Encryption of data at rest is a security feature that helps prevent unauthorized access to your data. The feature uses AWS Key Management Service (AWS KMS) to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption. If enabled, the feature encrypts the domain's: indices, logs, swap files, all data in the application directory, and automated snapshots.
We recommend you implement encryption at rest in order to protect a data store containing sensitive information from unauthorized access, and fulfill compliance requirements.
By default, domains do not encrypt data at rest, and you cannot configure existing domains to use EncryptionAtRest.
To enable EncryptionAtRest, you must create a new domain and migrate Elasticsearch to that domain. You will also need, at minimum, read-only permissions to AWS KMS.
To create a new domain sign in to your AWS Console and select the Elasticsearch service (under Analytics), follow these steps:
- Select Create a new domain.
- Change the default Encryption setting to enabled.
- Continue configuring your cluster.
Resources: ElasticsearchDomain: Type: AWS::Elasticsearch::Domain Properties: ... EncryptionAtRestOptions: + Enabled: True
Updated about 2 months ago