Ensure AWS Elasticsearch Endpoint Using TLS

Description

Configure your domains to require that all traffic be submitted over HTTPS so that you can ensure that communications between your clients and your domain are encrypted. You can also configure the minimum required TLS version to accept.

This option is a useful additional security control to ensure your clients are not misconfigured.

Rationale

Requiring HTTPS for all communication to an Elasticsearch domain reduces the chance that data is compromised through misconfigured clients or compromised client machines.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     elasticsearch

Default Rule

/**
 * @param {Object} databaseSettings - database settings, including the Elasticsearch domain status
 * @returns {{success: boolean}} success is true if HTTPS is enforced at the domain endpoint
 */
function validate(databaseSettings) {

    // Boolean() keeps the result strictly true/false when any level is missing
    const success = Boolean(
        databaseSettings.awsDatabaseInstance &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain.domainEndpointOptions &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain.domainEndpointOptions.enforceHttps
    );

    return {
        success,
    };
}

// invoke
validate(databaseSettings);
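
The default rule checks only `enforceHttps`, while the description also mentions a minimum TLS version. The following is an added example, not the tool's own rule, that fails closed unless HTTPS is enforced and the endpoint's policy name implies TLS 1.2 or later. It assumes the settings object exposes AWS's `TLSSecurityPolicy` as `tlsSecurityPolicy`; `validateStrict`, `minTlsFromPolicy` and the `reason` field are hypothetical names.

```javascript
// Added example, not the tool's own rule. `tlsSecurityPolicy` is an assumed
// camelCase mapping of the AWS DomainEndpointOptions.TLSSecurityPolicy field.
const MIN_TLS = [1, 2]; // minimum acceptable TLS version (major, minor)

// Extract the minimum TLS version from a policy name such as
// "Policy-Min-TLS-1-2-2019-07"; returns null when the name is not recognised.
function minTlsFromPolicy(policy) {
    const m = /^Policy-Min-TLS-(\d+)-(\d+)-/.exec(String(policy || ''));
    return m ? [Number(m[1]), Number(m[2])] : null;
}

function validateStrict(databaseSettings) {
    const options =
        databaseSettings &&
        databaseSettings.awsDatabaseInstance &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain.domainEndpointOptions;

    if (!options) {
        return { success: false, reason: 'domainEndpointOptions missing' };
    }
    if (options.enforceHttps !== true) {
        return { success: false, reason: 'enforceHttps is not enabled' };
    }
    const version = minTlsFromPolicy(options.tlsSecurityPolicy);
    if (!version) {
        // Fail closed: an absent or unknown policy name is treated as non-compliant.
        return { success: false, reason: 'unrecognised TLS security policy' };
    }
    const [major, minor] = version;
    if (major < MIN_TLS[0] || (major === MIN_TLS[0] && minor < MIN_TLS[1])) {
        return { success: false, reason: `minimum TLS ${major}.${minor} is below 1.2` };
    }
    return { success: true, reason: `HTTPS enforced, minimum TLS ${major}.${minor}` };
}

// Constructed sample input for illustration.
const sample = (enforceHttps, tlsSecurityPolicy) => ({
    awsDatabaseInstance: {
        elasticsearchDomain: { domainEndpointOptions: { enforceHttps, tlsSecurityPolicy } },
    },
});
console.log(validateStrict(sample(true, 'Policy-Min-TLS-1-0-2019-07')));
```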