Ensure all AWS data stored in the Elasticsearch domain is encrypted using a Customer Managed Key (CMK)
Error: Not all AWS data stored in the Elasticsearch domain is encrypted using a Customer Managed Key (CMK)
Bridgecrew Policy ID: BC_AWS_GENERAL_155
Checkov Check ID: CKV_AWS_247
Severity: LOW
Description
This policy identifies Elasticsearch domains whose data at rest is encrypted with the default AWS managed KMS key (alias aws/es) rather than with a key managed by the customer. Encryption at rest in Amazon Elasticsearch Service always goes through AWS KMS; if no key is specified, the service falls back to the AWS managed key, whose key policy you cannot edit and which you cannot disable or revoke. It is a best practice to encrypt your Elasticsearch domain data with a customer managed KMS key (CMK). A CMK gives you control over the key policy and grants, the rotation schedule, and the ability to disable the key or schedule its deletion, and therefore over who can decrypt the data.
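The same test can be applied at runtime. The script below is an added example and is not part of the Bridgecrew page or of Checkov: it classifies each domain as unencrypted, encrypted with the AWS managed default key, or encrypted with a CMK. The domain and key records are constructed inline to mirror the shape of the `aws es describe-elasticsearch-domain` (DomainStatus) and `aws kms describe-key` (KeyMetadata) responses, so it runs offline; with boto3 the same functions would be fed the live output. The account id, region, key ids and domain names are made up. The decisive field is KeyManager on the KMS key metadata, because a key id alone does not reveal whether the key is AWS managed.

```python
"""Runtime audit for domains that fail CKV_AWS_247 / BC_AWS_GENERAL_155.

Added example with constructed data; not the page's or Checkov's own code.
"""

NOT_ENCRYPTED = "NOT_ENCRYPTED"
AWS_MANAGED_KEY = "AWS_MANAGED_KEY"            # default aws/es key: fails the policy
CUSTOMER_MANAGED_KEY = "CUSTOMER_MANAGED_KEY"  # CMK: passes the policy

ACCOUNT = "111122223333"   # constructed account id
REGION = "us-east-1"       # constructed region


def key_arn(key_id: str) -> str:
    """Build a KMS key ARN for the constructed account/region."""
    return f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{key_id}"


DEFAULT_KEY_ID = "aaaaaaaa-1111-2222-3333-444444444444"  # constructed
CMK_ID = "bbbbbbbb-5555-6666-7777-888888888888"          # constructed

# Constructed DomainStatus records as returned by describe-elasticsearch-domain.
DOMAINS = [
    {"DomainName": "logs-unencrypted",
     "EncryptionAtRestOptions": {"Enabled": False}},
    # Created with encryption on but no explicit key: the service fills in the
    # AWS managed key, whose KeyManager in KMS is "AWS".
    {"DomainName": "logs-default-key",
     "EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": key_arn(DEFAULT_KEY_ID)}},
    {"DomainName": "logs-cmk",
     "EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": key_arn(CMK_ID)}},
]

# Constructed KeyMetadata records as returned by describe-key, indexed by ARN.
KEYS = {
    key_arn(DEFAULT_KEY_ID): {"KeyId": DEFAULT_KEY_ID, "KeyManager": "AWS"},
    key_arn(CMK_ID): {"KeyId": CMK_ID, "KeyManager": "CUSTOMER"},
}


def lookup_key(kms_key_id: str, keys: dict) -> dict:
    """Resolve KmsKeyId, which may be reported as a full ARN or a bare key id."""
    if kms_key_id in keys:
        return keys[kms_key_id]
    for meta in keys.values():
        if meta.get("KeyId") == kms_key_id:
            return meta
    raise KeyError(f"no KMS metadata for {kms_key_id}")


def classify(domain_status: dict, keys: dict) -> str:
    """Return one of the three verdicts for a single domain."""
    opts = domain_status.get("EncryptionAtRestOptions") or {}
    if not opts.get("Enabled"):
        return NOT_ENCRYPTED
    manager = lookup_key(opts["KmsKeyId"], keys).get("KeyManager")
    if manager == "CUSTOMER":
        return CUSTOMER_MANAGED_KEY
    if manager == "AWS":
        return AWS_MANAGED_KEY
    raise ValueError(f"unexpected KeyManager {manager!r}")


def audit(domains: list, keys: dict) -> dict:
    """Map every domain name to its verdict."""
    return {d["DomainName"]: classify(d, keys) for d in domains}


def failing(results: dict) -> list:
    """Domains that are not encrypted with a CMK, i.e. what this policy flags."""
    return sorted(name for name, verdict in results.items()
                  if verdict != CUSTOMER_MANAGED_KEY)


if __name__ == "__main__":
    results = audit(DOMAINS, KEYS)
    for name, verdict in results.items():
        print(f"{name:20} {verdict}")
    print("failing:", failing(results))
```

Against real accounts, feed `audit` the DomainStatus of every domain from `list-domain-names` / `describe-elasticsearch-domain` and a `describe-key` lookup for each distinct KmsKeyId; a domain with encryption disabled is reported separately so it is not mistaken for one that merely uses the wrong key.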
Fix - Runtime
TBD
Fix - Buildtime
Terraform
# Customer managed key referenced by the domain below.
resource "aws_kms_key" "example" {
  description         = "CMK for the example Elasticsearch domain"
  enable_key_rotation = true
}

resource "aws_elasticsearch_domain" "pass" {
  domain_name = "example"
  cluster_config {
    instance_type = "r5.large.elasticsearch"
  }
  # Passes: encryption at rest is enabled (the argument is required) and
  # kms_key_id points at the CMK above instead of the default aws/es key.
  encrypt_at_rest {
    enabled    = true
    kms_key_id = aws_kms_key.example.arn
  }
}
Updated 8 months ago