Skip to main content

AWS Elasticsearch domain endpoints should not use a deprecated versionof SSL/TLS



Amazon Elasticsearch is a fully open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis.

Outdated TLS policies (version 1.0 and 1.1) rely on insecure cipher suites (SHA-1 and MD5), and are subject to a range of well known attacks. Note that TLS 1.0 and 1.1 have been deprecated on March 25, 2021.

Allowing such policies can allow attackers to break the encryption, decrypt the traffic, and perform man-in-the-middle attacks.


Potential data exposureVisible in logsUser interaction requiredPrivileges required

Known vulnerabilities could be exploited with man-in-the-middle attacks and lead to data and credential leakage.

Remediation guidelines#

Choose TLS 1.2 or higher as the TLS security policy for the ElasticSearch domain endpoint configuration.