Ensure AWS Elasticsearch domains have EnforceHTTPS enabled

Error: AWS Elasticsearch domains do not have EnforceHTTPS enabled

Bridgecrew Policy ID: BC_AWS_ELASTICSEARCH_6
Checkov Check ID: CKV_AWS_83
Severity: MEDIUM

AWS Elasticsearch domains do not have EnforceHTTPS enabled


Amazon Elasticsearch Service (Amazon ES) allows you to build applications without setting up and maintaining your own search celuster on Amazon EC2. Amazon ES allows you to configure your domains to require that all traffic be submitted over HTTPS. This ensures communications between your clients and your domain are encrypted.

We recommend you configure the minimum required TLS version to accept. This option is a useful additional security control to ensure your clients are not misconfigured.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon Elasticsearch console.
  3. Open a domain.
  4. Select Actions > Modify encryptions
  5. Select Require HTTPS for all traffic to the domain.
  6. Click Submit.

Fix - Buildtime


Resource: AWS::Elasticsearch::Domain
Argument: Properties.DomainEndpointOptions.EnforceHTTPS

    Type: 'AWS::Elasticsearch::Domain'
+       EnforceHTTPS: True