Severity: HIGH
Source: Trivy
ID: AVD-AWS-0043

Elasticsearch domain uses plaintext traffic for node to node communication.

Traffic flowing between Elasticsearch nodes should be encrypted to ensure sensitive data is kept private.

Impact

In-transit data between nodes could be read if intercepted.

Follow the appropriate remediation steps below to resolve the issue.

Enable encrypted node to node communication (CloudFormation)

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: 'test'
      ElasticsearchVersion: '7.10'
      EncryptionAtRestOptions:
        Enabled: true
        KmsKeyId: alias/kmskey
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: true
        InstanceCount: '2'
        ZoneAwarenessEnabled: true
        InstanceType: 'm3.medium.elasticsearch'
        DedicatedMasterType: 'm3.medium.elasticsearch'
        DedicatedMasterCount: '3'
      EBSOptions:
        EBSEnabled: true
        Iops: '0'
        VolumeSize: '20'
        VolumeType: 'gp2'
      NodeToNodeEncryptionOptions:
        Enabled: true

Enable encrypted node to node communication (Terraform)

resource "aws_elasticsearch_domain" "good_example" {
  domain_name = "domain-foo"
  
  node_to_node_encryption {
    enabled = true
  }
}
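The following is an added example, not part of the Trivy page or the Trivy code base: a small Python check that applies the logic of this finding to a parsed CloudFormation template (a domain fails when NodeToNodeEncryptionOptions is absent or its Enabled flag is not true). The template dict and the function name find_plaintext_node_traffic are constructed for illustration.

```python
"""Flag AWS::Elasticsearch::Domain resources with unencrypted node-to-node traffic."""
from typing import Any, Dict, List

DOMAIN_TYPE = "AWS::Elasticsearch::Domain"


def _is_true(value: Any) -> bool:
    """CloudFormation accepts booleans either as YAML booleans or as the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def find_plaintext_node_traffic(template: Dict[str, Any]) -> List[str]:
    """Return logical IDs of Elasticsearch domains whose node-to-node traffic is plaintext.

    Mirrors AVD-AWS-0043: a missing NodeToNodeEncryptionOptions block and an
    Enabled value other than true are both reported.
    """
    findings: List[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != DOMAIN_TYPE:
            continue
        props = resource.get("Properties") or {}
        options = props.get("NodeToNodeEncryptionOptions") or {}
        if not _is_true(options.get("Enabled")):
            findings.append(logical_id)
    return findings


# Constructed sample template: one compliant domain, two non-compliant ones,
# and an unrelated resource that must be ignored.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GoodExample": {"Type": DOMAIN_TYPE, "Properties": {
            "DomainName": "test", "NodeToNodeEncryptionOptions": {"Enabled": True}}},
        "MissingOptions": {"Type": DOMAIN_TYPE, "Properties": {
            "DomainName": "no-options"}},
        "ExplicitlyDisabled": {"Type": DOMAIN_TYPE, "Properties": {
            "DomainName": "disabled", "NodeToNodeEncryptionOptions": {"Enabled": "false"}}},
        "Unrelated": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
}

if __name__ == "__main__":
    for domain in find_plaintext_node_traffic(SAMPLE_TEMPLATE):
        print(f"AVD-AWS-0043: {domain} uses plaintext node-to-node traffic")
```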