Elasticsearch domain isn’t encrypted at rest.
You should ensure your Elasticsearch data is encrypted at rest to help prevent sensitive information from being read by unauthorised users.
Impact
Data will be readable if compromised
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Enable Elasticsearch domain encryption (CloudFormation)
```yaml
Resources:
  GoodExample:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: 'test'
      ElasticsearchVersion: '7.10'
      EncryptionAtRestOptions:
        Enabled: true
        KmsKeyId: alias/kmskey
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: true
        InstanceCount: '2'
        ZoneAwarenessEnabled: true
        InstanceType: 'm3.medium.elasticsearch'
        DedicatedMasterType: 'm3.medium.elasticsearch'
        DedicatedMasterCount: '3'
      EBSOptions:
        EBSEnabled: true
        Iops: '0'
        VolumeSize: '20'
        VolumeType: 'gp2'
```
Enable Elasticsearch domain encryption (Terraform)
```hcl
resource "aws_elasticsearch_domain" "good_example" {
  domain_name = "domain-foo"

  encrypt_at_rest {
    enabled = true
  }
}
```
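To find domains that still need this remediation, the added example below (not part of the original page or of any scanner's code) checks a CloudFormation template for domains whose `EncryptionAtRestOptions` is missing or not enabled. It assumes the template is in JSON form; the function names and the sample template are constructed for illustration, and the `AWS::OpenSearchService::Domain` type goes beyond what the page covers.

```python
import json

# Resource types to check. AWS::OpenSearchService::Domain goes beyond the page;
# it is included because it carries the same EncryptionAtRestOptions property.
DOMAIN_TYPES = {"AWS::Elasticsearch::Domain", "AWS::OpenSearchService::Domain"}


def is_true(value):
    """CloudFormation accepts booleans as true/false or as 'true'/'false'."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def unencrypted_domains(template):
    """Return sorted logical IDs of domains without encryption at rest enabled."""
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") not in DOMAIN_TYPES:
            continue
        props = resource.get("Properties") or {}
        options = props.get("EncryptionAtRestOptions")
        # Reported: block missing, block not a mapping, or Enabled not true.
        # An intrinsic such as {"Ref": ...} is reported too, because it
        # cannot be resolved without the stack parameters.
        if not isinstance(options, dict) or not is_true(options.get("Enabled")):
            findings.append(logical_id)
    return sorted(findings)


# Constructed sample template in CloudFormation's JSON form (not from the page).
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "GoodExample": {"Type": "AWS::Elasticsearch::Domain", "Properties": {
    "EncryptionAtRestOptions": {"Enabled": true, "KmsKeyId": "alias/kmskey"}}},
  "StringTrue": {"Type": "AWS::OpenSearchService::Domain", "Properties": {
    "EncryptionAtRestOptions": {"Enabled": "true"}}},
  "MissingBlock": {"Type": "AWS::Elasticsearch::Domain", "Properties": {
    "DomainName": "test"}},
  "ExplicitlyDisabled": {"Type": "AWS::Elasticsearch::Domain", "Properties": {
    "EncryptionAtRestOptions": {"Enabled": false}}},
  "Bucket": {"Type": "AWS::S3::Bucket"}
}}
""")

if __name__ == "__main__":
    for name in unencrypted_domains(SAMPLE_TEMPLATE):
        print(f"{name}: encryption at rest is not enabled")
```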