch describe-domain \
--domain-name <your-domain-name> \
--region us-east-1 \
--query "DomainStatus.DomainEndpointOptions.{EnforceHTTPS:EnforceHTTPS,TLSPolicy:TLSSecurityPolicy}"
Expected output:
{
"EnforceHTTPS": true,
"TLSPolicy": "Policy-Min-TLS-1-2-2019-07"
}
You can also test by attempting an HTTP connection (should fail):
curl -v http://<domain-endpoint>/_cluster/health
And verifying HTTPS works:
curl -v https://<domain-endpoint>/_cluster/health
Additional Resources
- Amazon OpenSearch Service Domain Configuration
- Security in Amazon OpenSearch Service
- AWS::OpenSearchService::Domain (CloudFormation)
- aws_opensearch_domain (Terraform)
Notes
- Update time: Enabling HTTPS enforcement triggers a domain update that can take 15-30 minutes. During this time, the domain remains available but configuration changes are locked.
- Client updates required: After enabling HTTPS enforcement, all clients connecting to the domain must use HTTPS URLs. Update any applications, scripts, or integrations that connect via HTTP.
- TLS policy selection: Choose Policy-Min-TLS-1-2-2019-07 or Policy-Min-TLS-1-2-PFS-2023-10 for best security. Only use Policy-Min-TLS-1-0-2019-07 if you have legacy clients that cannot support TLS 1.2+.
- Additional security: Consider enabling node-to-node encryption and encryption at rest for comprehensive data protection.
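The CLI verification above checks one domain at a time. The following script is an added example, not part of this guide, that applies the same check (EnforceHTTPS true and a TLS policy from the recommended set in the Notes) across every domain in a region, reports which ones fail and why, and builds the update-domain-config request the CLI example issues. The evaluation functions run offline on constructed describe-domain responses; only audit_live() assumes boto3 and AWS credentials, and the domain names in the samples are invented.

```python
"""Audit OpenSearch DomainEndpointOptions for HTTPS enforcement and TLS policy.

Added example (not part of the original guide). The pure functions run offline on
constructed describe-domain responses; audit_live() is the only part that needs
boto3 and AWS credentials (assumption: the boto3 "opensearch" client is available).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policies the guide's Notes recommend; anything else (including the legacy
# Policy-Min-TLS-1-0-2019-07) is flagged because it permits TLS below 1.2.
RECOMMENDED_TLS_POLICIES = frozenset({
    "Policy-Min-TLS-1-2-2019-07",
    "Policy-Min-TLS-1-2-PFS-2023-10",
})
TARGET_TLS_POLICY = "Policy-Min-TLS-1-2-2019-07"  # the policy the guide's CLI example sets


@dataclass(frozen=True)
class Finding:
    domain_name: str
    enforce_https: bool
    tls_policy: str
    issues: Tuple[str, ...]

    @property
    def compliant(self) -> bool:
        return not self.issues


def evaluate_domain(domain_status: dict) -> Finding:
    """Apply the check to one DomainStatus object (the shape describe-domain returns).

    Older domains may omit DomainEndpointOptions entirely; treat that as HTTP allowed.
    """
    name = domain_status.get("DomainName", "<unknown>")
    opts = domain_status.get("DomainEndpointOptions") or {}
    enforce_https = bool(opts.get("EnforceHTTPS", False))
    tls_policy = opts.get("TLSSecurityPolicy", "")
    issues = []
    if not enforce_https:
        issues.append("EnforceHTTPS is false: the endpoint accepts plain HTTP")
    if tls_policy not in RECOMMENDED_TLS_POLICIES:
        issues.append(f"TLSSecurityPolicy {tls_policy!r} permits TLS below 1.2")
    return Finding(name, enforce_https, tls_policy, tuple(issues))


def remediation_params(finding: Finding) -> Optional[dict]:
    """Keyword arguments for update_domain_config, mirroring the CLI flag
    --domain-endpoint-options "EnforceHTTPS=true,TLSSecurityPolicy=...".
    Returns None when nothing needs to change; keeps an already-acceptable policy."""
    if finding.compliant:
        return None
    policy = (finding.tls_policy if finding.tls_policy in RECOMMENDED_TLS_POLICIES
              else TARGET_TLS_POLICY)
    return {
        "DomainName": finding.domain_name,
        "DomainEndpointOptions": {"EnforceHTTPS": True, "TLSSecurityPolicy": policy},
    }


def audit(domain_statuses: List[dict]) -> List[Finding]:
    """Evaluate a batch of DomainStatus objects and return only the non-compliant ones."""
    return [f for f in map(evaluate_domain, domain_statuses) if not f.compliant]


def audit_live(region: str = "us-east-1", apply: bool = False) -> List[Finding]:
    """Same check against a real account (needs es:DescribeDomain, plus
    es:UpdateDomainConfig when apply=True). Not exercised offline."""
    import boto3  # imported lazily so the offline functions work without it

    client = boto3.client("opensearch", region_name=region)
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    statuses = [client.describe_domain(DomainName=n)["DomainStatus"] for n in names]
    findings = audit(statuses)
    if apply:
        for finding in findings:
            client.update_domain_config(**remediation_params(finding))
    return findings


# Constructed sample responses (not real domains) covering the states a practitioner
# meets: fully open, fully remediated, HTTPS on with a weak policy, and block absent.
SAMPLE_DOMAIN_STATUSES = [
    {"DomainName": "legacy-logs",
     "DomainEndpointOptions": {"EnforceHTTPS": False,
                               "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"}},
    {"DomainName": "my-search-domain",
     "DomainEndpointOptions": {"EnforceHTTPS": True,
                               "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"}},
    {"DomainName": "half-fixed",
     "DomainEndpointOptions": {"EnforceHTTPS": True,
                               "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"}},
    {"DomainName": "no-endpoint-options"},  # older domain with the block missing
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_DOMAIN_STATUSES):
        print(finding.domain_name, "->", "; ".join(finding.issues))
        print("   fix:", remediation_params(finding)["DomainEndpointOptions"])
```

Run it as-is to see the three non-compliant sample domains and the endpoint options each would be updated to; call audit_live() with apply=False first to review findings before any update is issued, since each update triggers the 15-30 minute domain change described above.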