HIGH
Source
Trivy
ID
AVD-AWS-0048

Elasticsearch domain isn’t encrypted at rest.

You should ensure your Elasticsearch data is encrypted at rest to help prevent sensitive information from being read by unauthorised users.

Impact

Data will be readable if compromised

Follow the appropriate remediation steps below to resolve the issue.

Enable ElasticSearch domain encryption

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: 'test'
      ElasticsearchVersion: '7.10'
      EncryptionAtRestOptions:
        Enabled: true
        KmsKeyId: alias/kmskey
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: true
        InstanceCount: '2'
        ZoneAwarenessEnabled: true
        InstanceType: 'm3.medium.elasticsearch'
        DedicatedMasterType: 'm3.medium.elasticsearch'
        DedicatedMasterCount: '3'
      EBSOptions:
        EBSEnabled: true
        Iops: '0'
        VolumeSize: '20'
        VolumeType: 'gp2'

Enable ElasticSearch domain encryption

1
2
3
4
5
6
7
resource "aws_elasticsearch_domain" "good_example" {
  domain_name = "domain-foo"
  
  encrypt_at_rest {
    enabled = true
  }
}