AWS Elasticsearch domain endpoints should not use a deprecated versionof SSL/TLS
- GG_ID: GG_IAC_0066
- Severity: HIGH
- Complexity: HIGH
- Categories: NETWORK
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: True
- Privileges required: False
Amazon Elasticsearch is a fully open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis.
Outdated TLS policies (version 1.0 and 1.1) rely on insecure cipher suites (SHA-1 and MD5), and are subject to a range of well known attacks. Note that TLS 1.0 and 1.1 have been deprecated on March 25, 2021.
Allowing such policies can allow attackers to break the encryption, decrypt the traffic, and perform man-in-the-middle attacks.
Known vulnerabilities could be exploited with man-in-the-middle attacks and lead to data and credential leakage.
Choose TLS 1.2 or higher as the TLS security policy for the ElasticSearch domain endpoint configuration.