AWS034 - Elasticsearch domain endpoint is using outdated TLS policy.

Explanation

You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

Insecure Example

The following example will fail the AWS034 check.

resource "aws_elasticsearch_domain" "bad_example" {
  domain_name = "domain-foo"

  domain_endpoint_options {
    enforce_https = true
    tls_security_policy = "Policy-Min-TLS-1-0-2019-07"
  }
}

Secure Example

The following example will pass the AWS034 check.

resource "aws_elasticsearch_domain" "good_example" {
  domain_name = "domain-foo"

  domain_endpoint_options {
    enforce_https = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }
}