
❗ NOTICE (opensearch): As of CDK release v2.201.0, OpenSearch domain TLSSecurityPolicy defaults to TLS 1.2

Open vishaalmehrishi opened this issue 6 months ago • 1 comments

Status

In-Progress

What is the issue?

This is a retroactive notice issue to inform customers about a change which was released as part of CDK v2.201.0.

As of CDK release v2.201.0, the default TLSSecurityPolicy for OpenSearch domains is Policy-Min-TLS-1-2-2019-07 (i.e. TLS 1.2). The previous default was Policy-Min-TLS-1-0-2019-07 (TLS 1.0).

This change is in line with OpenSearch's minimum required TLS version:

"Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3."

Error message

N/A

What is the impact?

The previous default (TLS 1.0) was not compliant with OpenSearch's minimum TLS requirement.

Workaround

Customers who would prefer to continue using TLS 1.0 should explicitly specify this when creating/updating the OpenSearch domain construct.

Who is affected?

As a consequence of this change, existing customers who do not explicitly provide a TLS security policy will see their OpenSearch domain TLS security policy be automatically upgraded to Policy-Min-TLS-1-2-2019-07.

Expected behaviour:

  • If the TLS security policy is provided, this will be used (no change).
  • If the TLS security policy is not provided, the OpenSearch domain TLS security policy will be set to Policy-Min-TLS-1-2-2019-07.

How do I resolve this?

No action needed - this is a retroactively-created issue for a notice.

Related issues

https://github.com/aws/aws-cdk/issues/34658

vishaalmehrishi, Jun 17 '25 09:06

🙌

pahud, Jun 17 '25 15:06
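An added example, not part of the original issue or the aws-cdk code base: one way to see which domains the notice's "Who is affected?" section applies to is to compare the synthesized CloudFormation templates from before and after the upgrade. The helper names and the sample templates are constructed for illustration; `AWS::OpenSearchService::Domain` and `DomainEndpointOptions.TLSSecurityPolicy` are the CloudFormation names for this setting.

```typescript
// Added example (not aws-cdk code). Helper names and sample templates are constructed.
type Resource = { Type: string; Properties?: any };
type Template = { Resources?: Record<string, Resource> };
type Change = { id: string; from: string | undefined; to: string | undefined };

const DOMAIN_TYPE = "AWS::OpenSearchService::Domain";
const TLS_1_0 = "Policy-Min-TLS-1-0-2019-07"; // previous CDK default, per the notice
const TLS_1_2 = "Policy-Min-TLS-1-2-2019-07"; // default as of v2.201.0, per the notice

// Logical ID -> TLSSecurityPolicy (undefined when the template does not set one).
function domainTlsPolicies(t: Template): Record<string, string | undefined> {
  const out: Record<string, string | undefined> = {};
  const resources = t.Resources || {};
  for (const id of Object.keys(resources)) {
    const r = resources[id];
    if (!r || r.Type !== DOMAIN_TYPE) continue; // skip non-OpenSearch resources
    const opts = (r.Properties || {}).DomainEndpointOptions || {};
    out[id] = opts.TLSSecurityPolicy;
  }
  return out;
}

// Domains present in both templates whose policy value differs.
function tlsPolicyChanges(before: Template, after: Template): Change[] {
  const oldP = domainTlsPolicies(before);
  const newP = domainTlsPolicies(after);
  return Object.keys(newP)
    .filter((id) => id in oldP && oldP[id] !== newP[id])
    .map((id) => ({ id, from: oldP[id], to: newP[id] }));
}

// Domains that still accept TLS 1.0 because the policy is explicitly pinned to it.
function domainsPinnedToTls10(t: Template): string[] {
  const p = domainTlsPolicies(t);
  return Object.keys(p).filter((id) => p[id] === TLS_1_0);
}

// Constructed stand-ins for synthesized templates before and after the upgrade.
const mk = (policy?: string): Resource => ({
  Type: DOMAIN_TYPE,
  Properties: { DomainEndpointOptions: policy ? { TLSSecurityPolicy: policy } : {} },
});
const bucket: Resource = { Type: "AWS::S3::Bucket" };
const beforeUpgrade: Template = {
  Resources: { Logs: mk(TLS_1_0), Search: mk(TLS_1_2), Legacy: mk(TLS_1_0), Bucket: bucket },
};
const afterUpgrade: Template = {
  Resources: { Logs: mk(TLS_1_2), Search: mk(TLS_1_2), Legacy: mk(TLS_1_0), Bucket: bucket },
};

console.log(tlsPolicyChanges(beforeUpgrade, afterUpgrade));
console.log(domainsPinnedToTls10(afterUpgrade));
```

In the sample, `Logs` is the domain that moves from TLS 1.0 to TLS 1.2, while `Legacy` is unchanged but remains listed as pinned to TLS 1.0.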