Compliance · Medium severity

AWS Security Hub · Opensearch

Opensearch.8: OpenSearch should use latest TLS policy

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Opensearch.8 check?

Opensearch.8 fails when a domain's endpoint is not using the latest TLS security policy, currently Policy-Min-TLS-1-2-PFS-2023-10. This is separate from simply having HTTPS enabled: EnforceHTTPS decides whether plain HTTP is refused, while the TLS security policy decides which protocol versions and cipher suites the HTTPS endpoint will negotiate. A domain passes only when HTTPS is enforced and the policy is the newest one; an older policy such as Policy-Min-TLS-1-2-2019-07 still fails even though it also requires TLS 1.2, because the control compares against the latest policy rather than a minimum protocol version.

Why does Opensearch.8 matter?

An endpoint that still offers old protocols or weak ciphers invites downgrade attacks like POODLE (SSL 3.0 fallback), FREAK and Logjam (export-grade RSA and Diffie-Hellman), where a man-in-the-middle pushes both sides onto the weak option even when a strong one is available. The latest policy removes those choices entirely: it requires TLS 1.2 or newer and offers only cipher suites with ephemeral key exchange, so every session has perfect forward secrecy and a later compromise of the domain's private key cannot be used to decrypt recorded traffic.

How do I fix Opensearch.8?

  1. Audit every domain in the region for its current TLSSecurityPolicy and EnforceHTTPS setting (the control needs both).
  2. Before changing anything, check for legacy clients that cannot complete a TLS 1.2 handshake with an ephemeral (ECDHE) cipher suite; the PFS policy also drops static-RSA key exchange, so a client that today only negotiates TLS 1.2 with an RSA suite will break.
  3. Move each domain to Policy-Min-TLS-1-2-PFS-2023-10 with a single update-domain-config call, setting EnforceHTTPS in the same call.
  4. Make the newest policy the default for every domain you create, for example in the IaC module that provisions domains.
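The steps above in one runnable script, added here as an example (it is not Emnode's script and not part of the lesson): it audits every domain in a region against what Opensearch.8 actually evaluates (latest policy AND HTTPS enforced), and it probes an endpoint from the client side to confirm what the policy change did. Only the AWS CLI and openssl are needed; the decision logic lives in a pure function so it can be exercised without credentials. The domain names, region and hostname used in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own code. Audits OpenSearch domains against
# Opensearch.8 (latest TLS policy AND EnforceHTTPS) and probes an endpoint.
# Domain names, region and host in the usage comments are assumptions.

LATEST_POLICY="Policy-Min-TLS-1-2-PFS-2023-10"

# evaluate_domain NAME POLICY ENFORCE_HTTPS
# Mirrors the control: fail if the policy is not the latest OR HTTPS is not
# enforced. ENFORCE_HTTPS arrives as "True"/"False" from `aws --output text`.
# Prints "PASS NAME" or "FAIL NAME reason[,reason]" and returns 1 on FAIL.
evaluate_domain() {
  _name=$1 _policy=$2 _enforce=$3 _reason=""
  case "$_enforce" in
    True|true) ;;
    *) _reason="EnforceHTTPS=$_enforce" ;;
  esac
  if [ "$_policy" != "$LATEST_POLICY" ]; then
    _reason="${_reason:+$_reason,}TLSSecurityPolicy=$_policy"
  fi
  if [ -n "$_reason" ]; then
    printf 'FAIL %s %s\n' "$_name" "$_reason"
    return 1
  fi
  printf 'PASS %s\n' "$_name"
}

# audit_region REGION: run evaluate_domain over every domain in REGION.
# Returns 1 if any domain fails, so it can gate a CI job.
audit_region() {
  _region=$1 _failed=0
  for _domain in $(aws opensearch list-domain-names --region "$_region" \
                     --query 'DomainNames[].DomainName' --output text); do
    # Text output prints the two fields on one line, tab-separated.
    _fields=$(aws opensearch describe-domain-config --region "$_region" \
                --domain-name "$_domain" \
                --query 'DomainConfig.DomainEndpointOptions.Options.[TLSSecurityPolicy,EnforceHTTPS]' \
                --output text)
    set -- $_fields
    evaluate_domain "$_domain" "${1:-}" "${2:-}" || _failed=1
  done
  return $_failed
}

# probe_endpoint HOST: client-side confirmation after the policy change.
# The PFS policy drops static-RSA key exchange, so a TLS 1.2 handshake that
# only offers kRSA suites must be refused, while a normal TLS 1.2 handshake
# must land on an ephemeral (ECDHE/DHE) suite. Returns 1 on either violation.
probe_endpoint() {
  _host=$1
  if openssl s_client -connect "$_host:443" -servername "$_host" -tls1_2 \
       -cipher 'kRSA' </dev/null >/dev/null 2>&1; then
    echo "FAIL $_host still accepts static-RSA key exchange"
    return 1
  fi
  _cipher=$(openssl s_client -connect "$_host:443" -servername "$_host" -tls1_2 \
              </dev/null 2>/dev/null | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  case "$_cipher" in
    ECDHE-*|DHE-*) echo "PASS $_host TLS1.2 $_cipher" ;;
    *) echo "FAIL $_host negotiated '$_cipher' (expected an ephemeral suite)"; return 1 ;;
  esac
}

# Usage (assumed region and host):
#   sh audit.sh run us-east-1
#   sh audit.sh probe search-logs-prod-abc123.us-east-1.es.amazonaws.com
case "${1:-}" in
  run)   audit_region "${2:?region}" ;;
  probe) probe_endpoint "${2:?host}" ;;
esac
```

The audit reads TLSSecurityPolicy and EnforceHTTPS together because the control fails on either, which is the usual reason a "we already have HTTPS on" domain shows up in the findings. The probe deliberately forces the kRSA cipher group rather than an old protocol version: every openssl build can speak TLS 1.2, so a refused handshake there is a meaningful result, whereas a refused TLS 1.1 attempt might only reflect the client's own build.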

Remediation script · bash

# Raise the search-domain TLS policy and keep HTTPS enforced. Both settings live in
# the same DomainEndpointOptions block, so send them together; the domain's data
# and endpoint address are untouched.
aws opensearch update-domain-config \
  --domain-name logs-prod \
  --domain-endpoint-options '{"EnforceHTTPS":true,"TLSSecurityPolicy":"Policy-Min-TLS-1-2-PFS-2023-10"}'

# Pin an API Gateway custom domain to TLS 1.2 as well. This is outside the scope of
# Opensearch.8 (it belongs to the same lesson) and has no effect on the finding.
aws apigateway update-domain-name \
  --domain-name api.example.com \
  --patch-operations op=replace,path=/securityPolicy,value=TLS_1_2

# Confirm the live policy once the change has settled: State should read Active
# (not Processing) and both options should show the intended values.
aws opensearch describe-domain-config --domain-name logs-prod \
  --query 'DomainConfig.DomainEndpointOptions.{Options:Options,State:Status.State}' \
  --output json

Full walkthrough (console steps, edge cases and verification) in the lesson Enforce TLS on APIs and search domains.

Is Opensearch.8 a false positive?

Because a domain can have HTTPS enforced and still fail this control, teams often think the finding is wrong, but 'HTTPS on' and 'latest TLS policy' are two genuinely different checks. The same applies to a domain on Policy-Min-TLS-1-2-2019-07: it already refuses TLS 1.0 and 1.1, yet it is not the latest policy, so the finding is still correct until the domain moves to Policy-Min-TLS-1-2-PFS-2023-10.

Part of the learning path Encrypt everything
  • Opensearch.1 OpenSearch domains should encrypt at rest
  • Opensearch.2 An OpenSearch domain is reachable from the public internet
  • Opensearch.3 OpenSearch should encrypt node-to-node traffic
  • Opensearch.4 OpenSearch error logging to CW should be enabled
  • Opensearch.5 OpenSearch domains should have audit logging
  • Opensearch.6 OpenSearch domains should have >= 3 data nodes
  • Opensearch.7 OpenSearch has no fine-grained access control
  • Opensearch.10 OpenSearch should have latest software update