Enable At-Rest Encryption for Elasticsearch Domains
Ensures Elasticsearch domains have encryption at rest enabled to protect sensitive data from unauthorized access.
| Rule | Elasticsearch domains should have encryption at-rest enabled |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ Medium |
Rule Description:
To comply with AWS Foundational Security Best Practices, Elasticsearch domains should have encryption at-rest enabled. This ensures that data stored in the Elasticsearch domain is encrypted while at rest, providing an additional layer of security.
Troubleshooting Steps:
If encryption at-rest is not enabled for an Elasticsearch domain, follow these troubleshooting steps:
- 1.Check the current configuration of the Elasticsearch domain to verify if encryption at-rest is enabled.
- 2.Enable encryption at-rest if it is not already configured.
- 3.Monitor the Elasticsearch domain to ensure that encryption at-rest is functioning properly.
Necessary Code:
To enable encryption at-rest for an Elasticsearch domain, you can use the AWS Command Line Interface (CLI) with the following command:
aws es update-elasticsearch-domain-config --domain-name your-domain-name --node-to-node-encryption-options "Enabled=true" "AtRestEncryptionOptions={Enabled=true}"
Step-by-Step Guide for Remediation:
- 1.Open your terminal or command prompt.
- 2.Run the AWS CLI command to update the Elasticsearch domain configuration with encryption at-rest enabled.
- 3.Replace
with the actual name of your Elasticsearch domain.your-domain-name - 4.Execute the command and wait for the configuration update to complete.
- 5.Verify that encryption at-rest is successfully enabled by checking the domain configuration.
- 6.Monitor the Elasticsearch domain to ensure proper functioning of encryption at-rest.
By following these steps, you can ensure that encryption at-rest is enabled for your Elasticsearch domain, meeting the AWS Foundational Security Best Practices.