Feature request: AWS OpenSearch TLS policy
rdegraaf-ncc3 opened this issue · comments
Is your feature request related to a problem? Please describe.
AWS OpenSearch Domains support several TLS termination policies. The default supports TLS 1.0, which is deprecated and should be disabled.
Describe the solution you'd like
Check that every OpenSearch Domain is using the strongest TLS termination policy available. At the moment, this is "Policy-Min-TLS-1-2-PFS-2023-10". One can check using the following AWS CLI command:
aws es describe-elasticsearch-domain-config --domain-name <DOMAIN>
See https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_DomainEndpointOptions.html for more information on TLS termination policies for AWS OpenSearch.
Describe alternatives you've considered
N/A
Additional context
There are also related settings for CloudSearch and Elastic Search. Those should be checked as well.