OpenSearch Domains Encrypted with KMS CMKs
Ensure that your Amazon OpenSearch domains are configured to use KMS Customer-Managed Keys (CMKs) instead of AWS-managed keys (the default keys that Amazon OpenSearch uses when no key is defined), so that you have more granular control over the data encryption/decryption process.
This rule can help you with the following compliance standards:
- GDPR
- APRA
- MAS
- NIST4
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When you use your own Amazon KMS Customer-Managed Keys (CMKs) to protect OpenSearch data, you gain full control over who can use the keys to access your cluster data (including the system metadata and automated snapshots). The Amazon KMS service allows you to create, rotate, disable, and audit CMKs for your OpenSearch domains.
Audit
To determine the encryption status and configuration for your Amazon OpenSearch domains, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon OpenSearch Service console available at https://console.aws.amazon.com/aos/home.
03 In the main navigation panel, under Managed clusters, select Domains.
04 Click on the name (link) of the OpenSearch domain that you want to examine.
05 Select the Security configuration tab and check the Encryption at rest attribute value listed under Encryption. If Encryption at rest is set to No, encryption at rest is not enabled for the selected OpenSearch domain. If Encryption at rest is set to Yes, copy the AWS KMS key attribute value (i.e. KMS key ARN).
06 Navigate to Key Management Service (KMS) console available at https://console.aws.amazon.com/kms.
07 In the main navigation panel, choose Customer managed keys to list the Customer-Managed Keys (CMKs) available in the current AWS region.
08 Paste the KMS key ARN copied at step no. 5 into the Filter keys by properties or tags box, then press Enter. If the Amazon KMS console returns a key with the alias (name) set to aws/es, the data on the selected Amazon OpenSearch domain is encrypted at rest using an AWS-managed key instead of a Customer-Managed Key (CMK).
09 Repeat steps no. 4 – 8 for each OpenSearch domain available within the current AWS region.
10 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region:
aws es list-domain-names --region us-east-1 --query 'DomainNames[*].DomainName'
02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:
[ "trendmicro", "cloudconformity" ]
03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) with the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom output filters to describe the ARN of the KMS key used to encrypt the data on the selected domain:
aws es describe-elasticsearch-domain --region us-east-1 --domain-name trendmicro --query 'DomainStatus.EncryptionAtRestOptions.KmsKeyId'
04 The command output should return the requested ARN or null if there is no KMS key used to encrypt the domain's data, i.e. the encryption at rest is not enabled:
"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
05 Run describe-key command (OSX/Linux/UNIX) with the ARN of the KMS key returned at the previous step as the identifier parameter, to determine the type of the encryption key used for the selected domain (AWS-managed or customer-managed):
aws kms describe-key --region us-east-1 --key-id "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd" --query 'KeyMetadata.KeyManager'
06 The command output should return the key manager ("AWS" if the KMS key is AWS-managed or "CUSTOMER" if the key is customer-managed):
"AWS"
If the describe-key command output returns "AWS", as shown in the example above, the data on the selected Amazon OpenSearch domain is encrypted at rest using an AWS-managed key (default key) instead of a Customer-Managed Key (CMK).
07 Repeat steps no. 3 – 6 for each Amazon OpenSearch domain available in the selected AWS region.
08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
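The CLI audit above (steps 01 to 08) can be scripted across domains and regions. The following is an added example, not part of the original page: it uses the boto3 equivalents of the same three calls (list-domain-names, describe-elasticsearch-domain, describe-key), and the function names, finding labels and sample responses are constructed for illustration.

```python
"""Scripted CLI audit: flag domains that do not use a customer-managed key."""
import sys

# Constructed sample responses, shaped like the CLI output in the audit steps.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
SAMPLE_DOMAINS = {
    "trendmicro": {"EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": SAMPLE_KEY_ARN}},
    "cloudconformity": {"EncryptionAtRestOptions": {"Enabled": False}},
}
SAMPLE_KEYS = {SAMPLE_KEY_ARN: {"KeyManager": "AWS"}}


def classify(domain_status, key_metadata):
    """Return the finding for one domain.

    domain_status: "DomainStatus" object from describe-elasticsearch-domain.
    key_metadata:  "KeyMetadata" object from kms describe-key, or None when
                   the key could not be described.
    """
    options = domain_status.get("EncryptionAtRestOptions") or {}
    if not options.get("Enabled") or not options.get("KmsKeyId"):
        return "NOT_ENCRYPTED"          # KmsKeyId is null: no encryption at rest
    if key_metadata is None:
        return "KEY_NOT_READABLE"       # encrypted, but key manager is unknown
    if key_metadata.get("KeyManager") == "CUSTOMER":
        return "CUSTOMER_MANAGED_KEY"   # compliant
    return "AWS_MANAGED_KEY"            # default aws/es key: non-compliant


def audit(es, kms):
    """Run the audit for one region; es and kms are boto3 clients for that region."""
    findings = {}
    for entry in es.list_domain_names()["DomainNames"]:
        name = entry["DomainName"]
        status = es.describe_elasticsearch_domain(DomainName=name)["DomainStatus"]
        key_id = (status.get("EncryptionAtRestOptions") or {}).get("KmsKeyId")
        metadata = None
        if key_id:
            try:
                metadata = kms.describe_key(KeyId=key_id)["KeyMetadata"]
            except kms.exceptions.ClientError:
                pass  # e.g. access denied on a key owned by another account
        findings[name] = classify(status, metadata)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: each argument is a region name, e.g. us-east-1.
        import boto3  # imported here so the offline demo needs no AWS SDK
        for region in sys.argv[1:]:
            es = boto3.client("es", region_name=region)
            kms = boto3.client("kms", region_name=region)
            for name, finding in audit(es, kms).items():
                print(region, name, finding)
    else:
        # Offline demo on the constructed samples above.
        for name, status in SAMPLE_DOMAINS.items():
            key_id = status["EncryptionAtRestOptions"].get("KmsKeyId")
            print(name, classify(status, SAMPLE_KEYS.get(key_id)))
```

Any finding other than CUSTOMER_MANAGED_KEY marks a domain that needs the remediation steps that follow.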
Remediation / Resolution
To encrypt an existing Amazon OpenSearch domain with your own KMS Customer-Managed Key (CMK), you must re-create the domain with the necessary encryption configuration. To create a new CMK, set up your OpenSearch domain, enable custom encryption, and copy your existing data to the new domain, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "Enable Encryption of Data at Rest using Customer-Managed Keys",
      "Resources": {
        "OpenSearchDomain": {
          "Type": "AWS::OpenSearchService::Domain",
          "Properties": {
            "DomainName": "cc-opensearch-domain",
            "EngineVersion": "OpenSearch_1.1",
            "ClusterConfig": {
              "InstanceType": "t3.small.search",
              "InstanceCount": "2"
            },
            "EBSOptions": {
              "EBSEnabled": true,
              "VolumeSize": "30",
              "VolumeType": "gp2"
            },
            "EncryptionAtRestOptions": {
              "Enabled": true,
              "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
            },
            "AccessPolicies": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
                  },
                  "Action": "es:*",
                  "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
                }
              ]
            }
          }
        }
      }
    }
02 CloudFormation template (YAML):
    AWSTemplateFormatVersion: '2010-09-09'
    Description: Enable Encryption of Data at Rest using Customer-Managed Keys
    Resources:
      OpenSearchDomain:
        Type: AWS::OpenSearchService::Domain
        Properties:
          DomainName: cc-opensearch-domain
          EngineVersion: OpenSearch_1.1
          ClusterConfig:
            InstanceType: t3.small.search
            InstanceCount: '2'
          EBSOptions:
            EBSEnabled: true
            VolumeSize: '30'
            VolumeType: gp2
          EncryptionAtRestOptions:
            Enabled: true
            KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
          AccessPolicies:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  AWS: arn:aws:iam::123456789012:user/cc-opensearch-user
                Action: es:*
                Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
    terraform {
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "~> 4.0"
        }
      }

      required_version = ">= 0.14.9"
    }

    provider "aws" {
      region = "us-east-1"
    }

    resource "aws_opensearch_domain" "opensearch-domain" {
      domain_name    = "cc-opensearch-domain"
      engine_version = "OpenSearch_1.1"

      cluster_config {
        instance_type  = "t3.small.search"
        instance_count = 1
      }

      ebs_options {
        ebs_enabled = true
        volume_size = 30
        volume_type = "gp2"
      }

      # Enable Encryption of Data at Rest using Customer-Managed Keys
      encrypt_at_rest {
        enabled    = true
        kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
      }

      access_policies = <<POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
        }
      ]
    }
    POLICY
    }
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Key Management Service (KMS) console available at https://console.aws.amazon.com/kms.
03 In the main navigation panel, select Customer managed keys, choose Create key, and perform the following operations to create a new Customer-Managed Key (CMK):
- For Step 1 Configure key, perform the following actions:
- Choose Symmetric for Key type.
- Select KMS for Key usage.
- Choose Advanced options, select KMS - recommended for Key material origin, and choose whether to allow your KMS key to be replicated into other AWS cloud regions. If Single-Region key is selected, the AWS region must match the region of your OpenSearch domain.
- Select Next to continue the key setup process.
- For Step 2 Add labels, provide the following details:
- Provide a unique name (alias) for your KMS key in the Alias box.
- (Optional) Enter a short description in the Description box.
- (Optional) Choose Add tag from the Tags - optional section to create any necessary tag sets. Tags can be used to categorize and identify your KMS keys and help you track your AWS costs.
- Select Next to continue the setup.
- For Step 3 Define key administrative permissions, perform the following operations:
- For Key administrators, select which IAM users and/or roles can administer your new key through the KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS Management Console.
- For Key deletion, choose whether to allow key administrators to delete your KMS key.
- Select Next to continue the setup process.
- For Step 4 Define key usage permissions, perform the following actions:
- For Key users, select which IAM users and/or roles can use your KMS key in cryptographic operations.
- (Optional) For Other AWS accounts section, specify the AWS accounts that can use your key. To configure cross-account access, choose Add another AWS account and enter the ID of the AWS cloud account that can use your KMS key for cryptographic operations. The administrators of the AWS accounts you specify at this step are responsible for managing the permissions that allow their IAM users and/or roles to use your key.
- Select Next to continue the setup.
- For Step 5 Review, review the key configuration and key policy, then choose Finish to create your new Amazon KMS Customer Managed Key (CMK).
04 Once your new KMS Customer Managed Key (CMK) is available, navigate to Amazon OpenSearch Service console available at https://console.aws.amazon.com/aos/home.
05 In the main navigation panel, under Managed clusters, select Domains.
06 Click on the name (link) of the OpenSearch domain that you want to re-create and copy the domain configuration information.
07 Go back to the Domains page, choose Create domain, and perform the following operations to deploy your new OpenSearch domain:
- For Name, provide a unique name for your new OpenSearch domain in the Domain name box.
- For Domain creation method, choose Standard create.
- For Templates, choose between the Production template or Dev/test template.
- For Deployment option(s), choose the deployment type that corresponds to the availability goals for your OpenSearch application.
- For Engine options, select the OpenSearch/Elasticsearch version that you want to use for your new domain. We recommend selecting the latest version.
- For Data nodes, configure the cluster data nodes using the configuration information identified at step no. 6.
- For Warm and cold data storage, choose whether to enable the UltraWarm feature.
- For Dedicated master nodes, configure the master nodes for your new OpenSearch domain.
- For Custom endpoint, choose whether to add a custom endpoint using Amazon Certificate Manager (ACM).
- For Network, configure the networking settings for your new domain (must match the networking configuration of the source domain).
- For Fine-grained access control, uncheck the Enable fine-grained access control setting checkbox to disable fine-grained access control for the new domain.
- For Access policy, configure the domain's access policy. Access policies control whether a request is accepted or rejected when it reaches the OpenSearch domain.
- For Encryption, check the Enable encryption of data at rest checkbox, select Choose a different AWS KMS key (advanced), and choose the ID of the Amazon KMS Customer-Managed Key (CMK) created earlier in the Remediation process. Check both Require HTTPS for all traffic to the domain and Node-to-node encryption checkboxes to enable in-transit and node-to-node encryption for the domain.
- For Off-peak window, configure the off-peak window necessary to schedule service software updates and Auto-Tune optimizations that require a blue/green deployment.
- For Auto-Tune, choose whether to use the Auto-Tune feature. Auto-Tune analyzes cluster performance over time and suggests optimizations based on your workload.
- For Automatic software update, check the Enable automatic software update checkbox to enable automatic software updates.
- (Optional) For Tags - optional, choose Add new tag to create any necessary tag sets. Tags can be used to categorize and identify your resource and help you track your AWS costs.
- (Optional) For Advanced cluster settings - optional, configure any advanced settings available for the OpenSearch domain (must match the networking configuration of the source domain).
- Choose Create to provision your new, CMK-encrypted Amazon OpenSearch domain.
08 Once the new Amazon OpenSearch domain is available, upload the data from the source domain to the destination (new) domain.
09 (Optional) You can remove the source OpenSearch domain from your AWS account in order to avoid further charges. To delete the unneeded domain, perform the following actions:
- In the main navigation panel, under Managed clusters, select Domains.
- Select the Amazon OpenSearch domain that you want to remove and choose Delete.
- In the Delete domain? confirmation box, type the name of your domain in the required field, then choose Delete to confirm deletion.
10 Repeat steps no. 6 - 9 to enable encryption at rest using Customer-Managed Keys for each OpenSearch domain available within the current AWS region.
11 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.
Using AWS CLI
01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer-Managed Key (CMK) and to encrypt/decrypt your OpenSearch domain data using the KMS API. Create a new policy document (JSON format), name the file opensearch-data-cmk-policy.json, and paste the following content (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):
    {
      "Id": "protected-cmk-policy",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-account-id>:root"
          },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
            "kms:Create*",
            "kms:Describe*",
            "kms:Enable*",
            "kms:List*",
            "kms:Put*",
            "kms:Update*",
            "kms:Revoke*",
            "kms:Disable*",
            "kms:Get*",
            "kms:Delete*",
            "kms:TagResource",
            "kms:UntagResource",
            "kms:ScheduleKeyDeletion",
            "kms:CancelKeyDeletion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
            "kms:CreateGrant",
            "kms:ListGrants",
            "kms:RevokeGrant"
          ],
          "Resource": "*",
          "Condition": {
            "Bool": {
              "kms:GrantIsForAWSResource": "true"
            }
          }
        }
      ]
    }
02 Run create-key command (OSX/Linux/UNIX) with the policy document created at the previous step (i.e. opensearch-data-cmk-policy.json) as value for the --policy parameter, to create your new Amazon KMS Customer-Managed Key (CMK):
aws kms create-key --region us-east-1 --description 'Customer-Managed Key for OpenSearch Data Encryption' --policy file://opensearch-data-cmk-policy.json --query 'KeyMetadata.Arn'
03 The command output should return the ARN of the new Customer-Managed Key (CMK):
"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
04 Run create-alias command (OSX/Linux/UNIX) with the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):
aws kms create-alias --region us-east-1 --alias-name alias/OpenSearchDataCMK --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
05 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) with the name of the Amazon OpenSearch domain that you want to re-create as the identifier parameter and custom output filters to describe the configuration information available for the selected domain:
aws es describe-elasticsearch-domain --region us-east-1 --domain-name trendmicro
06 The command output should return the configuration information available for the selected OpenSearch domain:
    {
      "DomainStatus": {
        "DomainId": "123456789012/trendmicro",
        "DomainName": "trendmicro",
        "ARN": "arn:aws:es:us-east-1:123456789012:domain/trendmicro",
        "Created": true,
        "Deleted": false,
        "Endpoint": "search-trendmicro-abcd1234abcdabcd1234abcd.us-east-1.es.amazonaws.com",
        "Processing": false,
        "UpgradeProcessing": false,
        "ElasticsearchVersion": "7.9",
        "ElasticsearchClusterConfig": {
          "InstanceType": "t3.small.elasticsearch",
          "InstanceCount": 3,
          "DedicatedMasterEnabled": false,
          "ZoneAwarenessEnabled": false,
          "WarmEnabled": false,
          "ColdStorageOptions": {
            "Enabled": false
          }
        },
        "EBSOptions": {
          "EBSEnabled": true,
          "VolumeType": "gp2",
          "VolumeSize": 15
        },
        "AccessPolicies": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\"}]}",
        "SnapshotOptions": {},
        "CognitoOptions": {
          "Enabled": false
        },
        "EncryptionAtRestOptions": {
          "Enabled": true,
          "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12341234-abcd-abcd-abcd-123412341234"
        },
        "NodeToNodeEncryptionOptions": {
          "Enabled": false
        },
        "AdvancedOptions": {
          "indices.fielddata.cache.size": "",
          "override_main_response_version": "false",
          "rest.action.multi.allow_explicit_index": "false"
        },
        "ServiceSoftwareOptions": {
          "CurrentVersion": "R20211203-P2",
          "NewVersion": "",
          "UpdateAvailable": false,
          "Cancellable": false,
          "UpdateStatus": "COMPLETED",
          "Description": "There is no software update available for this domain.",
          "AutomatedUpdateDate": "2021-12-15T22:07:00+00:00",
          "OptionalDeployment": false
        },
        "DomainEndpointOptions": {
          "EnforceHTTPS": false,
          "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",
          "CustomEndpointEnabled": false
        },
        "AdvancedSecurityOptions": {
          "Enabled": false,
          "InternalUserDatabaseEnabled": false
        },
        "AutoTuneOptions": {
          "State": "ENABLE_IN_PROGRESS"
        }
      }
    }
07 Run create-elasticsearch-domain command (OSX/Linux/UNIX) with the configuration information returned at the previous step to re-create the selected Amazon OpenSearch domain with the necessary encryption configuration (i.e. using the Customer-Managed Key created earlier in the Remediation process). Replace the KmsKeyId parameter value with the key ARN returned at step no. 3:
aws es create-elasticsearch-domain --region us-east-1 --domain-name trendmicro-v2 --elasticsearch-version 7.9 --elasticsearch-cluster-config InstanceType=t3.small.elasticsearch,InstanceCount=3 --ebs-options EBSEnabled=true,VolumeType=gp2,VolumeSize=15 --encryption-at-rest-options Enabled=true,KmsKeyId="arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234" --access-policies '{"Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user" }, "Action":"es:*", "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro-v2/*" } ] }'
08 The command output should return the configuration information available for the new OpenSearch domain:
    {
      "DomainStatus": {
        "DomainId": "123456789012/trendmicro-v2",
        "DomainName": "trendmicro-v2",
        "ARN": "arn:aws:es:us-east-1:123456789012:domain/trendmicro-v2",
        "Created": true,
        "Deleted": false,
        "Endpoint": "search-trendmicro-v2-abcd1234abcdabcd1234abcd.us-east-1.es.amazonaws.com",
        "Processing": false,
        "UpgradeProcessing": false,
        "ElasticsearchVersion": "7.9",
        "ElasticsearchClusterConfig": {
          "InstanceType": "t3.small.elasticsearch",
          "InstanceCount": 3,
          "DedicatedMasterEnabled": false,
          "ZoneAwarenessEnabled": false,
          "WarmEnabled": false,
          "ColdStorageOptions": {
            "Enabled": false
          }
        },
        "EBSOptions": {
          "EBSEnabled": true,
          "VolumeType": "gp2",
          "VolumeSize": 15
        },
        "AccessPolicies": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\"}]}",
        "SnapshotOptions": {},
        "CognitoOptions": {
          "Enabled": false
        },
        "EncryptionAtRestOptions": {
          "Enabled": true,
          "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
        },
        "NodeToNodeEncryptionOptions": {
          "Enabled": false
        },
        "AdvancedOptions": {
          "indices.fielddata.cache.size": "",
          "override_main_response_version": "false",
          "rest.action.multi.allow_explicit_index": "false"
        },
        "ServiceSoftwareOptions": {
          "CurrentVersion": "R20211203-P2",
          "NewVersion": "",
          "UpdateAvailable": false,
          "Cancellable": false,
          "UpdateStatus": "COMPLETED",
          "Description": "There is no software update available for this domain.",
          "AutomatedUpdateDate": "2021-12-15T22:07:00+00:00",
          "OptionalDeployment": false
        },
        "DomainEndpointOptions": {
          "EnforceHTTPS": false,
          "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",
          "CustomEndpointEnabled": false
        },
        "AdvancedSecurityOptions": {
          "Enabled": false,
          "InternalUserDatabaseEnabled": false
        },
        "AutoTuneOptions": {
          "State": "ENABLE_IN_PROGRESS"
        }
      }
    }
09 Once your new OpenSearch domain is available, upload the data from the source domain to the destination (new) domain.
10 (Optional) You can remove the source OpenSearch domain from your AWS account in order to avoid further charges. To shut it down, run delete-elasticsearch-domain command (OSX/Linux/UNIX) with the name of the OpenSearch domain that you want to delete as the identifier parameter:
aws es delete-elasticsearch-domain --region us-east-1 --domain-name trendmicro
11 The command output should return the configuration information of the removed OpenSearch domain:
    {
      "DomainStatus": {
        "DomainId": "123456789012/trendmicro",
        "DomainName": "trendmicro",
        "ARN": "arn:aws:es:us-east-1:123456789012:domain/trendmicro",
        "Created": true,
        "Deleted": false,
        "Endpoint": "search-trendmicro-abcd1234abcdabcd1234abcd.us-east-1.es.amazonaws.com",
        "Processing": false,
        "UpgradeProcessing": false,
        "ElasticsearchVersion": "7.9",
        "ElasticsearchClusterConfig": {
          "InstanceType": "t3.small.elasticsearch",
          "InstanceCount": 3,
          "DedicatedMasterEnabled": false,
          "ZoneAwarenessEnabled": false,
          "WarmEnabled": false,
          "ColdStorageOptions": {
            "Enabled": false
          }
        },
        "EBSOptions": {
          "EBSEnabled": true,
          "VolumeType": "gp2",
          "VolumeSize": 15
        },
        "AccessPolicies": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\"}]}",
        "SnapshotOptions": {},
        "CognitoOptions": {
          "Enabled": false
        },
        "EncryptionAtRestOptions": {
          "Enabled": true,
          "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12341234-abcd-abcd-abcd-123412341234"
        },
        "NodeToNodeEncryptionOptions": {
          "Enabled": false
        },
        "AdvancedOptions": {
          "indices.fielddata.cache.size": "",
          "override_main_response_version": "false",
          "rest.action.multi.allow_explicit_index": "false"
        },
        "ServiceSoftwareOptions": {
          "CurrentVersion": "R20211203-P2",
          "NewVersion": "",
          "UpdateAvailable": false,
          "Cancellable": false,
          "UpdateStatus": "COMPLETED",
          "Description": "There is no software update available for this domain.",
          "AutomatedUpdateDate": "2021-12-15T22:07:00+00:00",
          "OptionalDeployment": false
        },
        "DomainEndpointOptions": {
          "EnforceHTTPS": false,
          "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",
          "CustomEndpointEnabled": false
        },
        "AdvancedSecurityOptions": {
          "Enabled": false,
          "InternalUserDatabaseEnabled": false
        },
        "AutoTuneOptions": {
          "State": "ENABLE_IN_PROGRESS"
        }
      }
    }
12 Repeat steps no. 5 – 11 to enable encryption at rest using Customer-Managed Keys for each OpenSearch domain available in the selected AWS region.
13 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 12 to perform the Remediation process for other regions.