Ensure AWS Elasticsearch domain encryption for data at rest is enabled

Error: AWS Elasticsearch domain encryption for data at rest is disabled

Bridgecrew Policy ID: BC_AWS_ELASTICSEARCH_3
Checkov Check ID: CKV_AWS_5
Severity: HIGH

AWS Elasticsearch domain encryption for data at rest is disabled

Description

Encryption of data at rest is a security feature that helps prevent unauthorized access to your data. The feature uses AWS Key Management Service (AWS KMS) to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption. If enabled, the feature encrypts the domain's: indices, logs, swap files, all data in the application directory, and automated snapshots.

We recommend you implement encryption at rest in order to protect a data store containing sensitive information from unauthorized access, and fulfill compliance requirements.

Fix - Runtime

Procedure

By default, domains do not encrypt data at rest, and you cannot configure existing domains to use EncryptionAtRest.

To enable EncryptionAtRest, you must create a new domain and migrate Elasticsearch to that domain. You will also need, at minimum, read-only permissions to AWS KMS.

To create a new domain sign in to your AWS Console and select the Elasticsearch service (under Analytics), follow these steps:

  1. Select Create a new domain.
  2. Change the default Encryption setting to enabled.
  3. Continue configuring your cluster.

Fix - Builtime

CloudFormation

Resource: AWS::Elasticsearch::Domain
Argument: Properties.EncryptionAtRestOptions.Enabled

Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      ...
      EncryptionAtRestOptions:
+       Enabled: True

Did this page help you?