Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: Connections to Elasticsearch domains should be encrypted using TLS 1.2

Description

This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.es_domain_encrypted_using_tls_1_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.es_domain_encrypted_using_tls_1_2 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' then 'ok'
    else 'alarm'
  end status,
  case
    when domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' then title || ' encrypted using TLS 1.2.'
    else title || ' not encrypted using TLS 1.2.'
  end as reason
  
  , region, account_id
from
  aws_elasticsearch_domain;

Tags

category = Compliance
nist_csf_v2 = true
plugin = aws
service = AWS/ES