Ensure Elasticsearch Domain enforces HTTPS

AWS Elasticsearch makes it easy to deploy, operate, and scale OpenSearch clusters in the AWS Cloud.Amazon ES allows you to configure your domains to require that all traffic be submitted over HTTPS. This ensures communications between your clients and your domain are encrypted.This option is a useful additional security control to ensure your clients are not misconfigured.

Risk Level: High
Cloud Entity: Amazon ElasticSearch service
CloudGuard Rule ID: D9.CFT.CRY.19
Covered by Spectral: Yes
Category: Analytics


AWS_Elasticsearch_Domain should have DomainEndpointOptions.EnforceHTTPS=true


From CFT
Supply AWS::Elasticsearch::Domain::DomainEndpointOptions::EnforceHTTPS with value 'true'
See below example;

Type: AWS::Elasticsearch::Domain
EnforceHTTPS: true


  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticsearch-domain-domainendpointoptions.html#cfn-elasticsearch-domain-domainendpointoptions-enforcehttps

Amazon ElasticSearch service

Amazon Elasticsearch Service is a fully managed service that makes it easy for you to deploy, secure, and run Elasticsearch cost effectively at scale. You can build, monitor, and troubleshoot your applications using the tools you love, at the scale you need. The service provides support for open source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services, and built-in alerting and SQL querying. Amazon Elasticsearch Service lets you pay only for what you use ��� there are no upfront costs or usage requirements. With Amazon Elasticsearch Service, you get the ELK stack you need, without the operational ov

Compliance Frameworks

  • AWS CloudFormation ruleset