Elasticsearch domain uses plaintext traffic for node to node communication.
Traffic flowing between Elasticsearch nodes should be encrypted to ensure sensitive data is kept private.
Impact
Data in transit between nodes could be read if intercepted.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable encrypted node to node communication (CloudFormation)

    Resources:
      GoodExample:
        Type: AWS::Elasticsearch::Domain
        Properties:
          DomainName: 'test'
          ElasticsearchVersion: '7.10'
          EncryptionAtRestOptions:
            Enabled: true
            KmsKeyId: alias/kmskey
          ElasticsearchClusterConfig:
            DedicatedMasterEnabled: true
            InstanceCount: '2'
            ZoneAwarenessEnabled: true
            InstanceType: 'm3.medium.elasticsearch'
            DedicatedMasterType: 'm3.medium.elasticsearch'
            DedicatedMasterCount: '3'
          EBSOptions:
            EBSEnabled: true
            Iops: '0'
            VolumeSize: '20'
            VolumeType: 'gp2'
          # Encrypts traffic between the nodes of the domain
          NodeToNodeEncryptionOptions:
            Enabled: true

Enable encrypted node to node communication (Terraform)

    resource "aws_elasticsearch_domain" "good_example" {
      domain_name = "domain-foo"

      # Encrypts traffic between the nodes of the domain
      node_to_node_encryption {
        enabled = true
      }
    }

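One way to check a CloudFormation template for this finding before deployment, as an added example (not code from the original page or from any scanner). It assumes the template is in CloudFormation's JSON form; the function names and the sample template are constructed for illustration.

```python
import json

ES_DOMAIN = "AWS::Elasticsearch::Domain"

def is_true(value):
    """Templates carry this flag as a boolean or as the string 'true'/'false'."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return None  # intrinsic function (Ref, Fn::If, ...): cannot be decided statically

def find_plaintext_domains(template_text):
    """Return (logical_id, reason) for each domain lacking node-to-node encryption."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ES_DOMAIN:
            continue
        props = resource.get("Properties") or {}
        options = props.get("NodeToNodeEncryptionOptions")
        enabled = options.get("Enabled") if isinstance(options, dict) else None
        if enabled is None:
            findings.append((logical_id, "NodeToNodeEncryptionOptions.Enabled is absent"))
            continue
        state = is_true(enabled)
        if state is None:
            findings.append((logical_id, "Enabled is not a literal; review manually"))
        elif not state:
            findings.append((logical_id, "NodeToNodeEncryptionOptions.Enabled is false"))
    return findings

# Constructed sample template: one compliant domain, three that need attention,
# and one unrelated resource that must be ignored.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "GoodExample": {"Type": ES_DOMAIN, "Properties": {
        "DomainName": "test",
        "NodeToNodeEncryptionOptions": {"Enabled": True}}},
    "MissingBlock": {"Type": ES_DOMAIN, "Properties": {"DomainName": "a"}},
    "Disabled": {"Type": ES_DOMAIN, "Properties": {
        "NodeToNodeEncryptionOptions": {"Enabled": "false"}}},
    "Parameterised": {"Type": ES_DOMAIN, "Properties": {
        "NodeToNodeEncryptionOptions": {"Enabled": {"Ref": "EncryptNodes"}}}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}})

if __name__ == "__main__":
    for logical_id, reason in find_plaintext_domains(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

A domain whose flag comes from a parameter or condition is reported for manual review rather than passed, since its value is only known at deploy time.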