Ensure AWS Elasticsearch has node-to-node encryption enabled
Error: AWS Elasticsearch does not have node-to-node encryption enabled
Bridgecrew Policy ID: BC_AWS_ELASTICSEARCH_5
Checkov Check ID: CKV_AWS_6
AWS Elasticsearch does not have node-to-node encryption enabled
The AWS Elasticsearch Service makes it possible to host sensitive workloads with node-to-node encryption by using Transport Layer Security (TLS) for all communications between instances in a cluster.
Using node-to-node encryption ensures that any data you send to your Amazon Elasticsearch Service domain over HTTPS remains encrypted in flight while it is being distributed and replicated between the nodes of the cluster.
Fix - Runtime
Node-to-node encryption can only be set when a domain is created; to enable the feature on an existing domain, you must create another domain with the option enabled and migrate your data to it.
Using the AWS Console, follow these steps:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Navigate to the Analytics section and select Elasticsearch Service.
- To enable node-to-node encryption when you configure a new cluster, select Node-to-node encryption.
Fix - Buildtime
```yaml
Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      ...
      NodeToNodeEncryptionOptions:
+       Enabled: True
```
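The following script is an added example of how this buildtime condition can be evaluated over a parsed CloudFormation template; it is not Checkov's own implementation of CKV_AWS_6. It assumes the template has already been loaded into a Python dictionary (for instance with a YAML or JSON parser) and uses two constructed sample templates, one missing the option and one with it enabled. It also accepts the string forms "true"/"True" that CloudFormation allows for boolean properties, so a template using those is not reported as a false positive.

```python
"""Evaluate a parsed CloudFormation template for the CKV_AWS_6 condition:
every AWS::Elasticsearch::Domain resource must declare
NodeToNodeEncryptionOptions.Enabled set to true.

Added example, not Checkov's own check implementation.
"""
from typing import Any, Dict, List, Tuple

ES_DOMAIN_TYPE = "AWS::Elasticsearch::Domain"


def _is_true(value: Any) -> bool:
    """CloudFormation booleans may arrive as YAML booleans or as strings."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def domain_has_node_to_node_encryption(properties: Dict[str, Any]) -> bool:
    """Return True only when NodeToNodeEncryptionOptions.Enabled is true."""
    options = properties.get("NodeToNodeEncryptionOptions")
    if not isinstance(options, dict):
        # Option block absent or malformed: the domain is unencrypted in transit.
        return False
    return _is_true(options.get("Enabled"))


def scan_template(template: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (logical resource name, "PASSED"/"FAILED") for each ES domain."""
    findings: List[Tuple[str, str]] = []
    resources = template.get("Resources") or {}
    for name, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != ES_DOMAIN_TYPE:
            continue
        properties = resource.get("Properties") or {}
        status = "PASSED" if domain_has_node_to_node_encryption(properties) else "FAILED"
        findings.append((name, status))
    return findings


# Constructed sample templates (hypothetical resource names) used for the demo.
FAILING_TEMPLATE = {
    "Resources": {
        "SearchDomain": {
            "Type": ES_DOMAIN_TYPE,
            "Properties": {"DomainName": "example-domain"},
        }
    }
}

PASSING_TEMPLATE = {
    "Resources": {
        "SearchDomain": {
            "Type": ES_DOMAIN_TYPE,
            "Properties": {
                "DomainName": "example-domain",
                "NodeToNodeEncryptionOptions": {"Enabled": True},
            },
        },
        # A string "true" is also accepted by CloudFormation and must pass.
        "SearchDomainStringBool": {
            "Type": ES_DOMAIN_TYPE,
            "Properties": {
                "DomainName": "example-domain-2",
                "NodeToNodeEncryptionOptions": {"Enabled": "true"},
            },
        },
        # Unrelated resource types are ignored by the check.
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}

if __name__ == "__main__":
    for label, template in (("before fix", FAILING_TEMPLATE), ("after fix", PASSING_TEMPLATE)):
        for resource_name, status in scan_template(template):
            print(f"[{label}] CKV_AWS_6 {status}: {resource_name}")
```

Running the script reports the first template's domain as FAILED and both domains in the second template as PASSED, while the S3 bucket is skipped; an explicit `Enabled: False` is treated the same as a missing block.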