Information disclosure due to outdated TLS policy on AWS Elasticsearch

Medium Risk information-disclosure
aws elasticsearch tls encryption transport-security weak-ciphers downgrade-attack

What it is

AWS Elasticsearch domains configured with a weak TLS security policy still negotiate the legacy protocol versions TLS 1.0 and 1.1 and the cipher suites those versions carry, leaving connections open to protocol downgrade, man-in-the-middle interception and passive eavesdropping. When HTTPS is not enforced the endpoint also accepts plaintext HTTP. Either way an attacker on the network path can read or modify data in transit between clients and the cluster, compromising the confidentiality and integrity of search data and administrative API calls.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

The domain's domain_endpoint_options do not pin a TLS 1.2 minimum: tls_security_policy is either left at the service default or set explicitly to Policy-Min-TLS-1-0-2019-07, so the endpoint keeps negotiating TLS 1.0 and 1.1. Both versions are deprecated by RFC 8996; they offer no AEAD cipher suites, only CBC modes with the original MAC-then-encrypt construction, which is what BEAST (TLS 1.0) and the CBC padding-oracle attacks exploit.

Root causes

Missing TLS 1.2 Minimum Policy Configuration

AWS Elasticsearch domain_endpoint_options not configured with a minimum TLS 1.2 security policy. The domain either uses the default policy (which may allow TLS 1.0/1.1) or has an explicitly weak policy such as Policy-Min-TLS-1-0-2019-07. TLS 1.0 and 1.1 lack AEAD cipher suites and use an MD5/SHA-1 based PRF, and TLS 1.0's predictable CBC initialisation vectors are the basis of BEAST. Note that POODLE is an SSL 3.0 attack and CRIME exploits TLS compression rather than a protocol version, so they are often cited here but are not what a TLS 1.2 minimum fixes; the real gain is removing the deprecated versions and their weaker cipher suites.

Default TLS Policy Allowing Legacy Protocols

Using the AWS Elasticsearch default TLS security policy without explicit configuration. When tls_security_policy is not specified in Terraform or CloudFormation templates, the domain gets the service default, which has historically been Policy-Min-TLS-1-0-2019-07, a policy that permits TLS 1.0 and 1.1 connections and the legacy cipher suites that go with them, exposing data in transit to downgrade attacks and cryptographic weaknesses.

Missing HTTPS Enforcement Configuration

The enforce_https parameter missing or set to false in domain_endpoint_options. The managed endpoint then accepts unencrypted HTTP on port 80 alongside HTTPS on 443, and clients that default to http:// send search queries, index data and administrative commands in plaintext where a network attacker can read or modify them.

Unspecified TLS Security Policy in Terraform

Terraform aws_elasticsearch_domain resource deployed without the tls_security_policy attribute in the domain_endpoint_options block. Infrastructure-as-code templates that omit explicit TLS configuration inherit cloud provider defaults that may not meet organizational security standards, allowing weak cryptographic protocols to persist across environment deployments.

CloudFormation Missing Modern TLS Enforcement

CloudFormation AWS::Elasticsearch::Domain resource missing DomainEndpointOptions property or having incomplete TLS configuration. Templates that don't specify TLSSecurityPolicy and EnforceHTTPS create domains vulnerable to legacy protocol attacks, and this misconfiguration gets replicated across all stack deployments and regions where the template is used.

Inadequate Compliance Policy Requirements

Organizational security and compliance policies lack specific requirements for minimum TLS versions and cipher suite strength on data store services. Without explicit standards mandating TLS 1.2+ for Elasticsearch and similar services, development teams may unknowingly deploy domains with insecure transport layer configurations that violate PCI DSS, HIPAA, or other regulatory frameworks.
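The root causes above can be checked mechanically from a domain description. The following is an added example, not code from the page or from Sourcery: the dicts in SAMPLE_DOMAINS are constructed to mimic the DomainStatus object that boto3's describe_elasticsearch_domain (describe_domain for OpenSearch Service) returns, and a real audit would pass that response's "DomainStatus" to audit_domain(). The severity labels and the policy names treated as strong are this example's own choices.

```python
"""Flag weak TLS endpoint settings on AWS Elasticsearch / OpenSearch domains.

Added example. SAMPLE_DOMAINS is constructed test data shaped like the
DomainStatus object returned by boto3 describe_elasticsearch_domain; in a real
audit feed that response's "DomainStatus" into audit_domain().
"""
from __future__ import annotations

# AWS policy identifiers that set TLS 1.2 as the floor.
TLS12_POLICIES = {"Policy-Min-TLS-1-2-2019-07", "Policy-Min-TLS-1-2-PFS-2023-10"}
# The policy that additionally restricts negotiation to ECDHE (forward-secret) suites.
PFS_POLICY = "Policy-Min-TLS-1-2-PFS-2023-10"


def audit_domain(domain_status: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one domain's endpoint options."""
    name = domain_status.get("DomainName", "<unnamed>")
    opts = domain_status.get("DomainEndpointOptions") or {}
    findings: list[tuple[str, str]] = []

    # Root cause: enforce_https missing or false -> plaintext HTTP on port 80.
    if not opts.get("EnforceHTTPS", False):
        findings.append(("HIGH", f"{name}: EnforceHTTPS is off; plaintext HTTP accepted on port 80"))

    # Root cause: policy unset (service default) or an explicit TLS 1.0 floor.
    policy = opts.get("TLSSecurityPolicy")
    if policy is None:
        findings.append(("HIGH", f"{name}: TLSSecurityPolicy unset; service default may allow TLS 1.0/1.1"))
    elif policy not in TLS12_POLICIES:
        findings.append(("HIGH", f"{name}: TLSSecurityPolicy {policy} allows TLS 1.0/1.1"))
    elif policy != PFS_POLICY:
        # TLS 1.2 floor is met; flag the missing forward-secrecy restriction as advice only.
        findings.append(("LOW", f"{name}: {policy} still negotiates non-ECDHE suites; prefer {PFS_POLICY}"))
    return findings


def is_compliant(domain_status: dict) -> bool:
    """True when no HIGH finding remains (LOW findings are hardening advice)."""
    return not any(sev == "HIGH" for sev, _ in audit_domain(domain_status))


def audit_all(domains: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Audit a batch of DomainStatus objects, keyed by domain name."""
    return {d["DomainName"]: audit_domain(d) for d in domains}


# Constructed sample domains, shaped like DomainStatus from the AWS API.
SAMPLE_DOMAINS = [
    {"DomainName": "logs-legacy"},  # no DomainEndpointOptions at all: both defaults apply
    {"DomainName": "search-weak",
     "DomainEndpointOptions": {"EnforceHTTPS": True,
                               "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"}},
    {"DomainName": "search-2019",
     "DomainEndpointOptions": {"EnforceHTTPS": True,
                               "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"}},
    {"DomainName": "search-hardened",
     "DomainEndpointOptions": {"EnforceHTTPS": True,
                               "TLSSecurityPolicy": "Policy-Min-TLS-1-2-PFS-2023-10"}},
]


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DOMAINS).items():
        print(("OK   " if not findings else "FAIL ") + name)
        for sev, msg in findings:
            print(f"      [{sev}] {msg}")
```

A domain with no DomainEndpointOptions at all is treated as failing both checks, which matches what an IaC template that omits the block will produce once deployed.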

Fixes

1

Enforce TLS 1.2 Minimum Policy

Configure the domain_endpoint_options block in Terraform with tls_security_policy = "Policy-Min-TLS-1-2-2019-07", or the newer Policy-Min-TLS-1-2-PFS-2023-10, which additionally restricts negotiation to ECDHE suites so that a later compromise of the server key cannot decrypt recorded traffic. In CloudFormation, set DomainEndpointOptions.TLSSecurityPolicy to the same value. Raising the floor to TLS 1.2 removes the deprecated versions that BEAST and the CBC padding-oracle attacks target and makes AEAD suites (AES-GCM) available on every connection. Before changing the policy, inventory the clients that talk to the domain: anything that can only speak TLS 1.0/1.1 (old JVMs, Python 2 runtimes, legacy log shippers) will stop connecting the moment the policy is applied.

2

Enable HTTPS Enforcement

Set enforce_https = true in the domain_endpoint_options block (Terraform) or DomainEndpointOptions.EnforceHTTPS = true (CloudFormation) to prevent any plaintext HTTP connections to the Elasticsearch endpoint. This configuration ensures all client connections, API calls, and administrative operations are encrypted in transit using TLS, preventing network eavesdropping and man-in-the-middle attacks on search queries and index data.

3

Configure Custom Domain with ACM Certificates

Enable custom_endpoint_enabled = true, set custom_endpoint to your own hostname, and provide custom_endpoint_certificate_arn referencing an AWS Certificate Manager (ACM) certificate issued in the same region as the domain, with domain validation completed and managed renewal in place. A custom endpoint does not change the TLS policy (Fix 1 still applies) but it puts the presented certificate under your control, lets you rotate it independently of the AWS-managed endpoint, and gives clients a stable DNS name you own so that pinning and DNS-based access controls can be applied consistently.
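Fixes 1 to 3 as one Terraform resource, shown as an added example that is not code from the page: the weak resource with no domain_endpoint_options block beside the hardened one. The domain names, the hostname search.example.com and the certificate are placeholders; the Route 53 validation record and aws_acm_certificate_validation resource that DNS validation needs are omitted. The PFS policy name is accepted only by provider versions that know it, and the aws_opensearch_domain resource takes the same block with the same attribute names.

```hcl
# Added example: weak versus hardened domain_endpoint_options.
# Domain names, hostname and certificate are placeholders.

# BEFORE: no domain_endpoint_options block, so service defaults apply:
# plaintext HTTP on port 80 is accepted and the default TLS policy
# (historically Policy-Min-TLS-1-0-2019-07) sets the floor.
resource "aws_elasticsearch_domain" "logs_weak" {
  domain_name           = "logs-weak"
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type = "t3.small.elasticsearch"
  }
  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }
}

# AFTER: HTTPS only, TLS 1.2 floor with forward-secret suites, and a custom
# endpoint backed by an ACM certificate in the same region as the domain.
resource "aws_acm_certificate" "search" {
  domain_name       = "search.example.com" # placeholder hostname
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true # rotation replaces the cert without downtime
  }
}

resource "aws_elasticsearch_domain" "logs_hardened" {
  domain_name           = "logs-hardened"
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type = "t3.small.elasticsearch"
  }
  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  domain_endpoint_options {
    enforce_https       = true                             # Fix 2: refuse port-80 HTTP
    tls_security_policy = "Policy-Min-TLS-1-2-PFS-2023-10" # Fix 1: TLS >= 1.2, ECDHE suites only

    custom_endpoint_enabled         = true                 # Fix 3: certificate under your control
    custom_endpoint                 = "search.example.com"
    custom_endpoint_certificate_arn = aws_acm_certificate.search.arn
  }
}
```

Apply the change as a plan first: switching tls_security_policy or enforce_https is an in-place update of the domain, but every client that cannot meet the new floor loses connectivity as soon as the update completes.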

4

Implement Client-Side TLS Validation

Configure all Elasticsearch clients (application code, log shippers, monitoring tools) to explicitly require TLS 1.2 or higher and to validate the server certificate, including hostname matching, against a trusted CA set. Set ssl_verification_mode => "full" in the Logstash elasticsearch output (ssl.verification_mode: full in Beats), verify_certs=True plus an ssl_context with a TLS 1.2 minimum in the Python elasticsearch client, or the equivalent in other libraries, and reject http:// endpoints outright. This defence in depth ensures that even if the server configuration is later weakened, clients refuse to connect over an insecure channel.
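The client-side half of that advice in Python, as an added example rather than code from the page: a standard-library ssl.SSLContext that refuses TLS 1.0/1.1 and requires a valid, name-matching certificate, plus an endpoint check that rejects anything that is not https://. Only make_client() assumes the elasticsearch-py library; it imports it lazily so the checks themselves run without it, and the endpoint hostnames in the usage are placeholders.

```python
"""Client-side TLS hardening for connections to an Elasticsearch endpoint.

Added example. build_client_ssl_context() and require_https() use only the
standard library; make_client() assumes the elasticsearch-py client library.
"""
from __future__ import annotations

import ssl
from urllib.parse import urlsplit


def build_client_ssl_context(ca_file: str | None = None) -> ssl.SSLContext:
    """Context that refuses TLS 1.0/1.1 and requires a valid, name-matching cert."""
    # create_default_context loads the platform trust store (or ca_file) and
    # enables certificate and hostname verification; the floor is set
    # explicitly so it does not depend on the interpreter's default.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def require_https(endpoint: str) -> str:
    """Normalise a bare hostname to https:// and reject any other scheme."""
    url = endpoint if "://" in endpoint else f"https://{endpoint}"
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-HTTPS endpoint: {endpoint}")
    return url


def endpoint_is_acceptable(endpoint: str) -> bool:
    """Boolean form of require_https() for configuration validation."""
    try:
        require_https(endpoint)
        return True
    except ValueError:
        return False


def client_tls_settings(ca_file: str | None = None) -> dict[str, object]:
    """Summarise the effective client policy, e.g. for a startup self-check."""
    ctx = build_client_ssl_context(ca_file)
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def make_client(endpoint: str, ca_file: str | None = None):
    """Build an elasticsearch-py client bound to the hardened context (assumed library)."""
    from elasticsearch import Elasticsearch  # assumption: elasticsearch-py is installed

    return Elasticsearch(
        [require_https(endpoint)],
        ssl_context=build_client_ssl_context(ca_file),
        verify_certs=True,
    )


if __name__ == "__main__":
    print(client_tls_settings())
    # Placeholder endpoints: the first is accepted, the second rejected.
    print(require_https("search-example.us-east-1.es.amazonaws.com"))
    print(endpoint_is_acceptable("http://search-example.us-east-1.es.amazonaws.com"))
```

With this context a server that only offers TLS 1.0/1.1, or presents a certificate that does not chain to the trust store or match the hostname, fails the handshake on the client side regardless of what the domain's policy allows.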

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure due to outdated tls policy on aws elasticsearch and many other security issues in your codebase.