
OpenSearch domain connections should be encrypted using the latest TLS security policy

Description

This control checks whether an Amazon OpenSearch Service domain endpoint is configured to use a secure TLS security policy. The allowed policies are Policy-Min-TLS-1-2-PFS-2023-10 and Policy-Min-TLS-1-2-RFC9151-FIPS-2024-08; both require TLS 1.2 or later, the PFS policy additionally limits negotiation to forward-secret cipher suites, and the FIPS policy limits it to the RFC 9151 suites. The control fails if the endpoint uses any other policy (an older TLS 1.2 policy that is not on this list still fails) or if HTTPS is not enforced on the endpoint. The settings evaluated are the domain's endpoint options, EnforceHTTPS and TLSSecurityPolicy. Enforcing a current TLS 1.2 policy protects data in transit against eavesdropping and tampering by a man-in-the-middle, and rejects clients that can only negotiate older protocol versions or weak cipher suites.

Remediation

To configure your Amazon OpenSearch Service domain endpoint to use a compliant TLS security policy, set EnforceHTTPS to true and TLSSecurityPolicy to one of the allowed policies in the domain's endpoint options (from the console, the AWS CLI update-domain-config command, or your infrastructure-as-code definition). Confirm beforehand that every client of the domain can negotiate TLS 1.2 with the cipher suites the chosen policy permits, since clients that cannot will be refused once the change applies. For details, refer to the Requiring HTTPS for Amazon OpenSearch Service Domains section of the Amazon OpenSearch Service Developer Guide.
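The following Python script is an added example, not code from Datadog or AWS, covering both the check described above and its remediation. It evaluates a domain's endpoint options (EnforceHTTPS and TLSSecurityPolicy) against the two allowed policies, with constructed sample domains illustrating the failing cases, including the older Policy-Min-TLS-1-2-2019-07, which sets a TLS 1.2 minimum but is not on the allowed list. The audit and remediation helpers assume boto3 is installed and AWS credentials are configured; the evaluator itself runs offline.

```python
"""Audit Amazon OpenSearch Service domains against the TLS-policy control."""
from __future__ import annotations

# The two TLS security policies the control accepts (from the control text).
ALLOWED_TLS_POLICIES = frozenset({
    "Policy-Min-TLS-1-2-PFS-2023-10",
    "Policy-Min-TLS-1-2-RFC9151-FIPS-2024-08",
})


def evaluate_endpoint_options(options: dict) -> tuple[bool, str]:
    """Apply the control to one domain's DomainEndpointOptions.

    `options` has the shape returned by describe-domain ("EnforceHTTPS",
    "TLSSecurityPolicy"). Returns (passed, reason). A missing or false
    EnforceHTTPS fails before the policy is even considered.
    """
    if not options.get("EnforceHTTPS", False):
        return False, "HTTPS is not enforced on the domain endpoint"
    policy = options.get("TLSSecurityPolicy")
    if policy not in ALLOWED_TLS_POLICIES:
        return False, f"TLS security policy {policy!r} is not an allowed policy"
    return True, f"endpoint enforces HTTPS with {policy}"


def audit_domains(region_name: str, domain_names: list[str] | None = None) -> dict[str, tuple[bool, str]]:
    """Evaluate every domain in the region (or only the given ones).

    boto3 is imported here, not at module level, so the evaluator above
    stays usable without it. Assumes credentials with es:ListDomainNames
    and es:DescribeDomain.
    """
    import boto3

    client = boto3.client("opensearch", region_name=region_name)
    if domain_names is None:
        domain_names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    results = {}
    for name in domain_names:
        status = client.describe_domain(DomainName=name)["DomainStatus"]
        results[name] = evaluate_endpoint_options(status.get("DomainEndpointOptions", {}))
    return results


def remediate_domain(region_name: str, domain_name: str,
                     policy: str = "Policy-Min-TLS-1-2-PFS-2023-10") -> dict:
    """Enforce HTTPS and set an allowed policy on one domain.

    Equivalent to:
      aws opensearch update-domain-config --domain-name NAME \
          --domain-endpoint-options EnforceHTTPS=true,TLSSecurityPolicy=POLICY
    Refuses any policy that would still fail the control.
    """
    if policy not in ALLOWED_TLS_POLICIES:
        raise ValueError(f"{policy} is not an allowed TLS security policy")
    import boto3

    client = boto3.client("opensearch", region_name=region_name)
    return client.update_domain_config(
        DomainName=domain_name,
        DomainEndpointOptions={"EnforceHTTPS": True, "TLSSecurityPolicy": policy},
    )


# Constructed sample: DomainEndpointOptions for three hypothetical domains.
SAMPLE_DOMAINS = {
    # HTTPS optional and a TLS 1.0 minimum: fails on the first check.
    "legacy-logs": {"EnforceHTTPS": False, "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"},
    # HTTPS enforced with a TLS 1.2 minimum, but not an allowed policy: still fails.
    "search-prod": {"EnforceHTTPS": True, "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"},
    # HTTPS enforced with the PFS policy: passes.
    "search-hardened": {"EnforceHTTPS": True, "TLSSecurityPolicy": "Policy-Min-TLS-1-2-PFS-2023-10"},
}

if __name__ == "__main__":
    for name, opts in SAMPLE_DOMAINS.items():
        ok, why = evaluate_endpoint_options(opts)
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({why})")
```

Run the module directly to see the three sample verdicts; call audit_domains("us-east-1") against a real account to evaluate live domains, and remediate_domain for any that fail. Because update-domain-config triggers a configuration change on the domain, apply it to one non-production domain first and re-run the audit to confirm the new endpoint options have taken effect.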