---
title: >-
  OpenSearch domain connections should be encrypted using the latest TLS
  security policy
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > OpenSearch domain connections should be
  encrypted using the latest TLS security policy
---

# OpenSearch domain connections should be encrypted using the latest TLS security policy
 
## Description{% #description %}

This control checks whether an Amazon OpenSearch Service domain endpoint is configured to use a secure TLS security policy. Allowed policies are `Policy-Min-TLS-1-2-PFS-2023-10` and `Policy-Min-TLS-1-2-RFC9151-FIPS-2024-08`. The control fails if the endpoint is not using an allowed policy or if HTTPS is not enabled. Enforcing a current TLS 1.2 policy helps secure data in transit by preventing eavesdropping and manipulation through man-in-the-middle attacks.

## Remediation{% #remediation %}

To configure your Amazon OpenSearch Service domain endpoint to use a compliant TLS security policy, refer to the [Requiring HTTPS for Amazon OpenSearch Service Domains](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/creating-domain.html#enforce-https) section of the Amazon OpenSearch Service Developer Guide.
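The pass/fail logic described above can be reproduced offline against domain records. The following is an added example, not Datadog's rule implementation or AWS code: `evaluate_domain` and the sample records are hypothetical, and the records are assumed to have the shape of `DomainStatusList` entries from the OpenSearch `DescribeDomains` API (`DomainEndpointOptions.EnforceHTTPS` and `DomainEndpointOptions.TLSSecurityPolicy`).

```python
# Added example: evaluate the control against DescribeDomains-shaped records.
ALLOWED_POLICIES = {
    "Policy-Min-TLS-1-2-PFS-2023-10",
    "Policy-Min-TLS-1-2-RFC9151-FIPS-2024-08",
}


def evaluate_domain(domain, target_policy="Policy-Min-TLS-1-2-PFS-2023-10"):
    """Return a finding: pass/fail, the reasons, and the options that would fix it."""
    if target_policy not in ALLOWED_POLICIES:
        raise ValueError(f"{target_policy!r} is not an allowed policy")
    # A record without DomainEndpointOptions is treated as failing both checks.
    opts = domain.get("DomainEndpointOptions") or {}
    policy = opts.get("TLSSecurityPolicy")
    reasons = []
    if opts.get("EnforceHTTPS") is not True:
        reasons.append("HTTPS is not enforced")
    if policy not in ALLOWED_POLICIES:
        reasons.append(f"TLS policy {policy!r} is not an allowed policy")
    finding = {"domain": domain.get("DomainName"), "passed": not reasons,
               "reasons": reasons}
    if reasons:
        # Keyword arguments for boto3's opensearch update_domain_config call.
        # An already-allowed policy is kept; anything else moves to target_policy.
        finding["fix"] = {
            "DomainName": domain.get("DomainName"),
            "DomainEndpointOptions": {
                "EnforceHTTPS": True,
                "TLSSecurityPolicy": policy if policy in ALLOWED_POLICIES
                else target_policy,
            },
        }
    return finding


# Constructed sample records (hypothetical domain names, not real resources).
SAMPLE_DOMAINS = [
    {"DomainName": "logs-prod", "DomainEndpointOptions": {
        "EnforceHTTPS": True, "TLSSecurityPolicy": "Policy-Min-TLS-1-2-PFS-2023-10"}},
    {"DomainName": "logs-legacy", "DomainEndpointOptions": {
        "EnforceHTTPS": True, "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"}},
    {"DomainName": "search-fips", "DomainEndpointOptions": {
        "EnforceHTTPS": False,
        "TLSSecurityPolicy": "Policy-Min-TLS-1-2-RFC9151-FIPS-2024-08"}},
    {"DomainName": "search-bare"},  # no endpoint options present at all
]

if __name__ == "__main__":
    for record in SAMPLE_DOMAINS:
        print(evaluate_domain(record))
```

Changing `DomainEndpointOptions` on a live domain is a configuration update, so review the generated `fix` values before passing them to `update_domain_config`.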
