Skip to content

AWS Elasticsearch domain encryption for data at rest is disabled

Description

Encryption of data at rest is a security feature that helps prevent unauthorized access to your data. The feature uses AWS Key Management Service (AWS KMS) to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption. If enabled, the feature encrypts the domain's: indices, logs, swap files, all data in the application directory, and automated snapshots.

We recommend you implement encryption at rest in order to protect a data store containing sensitive information from unauthorized access, and fulfill compliance requirements.

Fix - Runtime

Procedure

By default, domains do not encrypt data at rest, and you cannot configure existing domains to use EncryptionAtRest.

To enable EncryptionAtRest, you must create a new domain and migrate Elasticsearch to that domain. You will also need, at minimum, read-only permissions to AWS KMS.

To create a new domain sign in to your AWS Console and select the Elasticsearch service (under Analytics), follow these steps:

  1. Select Create a new domain.
  2. Change the default Encryption setting to enabled.
  3. Continue configuring your cluster.

Fix - Buildtime

CloudFormation

Resource: AWS::Elasticsearch::Domain
Argument: Properties.EncryptionAtRestOptions.Enabled

Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      ...
      EncryptionAtRestOptions:
+       Enabled: True