I have a policy on an S3 bucket that will reject anything not using TLS. And my cluster snapshots are making it to S3 so obviously transport from my EC2 box (where Curator is running) to S3 is encrypted, which is great. What I'm wondering though is exactly how Curator/Elasticsearch is making TLS requests to S3? I have done a fair amount of looking and can't quuiiiiiite put the pieces together.
- My Amazon Root CA certs are in no cert bundle that is obviously referenced by anything
- My openssl.cnf file does not reference any directories that contain a cert bundle with the Amazon Root CA certs
- Does Curator use Boto, and does Boto have some hardcoded paths in which to check for cert bundles? Or does Curator call Elasticsearch or the repository-s3 plugin, which in turn has some code that has hardcoded paths to check for cert bundles? I ask this because I see that there are a few Python libraries like requests, etc. on my boxes which have some hardcoded file paths in which to check for CA cert bundles... but none of these libraries contain paths that point to my cert bundles which contain the Amazon Root CA certs. And yet asymmetric encryption initiated by Curator/Elasticsearch and between EC2 and S3 is occurring...
I have also searched this forum and the goog and haven't found anything super relevant.
Any insight would be greatly appreciated.