> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# HTTPS Should Be Enforced OpenSearch Service Domains

### More Info:

This rule checks whether connections to Amazon OpenSearch domains are required to use HTTPS. Enforcing HTTPS helps enhance the security of data in transit by encrypting communication between clients and the OpenSearch domain. The rule is marked as non-compliant if the 'EnforceHTTPS' option is not set to 'true' or if it is set to 'true' and the 'TLSSecurityPolicy' is not set to a valid TLS policy.

### Risk Level

Medium

### Address

Security

### Compliance Standards

CBP

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To enforce HTTPS for OpenSearch Service domains in AWS, you can follow these steps using the AWS Management Console:

        1. **Navigate to the Amazon OpenSearch Service Console:**
           * Go to the AWS Management Console ([https://aws.amazon.com/console/](https://aws.amazon.com/console/)).
           * In the "Find Services" search bar, type "OpenSearch Service" and select it from the dropdown.

        2. **Select your OpenSearch domain:**
           * From the list of OpenSearch domains, select the domain for which you want to enforce HTTPS.

        3. **Update the domain configuration:**
           * In the domain dashboard, click on the "Modify domain" button.

        4. **Enable HTTPS:**
           * Scroll down to the "Node-to-node encryption" section.
           * Enable the "Require HTTPS between OpenSearch nodes" option.

        5. **Update the domain:**
           * Scroll to the bottom of the page and click on the "Submit" button to save your changes.

        6. **Monitor the domain status:**
           * Once the modification is submitted, monitor the domain status to ensure that the changes are successfully applied.

        By following these steps, you have successfully enforced HTTPS for your OpenSearch Service domain in AWS using the AWS Management Console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To enforce HTTPS for OpenSearch Service domains in AWS using AWS CLI, follow these steps:

        1. Open the AWS CLI and run the following command to update the OpenSearch Service domain configuration to enforce HTTPS:

        ```bash theme={null}
        aws opensearch update-domain-config --domain-name your-domain-name --advanced-security-options Enabled=true,InternalUserDatabaseEnabled=false,MasterUserOptions.MasterUserARN=arn:aws:iam::123456789012:user/admin,MasterUserOptions.MasterUserName=admin,MasterUserOptions.MasterUserPassword=yourpassword,RestApiEndpoint=HTTPS
        ```

        Replace `your-domain-name` with the name of your OpenSearch Service domain, `123456789012` with your AWS account ID, and `yourpassword` with the desired password for the master user.

        2. Wait for the configuration update to be completed. You can monitor the progress by running the following command:

        ```bash theme={null}
        aws opensearch describe-domain --domain-name your-domain-name
        ```

        3. Once the configuration update is completed, verify that HTTPS is enforced for the OpenSearch Service domain by accessing the domain endpoint using HTTPS.

        By following these steps, you can remediate the misconfiguration and enforce HTTPS for OpenSearch Service domains in AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To enforce HTTPS for OpenSearch Service domains in AWS, you can use the AWS SDK for Python (Boto3) to update the domain configuration. Here are the step-by-step instructions to remediate this misconfiguration:

        1. Install Boto3:
           Ensure that you have Boto3 installed in your Python environment. You can install it using pip:
           ```
           pip install boto3
           ```

        2. Configure AWS Credentials:
           Make sure that your AWS credentials are properly configured on your system or provide the necessary IAM permissions to the AWS SDK for Python.

        3. Use the following Python script to enforce HTTPS for your OpenSearch domain:

        ```python theme={null}
        import boto3

        def update_opensearch_domain_config(domain_name):
            client = boto3.client('es')

            response = client.update_elasticsearch_domain_config(
                DomainName=domain_name,
                ElasticsearchClusterConfig={
                    'DedicatedMasterEnabled': False,
                    'InstanceCount': 1,
                    'ZoneAwarenessEnabled': False,
                    'InstanceType': 'm4.large.elasticsearch',
                },
                EBSOptions={
                    'EBSEnabled': True,
                    'VolumeSize': 10,
                    'VolumeType': 'gp2'
                },
                AccessPolicies="""{
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Effect": "Allow",
                      "Principal": {
                        "AWS": "*"
                      },
                      "Action": "es:*",
                      "Resource": "arn:aws:es:us-west-2:1234567890:domain/{}/*",
                      "Condition": {
                        "IpAddress": {
                          "aws:SourceIp": "XXX.XXX.XXX.XXX"
                        }
                      }
                    }
                  ]
                }""".format(domain_name),
                AdvancedOptions={
                    'rest.action.multi.allow_explicit_index': 'true'
                },
                AdvancedSecurityOptions={
                    'Enabled': True,
                    'InternalUserDatabaseEnabled': False,
                    'SAMLOptions': {
                        'Enabled': False
                    }
                },
                NodeToNodeEncryptionOptions={
                    'Enabled': True
                },
                DomainEndpointOptions={
                    'EnforceHTTPS': True
                }
            )

            print("Domain configuration updated successfully.")

        # Replace 'your-opensearch-domain-name' with your actual OpenSearch domain name
        update_opensearch_domain_config('your-opensearch-domain-name')
        ```

        4. Run the Python script:
           Save the above script in a Python file (e.g., `enforce_https_opensearch.py`) and run it in your terminal:
           ```
           python enforce_https_opensearch.py
           ```

        This script will update the configuration of your OpenSearch domain to enforce HTTPS. Ensure that you replace `'your-opensearch-domain-name'` with the actual name of your OpenSearch domain before running the script.

        Please note that this script is a basic example and may need to be adjusted based on your specific requirements and the current configuration of your OpenSearch domain.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>
