2021-11-08 10:49:47 +00:00
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
2021-11-08 16:31:26 +01:00
== Noncompliant Code Example
For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:
----
resource "aws_elasticsearch_domain" "example" {
domain_name = "example"
domain_endpoint_options {
enforce_https = false # Sensitive
}
node_to_node_encryption {
enabled = false # Sensitive
}
----
2021-11-08 10:49:47 +00:00
For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers:
----
resource "aws_msk_cluster" "sensitive_data_cluster" {
encryption_info {
encryption_in_transit {
client_broker = "TLS_PLAINTEXT" # Sensitive
in_cluster = false # Sensitive
}
}
}
----
== Compliant Solution
2021-11-08 16:31:26 +01:00
For https://docs.aws.amazon.com/opensearch-service/index.html[Amazon OpenSearch domains]:
----
resource "aws_elasticsearch_domain" "example" {
domain_name = "example"
domain_endpoint_options {
enforce_https = true
}
node_to_node_encryption {
enabled = true
}
----
2021-11-08 10:49:47 +00:00
For https://aws.amazon.com/msk/[Amazon MSK] communications between clients and brokers, data in transit is encrypted by default, allowing you to omit writing the `encryption_in_transit` configuration. However, if you need to configure it explicitly, this configuration is compliant:
----
resource "aws_msk_cluster" "sensitive_data_cluster" {
encryption_info {
encryption_in_transit {
client_broker = "TLS"
in_cluster = true
}
}
}
----
include::../see.adoc[]
2021-11-08 16:31:26 +01:00
2021-11-08 10:49:47 +00:00
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
2021-11-08 16:31:26 +01:00
include::highlighting.adoc[]
2021-11-08 10:49:47 +00:00
endif::env-github,rspecator-view[]
