Compliance · Medium severity

AWS Security Hub · ES

ES.8: ES should use latest TLS policy

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub ES.8 check?

ES.8 checks DomainEndpointOptions.TLSSecurityPolicy on each domain and fails if it isn't pinned to the latest supported policy (currently Policy-Min-TLS-1-2-PFS-2023-10) or if HTTPS isn't enforced at all. The policy decides which TLS versions and cipher suites the HTTPS endpoint will negotiate.

Why does ES.8 matter?

As long as the endpoint advertises a policy that still accepts TLS 1.0/1.1, an attacker on the network path can attempt to force a connection down to the weakest mutually supported protocol and target known weaknesses in those older protocol versions and cipher suites. Pinning the latest policy stops the negotiation from slipping backwards. The control maps to NIST 800-53 SC-8/SC-13/SC-23 and the data-in-transit requirements of PCI DSS.

How do I fix ES.8?

  1. Enforce HTTPS on the domain endpoint.
  2. Set TLSSecurityPolicy to the latest supported policy (Policy-Min-TLS-1-2-PFS-2023-10).
  3. Confirm clients can negotiate TLS 1.2+ before pinning the stricter policy.
  4. Default new domains to the latest TLS policy in your templates.

Remediation script · bash

# Raise the search-domain TLS policy and keep HTTPS enforced (no downtime, no re-index).
aws opensearch update-domain-config \
  --domain-name logs-prod \
  --domain-endpoint-options '{"EnforceHTTPS":true,"TLSSecurityPolicy":"Policy-Min-TLS-1-2-PFS-2023-10"}'

# Pin an API Gateway custom domain to a recommended TLS security policy.
aws apigateway update-domain-name \
  --domain-name api.example.com \
  --patch-operations op=replace,path=/securityPolicy,value=TLS_1_2

# Confirm the live policy once the domain settles.
aws opensearch describe-domain-config --domain-name logs-prod \
  --query 'DomainConfig.DomainEndpointOptions.Options.TLSSecurityPolicy' \
  --output text
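The CLI above fixes one named domain at a time. As an added example (not part of this lesson's script), the Python below applies the ES.8 rule to the `DomainEndpointOptions` block that `describe-domain` returns, reports why a domain fails, and builds the exact `DomainEndpointOptions` payload the remediation needs while preserving unrelated keys such as custom-endpoint settings. The domain names and their option blocks are constructed sample data; `audit_account()` is the live variant and needs boto3 plus AWS credentials.

```python
"""Evaluate Security Hub ES.8 (latest TLS policy + HTTPS enforced) over search domains."""
from typing import Any

LATEST_TLS_POLICY = "Policy-Min-TLS-1-2-PFS-2023-10"


def evaluate_es8(domain_name: str, endpoint_options: dict[str, Any]) -> dict[str, Any]:
    """Apply the ES.8 rule to one domain's DomainEndpointOptions block.

    A domain passes only if HTTPS is enforced AND the TLS policy is pinned to the
    latest supported one. Every unmet condition is returned as a reason string.
    """
    reasons: list[str] = []
    if not endpoint_options.get("EnforceHTTPS", False):
        reasons.append("EnforceHTTPS is false: the endpoint still accepts plaintext HTTP")
    policy = endpoint_options.get("TLSSecurityPolicy")
    if policy != LATEST_TLS_POLICY:
        reasons.append(f"TLSSecurityPolicy is {policy!r}, expected {LATEST_TLS_POLICY!r}")
    return {"domain": domain_name, "status": "FAILED" if reasons else "PASSED", "reasons": reasons}


def remediation_options(endpoint_options: dict[str, Any]) -> dict[str, Any]:
    """Build the DomainEndpointOptions payload for update-domain-config.

    Only the two keys ES.8 cares about are overwritten; anything else already set on
    the domain (e.g. CustomEndpointEnabled) is carried over unchanged.
    """
    fixed = dict(endpoint_options)
    fixed["EnforceHTTPS"] = True
    fixed["TLSSecurityPolicy"] = LATEST_TLS_POLICY
    return fixed


def audit(domains: dict[str, dict[str, Any]]) -> list[dict[str, Any]]:
    """Evaluate a {domain name: DomainEndpointOptions} mapping and return one result per domain."""
    return [evaluate_es8(name, opts) for name, opts in domains.items()]


# Constructed sample data: three placeholder domains with the option blocks describe-domain would show.
SAMPLE_DOMAINS: dict[str, dict[str, Any]] = {
    "logs-prod": {"EnforceHTTPS": True, "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"},
    "search-dev": {"EnforceHTTPS": False, "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07",
                   "CustomEndpointEnabled": False},
    "audit-prod": {"EnforceHTTPS": True, "TLSSecurityPolicy": LATEST_TLS_POLICY},
}


def audit_account() -> list[dict[str, Any]]:
    """Live variant: run the same rule over every domain visible to the caller's credentials."""
    import boto3  # imported here so the pure functions above work without boto3 installed
    client = boto3.client("opensearch")
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    live = {n: client.describe_domain(DomainName=n)["DomainStatus"].get("DomainEndpointOptions", {})
            for n in names}
    return audit(live)
```

Feed the `remediation_options()` output to `--domain-endpoint-options` (as JSON) for each domain that `audit()` reports as FAILED.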

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on APIs and search domains.

Part of the learning path Encrypt everything
  • ES.1 ES domains should encrypt at rest
  • ES.2 A legacy Elasticsearch domain is publicly accessible
  • ES.3 ES should encrypt node-to-node traffic
  • ES.4 ES error logging to CW should be enabled
  • ES.5 ES domains should have audit logging
  • ES.6 ES domains should have >= 3 data nodes
  • ES.7 ES domains should have >= 3 dedicated master nodes