HIGH
Source
Trivy
ID
AVD-AWS-0048

Elasticsearch domain isn’t encrypted at rest.

You should ensure your Elasticsearch data is encrypted at rest to help prevent sensitive information from being read by unauthorised users. Encryption at rest covers the domain's indices, Elasticsearch logs, swap files and automated snapshots; manual snapshots written to your own S3 bucket are not covered and rely on that bucket's server-side encryption.

Impact

Data held by the domain (indices, logs and automated snapshots) is readable by anyone who obtains the underlying storage or a copy of it.

Resolution

Follow the appropriate remediation steps below to resolve the issue.

Enable Elasticsearch domain encryption (CloudFormation)

Set EncryptionAtRestOptions.Enabled to true. Encryption at rest requires Elasticsearch 5.1 or later and is not supported on m3 or t2 instance types, so the cluster configuration must use a supported instance type as well. If KmsKeyId is omitted, the AWS managed key aws/es is used.

Resources:
  GoodExample:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: test
      EBSOptions:
        EBSEnabled: true
        # Iops applies only to io1/gp3 volumes, so it is omitted for gp2
        VolumeSize: "20"
        VolumeType: gp2
      ElasticsearchClusterConfig:
        DedicatedMasterCount: "3"
        DedicatedMasterEnabled: true
        # m3 and t2 instance types do not support encryption at rest
        DedicatedMasterType: m5.large.elasticsearch
        InstanceCount: "2"
        InstanceType: m5.large.elasticsearch
        ZoneAwarenessEnabled: true
      # Encryption at rest requires Elasticsearch 5.1 or later
      ElasticsearchVersion: "7.10"
      EncryptionAtRestOptions:
        Enabled: true
        # Optional: omit KmsKeyId to use the AWS managed key aws/es
        KmsKeyId: alias/kmskey

Enable Elasticsearch domain encryption (Terraform)

Set encrypt_at_rest.enabled to true. The provider defaults, Elasticsearch 1.5 and m3.medium.elasticsearch, do not support encryption at rest, so the resource also needs an explicit elasticsearch_version (5.1 or later) and a supported instance type. On domains running Elasticsearch 6.7 or later the setting can be enabled in place; on older domains it can only be set at creation, so the domain must be recreated and restored from a snapshot.

resource "aws_elasticsearch_domain" "good_example" {
  domain_name           = "domain-foo"
  elasticsearch_version = "7.10" # encryption at rest needs 5.1+; provider default is 1.5

  cluster_config {
    instance_type = "i3.large.elasticsearch" # m3 (provider default) and t2 types do not support it
  }

  encrypt_at_rest {
    enabled = true
    # optional: kms_key_id = "<key ARN>"; omitted, the AWS managed key aws/es is used
  }
}
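Trivy evaluates this check against infrastructure-as-code, so domains that were created by hand or before the check was adopted are never scanned. The following script is an added example, not Trivy's own check or any AWS tooling: it applies the same test (EncryptionAtRestOptions.Enabled must be literally true) to DomainStatus records of the shape returned by DescribeElasticsearchDomain, and tells you whether each failing domain can be fixed in place (Elasticsearch 6.7 or later, or any OpenSearch version) or must be recreated. The SAMPLE_DOMAINS records are constructed test data; the live mode assumes boto3 is installed and AWS credentials are configured.

```python
"""Audit deployed Elasticsearch domains for AVD-AWS-0048 (encryption at rest).

Added example, not Trivy's own check. Trivy scans IaC; this applies the
same test to DescribeElasticsearchDomain responses from the live API.
The SAMPLE_DOMAINS records below are constructed test data.
"""
from typing import Any, Dict, Iterable, List

CHECK_ID = "AVD-AWS-0048"
SEVERITY = "HIGH"

# Constructed sample of DomainStatus records, shaped like the API response
# (not real domains).
SAMPLE_DOMAINS: List[Dict[str, Any]] = [
    {"DomainName": "logs-prod", "ElasticsearchVersion": "7.10",
     "EncryptionAtRestOptions": {"Enabled": False}},
    {"DomainName": "legacy-search", "ElasticsearchVersion": "5.5",
     "EncryptionAtRestOptions": {"Enabled": False}},
    {"DomainName": "secure-search", "ElasticsearchVersion": "7.10",
     "EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": "alias/kmskey"}},
    # The block may be absent altogether; treat that as not encrypted.
    {"DomainName": "no-options", "ElasticsearchVersion": "6.8"},
]


def is_encrypted_at_rest(domain_status: Dict[str, Any]) -> bool:
    """Pass only when EncryptionAtRestOptions.Enabled is literally True.

    A missing block, None, or a truthy non-bool (e.g. the string "false")
    all count as not encrypted, so a misread fails closed.
    """
    options = domain_status.get("EncryptionAtRestOptions") or {}
    return options.get("Enabled") is True


def supports_in_place_enable(version: str) -> bool:
    """True if encryption at rest can be enabled on the existing domain.

    That is Elasticsearch 6.7 or later, or any OpenSearch version; older
    domains must be recreated and restored from a snapshot.
    """
    if version.startswith("OpenSearch_"):
        return True
    try:
        major, minor = (int(part) for part in version.split(".")[:2])
    except ValueError:
        return False  # unparseable version: assume the safer (recreate) path
    return (major, minor) >= (6, 7)


def audit_domains(domain_statuses: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per domain that fails the check, in input order."""
    findings: List[Dict[str, str]] = []
    for status in domain_statuses:
        if is_encrypted_at_rest(status):
            continue
        version = status.get("ElasticsearchVersion", "")
        if supports_in_place_enable(version):
            fix = "enable EncryptionAtRestOptions in place (UpdateElasticsearchDomainConfig)"
        else:
            fix = "create a new encrypted domain and restore from a snapshot"
        findings.append({
            "check": CHECK_ID,
            "severity": SEVERITY,
            "domain": status.get("DomainName", "<unknown>"),
            "version": version or "<unknown>",
            "remediation": fix,
        })
    return findings


def main() -> None:
    # Live mode. Assumption: boto3 is installed and credentials/region are set.
    import boto3  # imported here so the module stays importable offline

    client = boto3.client("es")
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    statuses = [client.describe_elasticsearch_domain(DomainName=n)["DomainStatus"]
                for n in names]
    for f in audit_domains(statuses):
        print(f"{f['severity']} {f['check']} {f['domain']} "
              f"(version {f['version']}): {f['remediation']}")


if __name__ == "__main__":
    main()
```

The check deliberately tests `Enabled is True` rather than truthiness: a domain whose options block is missing or malformed is reported as failing, which is the behaviour you want from an audit. Run the module directly to scan the account the current credentials point at; import it and call `audit_domains` on saved API output to review findings offline.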