Ensure AWS Elasticsearch has node-to-node encryption enabled

Error: AWS Elasticsearch does not have node-to-node encryption enabled

Bridgecrew Policy ID: BC_AWS_ELASTICSEARCH_5
Checkov Check ID: CKV_AWS_6
Severity: MEDIUM

Description

Amazon Elasticsearch Service supports node-to-node encryption, which uses Transport Layer Security (TLS) for all communication between the instances in a cluster, so that sensitive workloads can be hosted on the service.

With node-to-node encryption enabled, any data you send to your Amazon Elasticsearch Service domain over HTTPS remains encrypted in flight while it is distributed and replicated between the nodes.

Fix - Runtime

AWS Console

Node-to-node encryption cannot be turned on for an existing domain: you must create a new domain with the feature enabled and migrate your data to it.
Using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Navigate to the Analytics section and select Elasticsearch Service.
  3. When configuring the new domain, select Node-to-node encryption to enable it.

Fix - Buildtime

CloudFormation

Resources: AWS::Elasticsearch::Domain
Argument: Properties.NodeToNodeEncryptionOptions.Enabled

Resources:
  ElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      ...
      NodeToNodeEncryptionOptions:
+       Enabled: True
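As an added example that is not part of this policy page or of Checkov's own code, the following Python check applies the rule above to a parsed CloudFormation template: every AWS::Elasticsearch::Domain must carry Properties.NodeToNodeEncryptionOptions.Enabled set to true, and a missing block fails closed. The template, logical IDs and domain names are constructed for the example.

```python
import json

# Constructed CloudFormation template (JSON is valid CloudFormation); none of
# these domains exist. It covers the three cases a scanner must distinguish:
# the block is missing, Enabled is the string "false", and Enabled is true.
TEMPLATE = json.loads("""{
  "Resources": {
    "LegacyDomain":   {"Type": "AWS::Elasticsearch::Domain",
                       "Properties": {"DomainName": "legacy-search"}},
    "DisabledDomain": {"Type": "AWS::Elasticsearch::Domain",
                       "Properties": {"NodeToNodeEncryptionOptions": {"Enabled": "false"}}},
    "HardenedDomain": {"Type": "AWS::Elasticsearch::Domain",
                       "Properties": {"NodeToNodeEncryptionOptions": {"Enabled": true}}},
    "LogBucket":      {"Type": "AWS::S3::Bucket"}
  }
}""")


def node_to_node_encryption_enabled(properties):
    """True only when Properties.NodeToNodeEncryptionOptions.Enabled is true.
    A missing block fails closed; quoted booleans ("true"/"false") are
    accepted because CloudFormation accepts them for boolean properties."""
    options = properties.get("NodeToNodeEncryptionOptions")
    if not isinstance(options, dict):
        return False
    enabled = options.get("Enabled", False)
    if isinstance(enabled, str):
        return enabled.strip().lower() == "true"
    return enabled is True


def check_template(template):
    """Evaluate every AWS::Elasticsearch::Domain in a parsed template and
    return {logical_id: "PASSED" or "FAILED"}; other resource types are skipped."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Elasticsearch::Domain":
            continue
        properties = resource.get("Properties") or {}
        passed = node_to_node_encryption_enabled(properties)
        results[logical_id] = "PASSED" if passed else "FAILED"
    return results


if __name__ == "__main__":
    for logical_id, verdict in check_template(TEMPLATE).items():
        print(f"CKV_AWS_6 {verdict}: {logical_id}")
```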