Amazon OpenSearch Service recently introduced a new transport layer security (TLS) policy, Policy-Min-TLS-1-2-PFS-2023-10, which supports the latest TLS 1.3 protocol and TLS 1.2 with perfect forward secrecy (PFS) cipher suites. This new policy improves both the security and the performance of OpenSearch Service domains.
OpenSearch Service previously offered predefined TLS policies to secure domain endpoints, so that traffic to your domain could be encrypted end to end over HTTPS. However, those policies were limited to older minimum TLS versions, TLS 1.0 and TLS 1.2, and did not enforce PFS cipher suites.
In this post, we discuss the benefits of this new policy and how to enable it using the AWS Command Line Interface (AWS CLI).
Solution overview
The new TLS security policy provides upgraded security for OpenSearch Service domains through TLS 1.3 and PFS. This strengthens the confidentiality and integrity of traffic between clients and your OpenSearch Service domains and gives you a safer, more efficient channel for your sensitive data.

TLS 1.3 is the latest version of the Transport Layer Security protocol. It drops the legacy cipher suites and key exchanges targeted by attacks on older TLS versions and adds efficiency improvements such as 0-RTT session resumption for faster reconnection (0-RTT early data is replayable by design, so it is appropriate only for idempotent requests). Because TLS 1.3 completes its handshake in fewer round trips than TLS 1.2, connections are established faster and your applications see lower latency.

PFS is an important security property: past sessions stay confidential even if the server's long-term private key is compromised later. Each connection derives its own unique, randomly generated session key through an ephemeral key exchange, so captured traffic cannot be decrypted afterwards with the server key, which adds another layer of protection against interception. Compared with the older Policy-Min-TLS-1-2-2019-07 policy, Policy-Min-TLS-1-2-PFS-2023-10 offers TLS 1.2 with PFS and therefore stronger protection against key compromise, while still maintaining compatibility with older clients that do not support TLS 1.3.
Prerequisites
To get started with this new policy, you need the AWS CLI installed and configured with credentials that are allowed to create or update OpenSearch Service domains.
Enable the new TLS policy for OpenSearch Service
To create a new domain with the new TLS policy, add --domain-endpoint-options '{"TLSSecurityPolicy": "Policy-Min-TLS-1-2-PFS-2023-10"}' to the aws opensearch create-domain command.
For existing domains, update the domain configuration to use the new TLS policy by passing the same option to the aws opensearch update-domain-config command.
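The full procedure as a runnable script, added here as an example and not taken from the original post. It wraps the AWS CLI calls from the steps above in functions, validates the policy name against the three TLSSecurityPolicy values the service defines, and reads the setting back with aws opensearch describe-domain-config to confirm the change took effect. The domain name my-domain and the DOMAIN_NAME environment variable are placeholders (assumptions), and EnforceHTTPS is set to true so the policy cannot be sidestepped over plain HTTP.

```shell
#!/bin/sh
# Added example (not from the original post): enable Policy-Min-TLS-1-2-PFS-2023-10
# on a new or existing Amazon OpenSearch Service domain and verify the result.
# Assumptions: the AWS CLI is configured; DOMAIN_NAME (e.g. my-domain) is a placeholder.

PFS_POLICY="Policy-Min-TLS-1-2-PFS-2023-10"

# Accept only the TLSSecurityPolicy values OpenSearch Service defines.
# Only the 2023-10 policy gives TLS 1.3 and forward-secret cipher suites.
valid_policy() {
  case "$1" in
    Policy-Min-TLS-1-0-2019-07|Policy-Min-TLS-1-2-2019-07|Policy-Min-TLS-1-2-PFS-2023-10)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# JSON for --domain-endpoint-options. EnforceHTTPS rejects plaintext HTTP so the
# TLS policy cannot be bypassed by a client that simply does not use TLS.
endpoint_options() {
  valid_policy "$1" || { echo "unknown TLS policy: $1" >&2; return 1; }
  printf '{"EnforceHTTPS": true, "TLSSecurityPolicy": "%s"}' "$1"
}

# New domain: the policy is set at creation time.
create_domain_with_pfs() {
  aws opensearch create-domain \
    --domain-name "$1" \
    --domain-endpoint-options "$(endpoint_options "$PFS_POLICY")"
}

# Existing domain: change only the endpoint options, leaving the rest of the config alone.
update_domain_to_pfs() {
  aws opensearch update-domain-config \
    --domain-name "$1" \
    --domain-endpoint-options "$(endpoint_options "$PFS_POLICY")"
}

# Read back the configured policy (the Options value, not the pending Status).
current_policy() {
  aws opensearch describe-domain-config \
    --domain-name "$1" \
    --query 'DomainConfig.DomainEndpointOptions.Options.TLSSecurityPolicy' \
    --output text
}

# Succeeds only when the domain reports the PFS policy.
verify_pfs_policy() {
  policy="$(current_policy "$1")"
  if [ "$policy" = "$PFS_POLICY" ]; then
    echo "$1: TLSSecurityPolicy is $policy"
  else
    echo "$1: TLSSecurityPolicy is $policy, expected $PFS_POLICY" >&2
    return 1
  fi
}

# Run against a real domain only when DOMAIN_NAME is set, e.g.
#   DOMAIN_NAME=my-domain sh enable-pfs.sh
if [ -n "${DOMAIN_NAME:-}" ]; then
  update_domain_to_pfs "$DOMAIN_NAME" >/dev/null
  verify_pfs_policy "$DOMAIN_NAME"
fi
```

The verification step matters because update-domain-config returns as soon as the change is accepted; reading the Options value back (rather than trusting the return code) is what tells you the domain is actually configured with the PFS policy.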
Client considerations
Most modern clients and libraries support TLS 1.3 and TLS 1.2 with PFS out of the box. However, if you run older clients or have compatibility concerns, you may need to update your client libraries or their TLS configuration so that they can negotiate a connection under the new TLS policy. Check what each client actually negotiates before switching a production domain.
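A client-side check, added here as an example that is not part of the original post. It parses the SSL-Session summary printed by openssl s_client and reports whether the negotiated protocol and cipher suite satisfy the new policy, that is TLS 1.3 (whose cipher suites all use ephemeral key exchange) or TLS 1.2 with an ECDHE or DHE suite. The embedded sample output is constructed, and OPENSEARCH_HOST is a placeholder for a domain endpoint; set it to probe a live endpoint with openssl, once normally and once forced down to TLS 1.2 to confirm the fallback path is also forward secret.

```shell
#!/bin/sh
# Added example (not from the original post): check what a client actually
# negotiates with an OpenSearch Service endpoint and whether that meets
# Policy-Min-TLS-1-2-PFS-2023-10 (TLS 1.3, or TLS 1.2 with an ephemeral
# key exchange). OPENSEARCH_HOST is a placeholder; the sample output is constructed.

# Extract "Protocol Cipher" from the SSL-Session block of openssl s_client output.
negotiated_summary() {
  awk -F': *' '
    /^[ \t]*Protocol[ \t]*:/ { p = $2 }
    /^[ \t]*Cipher[ \t]*:/   { c = $2 }
    END { sub(/[ \t\r]+$/, "", p); sub(/[ \t\r]+$/, "", c); print p, c }'
}

# Policy check on a negotiated (protocol, cipher) pair.
# - TLS 1.3: every cipher suite uses (EC)DHE, so forward secrecy is implicit.
# - TLS 1.2: only ECDHE-* or DHE-* suites provide forward secrecy; static RSA
#   key exchange (e.g. AES128-GCM-SHA256) does not.
# - Anything older fails the policy's minimum version.
meets_pfs_policy() {
  proto="$1"; cipher="$2"
  case "$proto" in
    TLSv1.3) return 0 ;;
    TLSv1.2)
      case "$cipher" in
        ECDHE-*|DHE-*) return 0 ;;
        *) return 1 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# Read s_client output from stdin, print a verdict, return 0 if compliant.
judge_session() {
  summary="$(negotiated_summary)"
  proto="${summary%% *}"
  cipher="${summary#* }"
  if meets_pfs_policy "$proto" "$cipher"; then
    echo "OK   $proto $cipher"
  else
    echo "FAIL $proto $cipher (not TLS 1.3 or TLS 1.2 with ECDHE/DHE)"
    return 1
  fi
}

# Probe a live endpoint. Extra arguments (e.g. -tls1_2) are passed to s_client
# so you can force the handshake down and inspect the fallback suite.
probe() {
  host="$1"; shift
  openssl s_client -connect "$host:443" -servername "$host" "$@" </dev/null 2>/dev/null \
    | judge_session
}

# Constructed sample of the SSL-Session block (no network needed).
SAMPLE_TLS13='SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

if [ -n "${OPENSEARCH_HOST:-}" ]; then
  probe "$OPENSEARCH_HOST"
  probe "$OPENSEARCH_HOST" -tls1_2
else
  printf '%s\n' "$SAMPLE_TLS13" | judge_session
fi
```

Run it from the client host (or container image) that will talk to the domain, not from your workstation: the point is to exercise that client's OpenSSL build and configuration, which is where an outdated library would fail to negotiate under the new policy.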
Conclusion
The new Policy-Min-TLS-1-2-PFS-2023-10 TLS security policy improves the security and performance of OpenSearch Service domains. By supporting TLS 1.3 and TLS 1.2 with PFS, it helps protect your data in transit and provides faster connection setup. We recommend that you adopt this new TLS security policy to improve your security posture and performance when connecting to OpenSearch Service domains. To get started, follow the steps in this post and enable the new policy on your existing or new domains.
For more information about the available TLS policies and configuration options, see Infrastructure security in Amazon OpenSearch Service.
At Amazon, security is our highest priority, and we are constantly working to strengthen the security and performance of our services. Stay tuned for more updates!
About the authors
Kumar Shaubham is a software development engineer at Amazon OpenSearch Service, specializing in the security domain. He is passionate about developing robust security features to strengthen data protection for customers and infrastructure.
Alva Sachet is a software development manager at Amazon OpenSearch Service, overseeing infrastructure security and related initiatives. His team's innovations contribute to the increased security and resilience of Amazon OpenSearch Service deployments.
Naveen Negi is a senior technical product manager for Amazon OpenSearch Service. He works closely with engineering teams and customers to shape the future of OpenSearch Service and make sure it meets evolving security and performance needs.