
Amazon OpenSearch Service end of support for TLS 1.0 and 1.1 protocols

Open hisham opened this issue 1 month ago • 1 comments

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

22

Amplify CLI Version

14.2.2

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No. N/A

Describe the bug

Got an email from AWS today saying the TLS policy of the OpenSearch domain set up by the amplify cli @searchable directive will no longer be supported as of April 2026:

We have identified that your account is currently using TLS policy "Policy-Min-TLS-1-0-2019-07" that supports TLS versions 1.0 and 1.1 on your OpenSearch Service.

To ensure continuous access to your OpenSearch Service domain, you will need to update your TLS policy to one of the following before this date:

1. "Policy-Min-TLS-1-2-2019-07"
2. "Policy-Min-TLS-1-2-PFS-2023-10"

This policy is set by amplify cli in the generated file at amplify/backend/api/MyGraphQLAPI/build/stacks/SearchableStack.json

Expected behavior

amplify cli should update to use the latest TLS policy.

Reproduction steps

Use the searchable directive and examine the generated TLS policy.

Project Identifier

3def1a2bd59d61900f734d59f169a578

Log output

N/A

Additional information

A workaround suggested by AI (not tested) is to override the TLS policy via an override.ts:

  import { AmplifyApiGraphQlResourceStackTemplate } from '@aws-amplify/cli-extensibility-helper';

  export function override(resources: AmplifyApiGraphQlResourceStackTemplate) {
    // Add TLS policy override: keep the existing endpoint options, raise the minimum TLS version
    resources.opensearch.OpenSearchDomain.domainEndpointOptions = {
      ...resources.opensearch.OpenSearchDomain.domainEndpointOptions,
      tlsSecurityPolicy: 'Policy-Min-TLS-1-2-2019-07', // or 'Policy-Min-TLS-1-2-PFS-2023-10'
    };
  }

Before submitting, please confirm:

  • [x] I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • [x] I have removed any sensitive information from my code snippets and submission.

hisham avatar Nov 07 '25 22:11 hisham

Thank you for bringing this up to our attention.

Problem

Amplify CLI's @searchable directive generates OpenSearch domains with TLS policy Policy-Min-TLS-1-0-2019-07, which supports deprecated TLS 1.0/1.1. AWS is ending support for these protocols in April 2026.

Impact

  • Existing OpenSearch domains will lose access after April 2026
  • Security vulnerability using outdated TLS versions

The issue appears to be in create-searchable-domain.ts

https://github.com/aws-amplify/amplify-category-api/blob/857b38379d770faa29b8af41c91a540db1ec4ffd/packages/amplify-graphql-searchable-transformer/src/cdk/create-searchable-domain.ts#L10

The Problem: The createSearchableDomain function creates an OpenSearch/Elasticsearch domain but does NOT explicitly set the TLS security policy. When no policy is specified, AWS CloudFormation defaults to Policy-Min-TLS-1-0-2019-07 (the deprecated one).

I guess we need to add

const domain = new Domain(stack, OpenSearchDomainLogicalID, {
  version: { version: '7.10' } as ElasticsearchVersion,
  enforceHttps: true,
  // ADD THIS:
  tlsSecurityPolicy: TLSSecurityPolicy.TLS_1_2,  // or the string 'Policy-Min-TLS-1-2-2019-07'
  ebs: {
    enabled: true,
    volumeType: EbsDeviceVolumeType.GP2,
    volumeSize: parameterMap.get(OpenSearchEBSVolumeGB)?.valueAsNumber,
  },
  // ... rest of config
});

This is the exact code that generates the CloudFormation template with the outdated TLS 1.0 policy.

Making this a p1 feature request.

pahud avatar Nov 17 '25 20:11 pahud
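An added example that is not part of the issue and not Amplify CLI code: a small Node.js script that audits a CloudFormation template such as the generated SearchableStack.json for domains that still allow TLS 1.0/1.1, treating an absent TLSSecurityPolicy as the deprecated default (the case pahud describes above), and applies the same change the override.ts workaround makes while keeping the other DomainEndpointOptions intact. The template, its logical IDs and the parameter name are constructed sample data; the policy names come from the AWS notice quoted in the issue.

```javascript
// Added example, not code from the issue or from the Amplify CLI. It audits a CloudFormation
// template (e.g. the generated SearchableStack.json) for OpenSearch/Elasticsearch domains
// that still allow TLS 1.0/1.1, and shows the corresponding fix applied to the template.

// Policy named in the AWS notice as supporting TLS 1.0/1.1 (support ends April 2026).
const DEPRECATED_TLS_POLICY = 'Policy-Min-TLS-1-0-2019-07';
// Replacement policies listed in the notice.
const ACCEPTED_TLS_POLICIES = new Set(['Policy-Min-TLS-1-2-2019-07', 'Policy-Min-TLS-1-2-PFS-2023-10']);
// Both the legacy and the current domain resource types carry DomainEndpointOptions.
const DOMAIN_TYPES = new Set(['AWS::Elasticsearch::Domain', 'AWS::OpenSearchService::Domain']);

// Return one finding per domain whose TLS policy is not an accepted one.
function auditTlsPolicy(template) {
  const findings = [];
  for (const [logicalId, resource] of Object.entries(template.Resources || {})) {
    if (!resource || !DOMAIN_TYPES.has(resource.Type)) continue;
    const props = resource.Properties || {};
    const endpointOptions = props.DomainEndpointOptions || {};
    const policy = endpointOptions.TLSSecurityPolicy;
    if (policy === undefined) {
      // CloudFormation falls back to the deprecated policy when the property is absent,
      // which is what the stack generated for @searchable does today.
      findings.push({ logicalId, policy: null, reason: `missing, defaults to ${DEPRECATED_TLS_POLICY}` });
    } else if (typeof policy !== 'string') {
      // An intrinsic such as {"Ref": ...} cannot be judged offline; flag it for manual review.
      findings.push({ logicalId, policy, reason: 'unresolved intrinsic, check the resolved value' });
    } else if (policy === DEPRECATED_TLS_POLICY) {
      findings.push({ logicalId, policy, reason: 'supports TLS 1.0/1.1' });
    } else if (!ACCEPTED_TLS_POLICIES.has(policy)) {
      findings.push({ logicalId, policy, reason: 'not one of the accepted policies' });
    }
  }
  return findings;
}

// Return a copy of the template with `policy` set on every domain, keeping the other
// DomainEndpointOptions (EnforceHTTPS etc.), the same way the override.ts workaround does.
function applyTlsPolicy(template, policy = 'Policy-Min-TLS-1-2-2019-07') {
  if (!ACCEPTED_TLS_POLICIES.has(policy)) {
    throw new Error(`refusing to apply non-accepted policy ${policy}`);
  }
  const copy = JSON.parse(JSON.stringify(template)); // never mutate the caller's template
  for (const resource of Object.values(copy.Resources || {})) {
    if (!resource || !DOMAIN_TYPES.has(resource.Type)) continue;
    resource.Properties = resource.Properties || {};
    resource.Properties.DomainEndpointOptions = {
      ...resource.Properties.DomainEndpointOptions,
      TLSSecurityPolicy: policy,
    };
  }
  return copy;
}

// Constructed sample template (not a real SearchableStack.json); logical IDs and the
// parameter name are made up for the example.
const SAMPLE_TEMPLATE = {
  Resources: {
    OpenSearchDomain: { // no policy at all: CloudFormation picks the deprecated default
      Type: 'AWS::Elasticsearch::Domain',
      Properties: { DomainEndpointOptions: { EnforceHTTPS: true } },
    },
    LegacyDomain: {
      Type: 'AWS::OpenSearchService::Domain',
      Properties: { DomainEndpointOptions: { EnforceHTTPS: true, TLSSecurityPolicy: 'Policy-Min-TLS-1-0-2019-07' } },
    },
    HardenedDomain: {
      Type: 'AWS::OpenSearchService::Domain',
      Properties: { DomainEndpointOptions: { EnforceHTTPS: true, TLSSecurityPolicy: 'Policy-Min-TLS-1-2-PFS-2023-10' } },
    },
    IntrinsicDomain: {
      Type: 'AWS::OpenSearchService::Domain',
      Properties: { DomainEndpointOptions: { TLSSecurityPolicy: { Ref: 'TlsPolicyParam' } } },
    },
    NotADomain: { Type: 'AWS::Lambda::Function', Properties: {} },
  },
};

// Usage: load a real template with JSON.parse(fs.readFileSync(path, 'utf8')) and pass it in.
console.log(auditTlsPolicy(SAMPLE_TEMPLATE));
```

Running the audit against the build output after `amplify api gql-compile` (or against the deployed template from `aws cloudformation get-template`) confirms whether the override actually landed, since the override only affects what is generated and the deployed domain keeps whatever policy it was last pushed with.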