
OpenSearch Domain Encrypted with KMS CMKs

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ES-013

Ensure that your Amazon OpenSearch domains are using KMS Customer Master Keys (CMKs) instead of AWS managed-keys (default keys used by Amazon OpenSearch when there are no customer master keys defined) in order to have a more granular control over your cluster data encryption/decryption process.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When you define and use your own Amazon KMS Customer Master Keys (CMKs) to protect the OpenSearch data, you gain full control over who can use these keys to access the cluster data (including the system metadata and any automated and manual snapshots). The Amazon KMS service allows you to create, rotate, disable, and audit CMKs for your OpenSearch domains.


Audit

To determine the encryption status and configuration for your Amazon OpenSearch domains, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Click on the name (link) of the OpenSearch domain that you want to examine.

05 Select the Security configuration tab and check the Encryption at rest attribute value listed in the Encryption section. If Encryption at rest is set to No, the encryption at rest is not enabled for the selected OpenSearch domain. If Encryption at rest is set to Yes, copy the AWS KMS key attribute value (i.e. KMS key ARN).

06 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

07 In the main navigation panel, under Key Management Service (KMS), select AWS managed keys.

08 Paste the KMS key ARN copied at step no. 5 into the Filter keys by alias or key ID, then press Enter. If the Amazon KMS console returns a key entry with the alias (name) set to aws/es, the data on the selected Amazon OpenSearch domain is encrypted using the default master key (AWS-managed key) instead of a customer-managed Customer Master Key (CMK).

09 Repeat steps no. 4 – 8 for each OpenSearch domain available within the current AWS region.

10 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region:

aws es list-domain-names \
  --region us-east-1 \
  --query 'DomainNames[*].DomainName'

02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

[
    "trendmicro",
    "cloudconformity"
]

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to describe the ARN of the KMS key used to encrypt the data on the selected domain:

aws es describe-elasticsearch-domain \
  --region us-east-1 \
  --domain-name trendmicro \
  --query 'DomainStatus.EncryptionAtRestOptions.KmsKeyId'

04 The command output should return the requested ARN or null if there is no KMS key used to encrypt the domain's data, i.e. the encryption at rest is not enabled:

"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"

05 Run describe-key command (OSX/Linux/UNIX) using the ARN of the master key returned at the previous step as the identifier parameter to describe the manager of the specified KMS key:

aws kms describe-key \
  --region us-east-1 \
  --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd \
  --query 'KeyMetadata.KeyManager'

06 The command output should return the master key manager ("AWS" if the master key is AWS-managed, and "CUSTOMER" if the key is customer-managed):

"AWS"

If the describe-key command output returns "AWS", as shown in the example above, the data on the selected Amazon OpenSearch domain is encrypted using the default master key (AWS-managed key) instead of a customer-managed Customer Master Key (CMK).

07 Repeat steps no. 3 – 6 for each Amazon OpenSearch domain available in the selected AWS region.

08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
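The decision logic of the CLI audit above, as an added example that is not part of the Conformity page or of the AWS CLI: a Python script that classifies each domain from the JSON documents returned by describe-elasticsearch-domain and describe-key. The sample documents, domain names and key ARNs are constructed to mirror the page's examples; the optional live_audit function (boto3 "es" and "kms" clients) runs the same logic against a real region and assumes read-only credentials are configured.

```python
"""Classify Amazon OpenSearch domains by the type of key used for encryption at rest.

Added example (not part of the Conformity page). It applies the Audit logic:
no key -> encryption at rest disabled; KeyManager "AWS" -> default aws/es key;
KeyManager "CUSTOMER" -> customer-managed CMK (the only compliant state for ES-013).
"""

# Constructed sample: trimmed `aws es describe-elasticsearch-domain` documents,
# keyed by domain name, mirroring the page's example output.
SAMPLE_DOMAINS = {
    "trendmicro": {"DomainStatus": {
        "DomainName": "trendmicro",
        "EncryptionAtRestOptions": {
            "Enabled": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"}}},
    "cloudconformity": {"DomainStatus": {
        "DomainName": "cloudconformity",
        "EncryptionAtRestOptions": {
            "Enabled": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"}}},
    "legacy-logs": {"DomainStatus": {
        "DomainName": "legacy-logs",
        "EncryptionAtRestOptions": {"Enabled": False}}},
}

# Constructed sample: trimmed `aws kms describe-key` documents, keyed by key ARN.
SAMPLE_KEYS = {
    "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd":
        {"KeyMetadata": {"KeyManager": "AWS"}},
    "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234":
        {"KeyMetadata": {"KeyManager": "CUSTOMER"}},
}

NOT_ENCRYPTED = "NOT_ENCRYPTED"                # EncryptionAtRestOptions.Enabled is false
AWS_MANAGED_KEY = "AWS_MANAGED_KEY"            # default aws/es key, fails ES-013
CUSTOMER_MANAGED_KEY = "CUSTOMER_MANAGED_KEY"  # customer-managed CMK, passes ES-013


def encryption_key_arn(domain_doc):
    """Return the KmsKeyId of a domain, or None when encryption at rest is off."""
    options = domain_doc["DomainStatus"].get("EncryptionAtRestOptions", {})
    if not options.get("Enabled"):
        return None
    return options.get("KmsKeyId")


def classify(domain_doc, describe_key):
    """describe_key(key_arn) must return the describe-key document for that ARN."""
    key_arn = encryption_key_arn(domain_doc)
    if key_arn is None:
        return NOT_ENCRYPTED
    manager = describe_key(key_arn)["KeyMetadata"]["KeyManager"]
    return CUSTOMER_MANAGED_KEY if manager == "CUSTOMER" else AWS_MANAGED_KEY


def is_compliant(status):
    """ES-013 passes only when the domain is encrypted with a customer-managed CMK."""
    return status == CUSTOMER_MANAGED_KEY


def audit(domain_docs, key_docs):
    """Offline audit over pre-fetched documents; returns {domain name: status}."""
    return {name: classify(doc, lambda arn: key_docs[arn])
            for name, doc in domain_docs.items()}


def live_audit(region):
    """Same logic against a real region (assumes boto3 and read-only credentials)."""
    import boto3  # imported here so the offline part of the script has no dependency
    es = boto3.client("es", region_name=region)
    kms = boto3.client("kms", region_name=region)
    names = [d["DomainName"] for d in es.list_domain_names()["DomainNames"]]
    docs = {n: es.describe_elasticsearch_domain(DomainName=n) for n in names}
    return {n: classify(doc, lambda arn: kms.describe_key(KeyId=arn))
            for n, doc in docs.items()}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_DOMAINS, SAMPLE_KEYS).items():
        print(f"{name}: {status} ({'PASS' if is_compliant(status) else 'FAIL'})")
```

Run the script as-is to see the three sample outcomes; call live_audit("us-east-1") (and each other region in turn) to reproduce steps 1 to 8 against an account. The classification deliberately keys on KeyMetadata.KeyManager rather than on the aws/es alias, because the alias check in the console procedure depends on the key being listed under AWS managed keys while KeyManager is returned for every key.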

Remediation / Resolution

To encrypt an existing Amazon OpenSearch domain with your own KMS Customer Master Key (CMK), you must re-create the domain with the necessary encryption configuration. To create a new CMK, set up a new OpenSearch domain that is encrypted with that key, and copy your existing data to the new domain, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enable Encryption of Data at Rest using Customer Master Keys",
  "Resources": {
    "OpenSearchDomain": {
      "Type": "AWS::OpenSearchService::Domain",
      "Properties": {
        "DomainName": "cc-opensearch-domain",
        "EngineVersion": "OpenSearch_1.1",
        "ClusterConfig": {
          "InstanceType": "t3.small.search",
          "InstanceCount": 2
        },
        "EBSOptions": {
          "EBSEnabled": true,
          "VolumeSize": 30,
          "VolumeType": "gp2"
        },
        "EncryptionAtRestOptions": {
          "Enabled": true,
          "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
        },
        "AccessPolicies": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
              },
              "Action": "es:*",
              "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
            }
          ]
        }
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Encryption of Data at Rest using Customer Master Keys
Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: cc-opensearch-domain
      EngineVersion: OpenSearch_1.1
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: 2
      EBSOptions:
        EBSEnabled: true
        VolumeSize: 30
        VolumeType: gp2
      EncryptionAtRestOptions:
        Enabled: true
        KmsKeyId: arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/cc-opensearch-user
            Action: es:*
            Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_opensearch_domain" "opensearch-domain" {
  domain_name    = "cc-opensearch-domain"
  engine_version = "OpenSearch_1.1"

  cluster_config {
    instance_type  = "t3.small.search"
    instance_count = 1
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 30
    volume_type = "gp2"
  }

  # Enable Encryption of Data at Rest using Customer Master Keys
  encrypt_at_rest {
    enabled    = true
    kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
  }

  # Indented heredoc (<<-) so the closing marker can stay indented inside the block
  access_policies = <<-POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
        },
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
      }
    ]
  }
  POLICY
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon KMS console at https://console.aws.amazon.com/kms/.

03 In the main navigation panel, under Key Management Service (KMS), select Customer managed keys.

04 Choose the Create Key button from the console top menu to initiate the CMK setup process.

05 For Step 1 Configure key, perform the following actions:

  1. Choose Symmetric from the Key type section. A symmetric key is a single encryption key that can be used for both encryption and decryption operations.
  2. Under Advanced options, for Key material origin, select KMS as the source of the key material within the CMK.
  3. Under Advanced options, for Regionality, select whether to allow the new key to be replicated into other AWS regions.
  4. Choose Next to continue.

06 For Step 2 Add labels, type a unique name (alias) for your new master key in the Alias box and provide a short description for the key in the Description – optional box. (Optional) Use the Add tag button to create tags in order to categorize and identify your CMK. Choose Next to continue the setup process.

07 For Step 3 Define key administrative permissions, choose which IAM users and/or roles can administer your new CMK from the Key administrators section. You may need to add additional permissions for the users or roles to administer the key from the AWS console. For Key deletion, select Allow key administrators to delete this key. Choose Next to continue.

08 For Step 4 Define key usage permissions, within This account section, select which IAM users and/or roles can use the new Customer Master Key for cryptographic operations. (Optional) In the Other AWS accounts section, choose Add another AWS account and enter an external AWS account ID in order to specify the external AWS account that can use the new key to encrypt and decrypt your OpenSearch data. The owners of the external AWS accounts must also provide access to this CMK by creating appropriate policies for their IAM users. Choose Next to continue.

09 For Step 5 Review, review the policy available in the Key policy section, then choose Finish to create your new Customer Master Key (CMK). Once the key is successfully created, the Amazon KMS console will display the following confirmation message: "Success. Your customer master key was created with alias <key-alias> and key ID <key-id>".

10 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

11 In the main navigation panel, under Dashboard, select Domains.

12 Click on the name of the OpenSearch domain that you want to re-create and copy the domain configuration information.

13 Navigate back to the Domains page and choose Create domain to initiate the domain setup process.

14 On the Create domain setup page, perform the following actions:

  1. In the Name section, provide a unique name for your new OpenSearch domain in the Domain name box.
  2. In the Fine-grained access control section, deselect the Enable fine-grained access control setting to disable fine-grained access control for the new domain.
  3. In the Encryption section, choose Enable encryption of data at rest, select Choose a different AWS KMS key (advanced), and choose the ID of the KMS Customer Master Key (CMK) created earlier in the Remediation process.
  4. Configure the rest of the domain settings using the configuration information copied at step no. 12.
  5. Choose Create to provision your new Amazon OpenSearch domain.

15 Once the new OpenSearch domain is created, upload the data from the source domain to the destination (new) domain.

16 (Optional) You can remove the source OpenSearch domain from your AWS account in order to avoid further charges. To delete the unneeded domain, perform the following actions:

  1. In the main navigation panel, under Dashboard, select Domains.
  2. Select the Amazon OpenSearch domain that you want to remove.
  3. Choose Delete from the console top menu to initiate the removal process.
  4. In the Delete domain? confirmation box, type the name of the resource in the required field, then choose Delete to confirm deletion.

17 Repeat steps no. 12 – 16 to enable encryption at rest using Customer Master Keys for each OpenSearch domain available within the current AWS region.

18 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Define the policy that enables the selected IAM users and/or roles to manage your new Customer Master Key (CMK), and to encrypt/decrypt your OpenSearch domain data using the KMS API. Create a new policy document (JSON format), name the file opensearch-data-cmk-policy.json, and paste the following content (replace the placeholder details in angle brackets, i.e. the AWS account ID and the ARNs for the IAM users and/or roles, with your own details):

{
  "Id": "protected-cmk-policy",
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:root"
          },
          "Action": "kms:*",
          "Resource": "*"
      },
      {
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
              "kms:Create*",
              "kms:Describe*",
              "kms:Enable*",
              "kms:List*",
              "kms:Put*",
              "kms:Update*",
              "kms:Revoke*",
              "kms:Disable*",
              "kms:Get*",
              "kms:Delete*",
              "kms:TagResource",
              "kms:UntagResource",
              "kms:ScheduleKeyDeletion",
              "kms:CancelKeyDeletion"
          ],
          "Resource": "*"
      },
      {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey*",
              "kms:DescribeKey"
          ],
          "Resource": "*"
      },
      {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"
          },
          "Action": [
              "kms:CreateGrant",
              "kms:ListGrants",
              "kms:RevokeGrant"
          ],
          "Resource": "*",
          "Condition": {
              "Bool": {
                  "kms:GrantIsForAWSResource": "true"
              }
          }
      }
  ]
}
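A pre-flight check for the key policy document above, as an added example that is not part of the Conformity page or of AWS tooling. It reads the policy text before create-key is run and reports the mistakes that most often produce a MalformedPolicyDocument error or a key nobody can administer or use: leftover placeholders, no account-root statement, missing key-usage actions, a statement open to any principal, and kms:CreateGrant without the kms:GrantIsForAWSResource condition. The shortened template, the filled-in account ID and role name, and the deliberately weak policy are all constructed here.

```python
"""Pre-flight checks for the CMK key policy (opensearch-data-cmk-policy.json).

Added example, not part of the Conformity page or of AWS tooling. Usage:
    python check_key_policy.py opensearch-data-cmk-policy.json
Exit status 1 when a problem is found, so it can gate `aws kms create-key`.
"""
import json
import re
import sys

PLACEHOLDER = re.compile(r"<[a-z-]+>")  # e.g. <aws-account-id>, <role-name>
# The key-usage actions granted by the page's "Allow use of the key" statement.
USAGE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"}

# Constructed sample: the page's policy template, shortened, placeholders left in.
POLICY_TEMPLATE = """{
  "Id": "protected-cmk-policy",
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::<aws-account-id>:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"],
     "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::<aws-account-id>:role/<role-name>"},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}
  ]
}"""

# Constructed: the template with made-up account ID and role name filled in.
FILLED_POLICY = (POLICY_TEMPLATE.replace("<aws-account-id>", "123456789012")
                                .replace("<role-name>", "OpenSearchKeyAdmin"))

# Constructed: a weak policy that the check should reject before create-key runs.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Open", "Effect": "Allow", "Principal": "*",
     "Action": ["kms:CreateGrant", "kms:Decrypt"], "Resource": "*"}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """AWS principals of a statement; "*" stands for any principal."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def _is_root(stmt):
    return any(p.endswith(":root") for p in _principals(stmt))


def check_key_policy(policy_text):
    """Return a list of problems; an empty list means the policy passes."""
    problems = []
    leftover = sorted(set(PLACEHOLDER.findall(policy_text)))
    if leftover:
        problems.append("unresolved placeholders: " + ", ".join(leftover))
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return problems + ["not valid JSON: " + exc.msg]
    statements = _as_list(policy.get("Statement", []))
    # 1. The account root must keep kms:* or the key can become unmanageable.
    if not any(s.get("Effect") == "Allow" and "kms:*" in _as_list(s.get("Action", []))
               and _is_root(s) for s in statements):
        problems.append("no statement grants kms:* to the account root; the key could become unmanageable")
    # 2. Some non-root principal must be able to use the key for data encryption.
    granted = set()
    for s in statements:
        if s.get("Effect") == "Allow" and not _is_root(s):
            granted.update(_as_list(s.get("Action", [])))
    missing = USAGE_ACTIONS - granted
    if missing:
        problems.append("key-usage actions missing: " + ", ".join(sorted(missing)))
    # 3. Per-statement checks: open principals and unconditional grant creation.
    for s in statements:
        sid = s.get("Sid", "(no Sid)")
        if s.get("Effect") == "Allow" and "*" in _principals(s):
            problems.append(f'statement {sid} allows any principal ("*")')
        if ("kms:CreateGrant" in _as_list(s.get("Action", []))
                and "kms:GrantIsForAWSResource" not in json.dumps(s.get("Condition", {}))):
            problems.append(f"statement {sid} allows kms:CreateGrant without the kms:GrantIsForAWSResource condition")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FILLED_POLICY
    found = check_key_policy(text)
    print("\n".join(found) if found else "policy passes pre-flight checks")
    sys.exit(1 if found else 0)
```

The wildcard actions in the administrators statement (kms:Create*) are compared literally, so the grant-condition check only fires on a statement that names kms:CreateGrant explicitly, as the page's template does.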

02 Run create-key command (OSX/Linux/UNIX) using the policy document created at the previous step (i.e. opensearch-data-cmk-policy.json) as the value of the --policy parameter, to create your new, customer-managed Customer Master Key (CMK):

aws kms create-key \
  --region us-east-1 \
  --description 'Customer Master Key for OpenSearch Data Encryption' \
  --policy file://opensearch-data-cmk-policy.json \
  --query 'KeyMetadata.Arn'

03 The command output should return the ARN of the new Customer Master Key (CMK):

"arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

04 Run create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to attach an alias to the new CMK. The alias must start with the prefix "alias/" (the command should not produce an output):

aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/OpenSearchDataCMK \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234

05 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch domain that you want to re-create as the identifier parameter to describe the configuration information available for the selected domain:

aws es describe-elasticsearch-domain \
  --region us-east-1 \
  --domain-name trendmicro

06 The command output should return the configuration details available for the selected OpenSearch domain:

{
    "DomainStatus": {
        "DomainId": "123456789012/trendmicro",
        "DomainName": "trendmicro",
        "ARN": "arn:aws:es:us-east-1:123456789012:domain/trendmicro",
        "Created": true,
        "Deleted": false,
        "Endpoint": "search-trendmicro-abcd1234abcdabcd1234abcd.us-east-1.es.amazonaws.com",
        "Processing": false,
        "UpgradeProcessing": false,
        "ElasticsearchVersion": "7.9",
        "ElasticsearchClusterConfig": {
            "InstanceType": "t3.small.elasticsearch",
            "InstanceCount": 3,
            "DedicatedMasterEnabled": false,
            "ZoneAwarenessEnabled": false,
            "WarmEnabled": false,
            "ColdStorageOptions": {
                "Enabled": false
            }
        },
        "EBSOptions": {
            "EBSEnabled": true,
            "VolumeType": "gp2",
            "VolumeSize": 15
        },
        "AccessPolicies": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\"}]}",
        "SnapshotOptions": {},
        "CognitoOptions": {
            "Enabled": false
        },
        "EncryptionAtRestOptions": {
            "Enabled": true,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12341234-abcd-abcd-abcd-123412341234"
        },
        "NodeToNodeEncryptionOptions": {
            "Enabled": false
        },
        "AdvancedOptions": {
            "indices.fielddata.cache.size": "",
            "override_main_response_version": "false",
            "rest.action.multi.allow_explicit_index": "false"
        },
        "ServiceSoftwareOptions": {
            "CurrentVersion": "R20211203-P2",
            "NewVersion": "",
            "UpdateAvailable": false,
            "Cancellable": false,
            "UpdateStatus": "COMPLETED",
            "Description": "There is no software update available for this domain.",
            "AutomatedUpdateDate": "2021-12-15T22:07:00+00:00",
            "OptionalDeployment": false
        },
        "DomainEndpointOptions": {
            "EnforceHTTPS": false,
            "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",
            "CustomEndpointEnabled": false
        },
        "AdvancedSecurityOptions": {
            "Enabled": false,
            "InternalUserDatabaseEnabled": false
        },
        "AutoTuneOptions": {
            "State": "ENABLE_IN_PROGRESS"
        }
    }
}

07 Run create-elasticsearch-domain command (OSX/Linux/UNIX) using the configuration information returned at the previous step to re-create the selected Amazon OpenSearch domain with the necessary encryption configuration (i.e. using the KMS Customer Master Key created earlier in the Remediation process). Replace the KmsKeyId parameter value with the key ARN returned at step no. 3, and make sure the access policy names the new domain in its Resource ARN and your own IAM identity as the Principal:

aws es create-elasticsearch-domain \
  --region us-east-1 \
  --domain-name trendmicro-v2 \
  --elasticsearch-version 7.9 \
  --elasticsearch-cluster-config InstanceType=t3.small.elasticsearch,InstanceCount=3 \
  --ebs-options EBSEnabled=true,VolumeType=gp2,VolumeSize=15 \
  --encryption-at-rest-options Enabled=true,KmsKeyId="arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234" \
  --access-policies '{"Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user" }, "Action":"es:*", "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro-v2/*" } ] }'

08 The command output should return the configuration metadata available for the new OpenSearch domain:

{
    "DomainStatus": {
        "DomainId": "123456789012/trendmicro-v2",
        "DomainName": "trendmicro-v2",
        "ARN": "arn:aws:es:us-east-1:123456789012:domain/trendmicro-v2",
        "Created": true,
        "Deleted": false,
        "Endpoint": "search-trendmicro-v2-abcd1234abcdabcd1234abcd.us-east-1.es.amazonaws.com",
        "Processing": false,
        "UpgradeProcessing": false,
        "ElasticsearchVersion": "7.9",
        "ElasticsearchClusterConfig": {
            "InstanceType": "t3.small.elasticsearch",
            "InstanceCount": 3,
            "DedicatedMasterEnabled": false,
            "ZoneAwarenessEnabled": false,
            "WarmEnabled": false,
            "ColdStorageOptions": {
                "Enabled": false
            }
        },
        "EBSOptions": {
            "EBSEnabled": true,
            "VolumeType": "gp2",
            "VolumeSize": 15
        },
        "AccessPolicies": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\"}]}",
        "SnapshotOptions": {},
        "CognitoOptions": {
            "Enabled": false
        },
        "EncryptionAtRestOptions": {
            "Enabled": true,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
        },
        "NodeToNodeEncryptionOptions": {
            "Enabled": false
        },
        "AdvancedOptions": {
            "indices.fielddata.cache.size": "",
            "override_main_response_version": "false",
            "rest.action.multi.allow_explicit_index": "false"
        },
        "ServiceSoftwareOptions": {
            "CurrentVersion": "R20211203-P2",
            "NewVersion": "",
            "UpdateAvailable": false,
            "Cancellable": false,
            "UpdateStatus": "COMPLETED",
            "Description": "There is no software update available for this domain.",
            "AutomatedUpdateDate": "2021-12-15T22:07:00+00:00",
            "OptionalDeployment": false
        },
        "DomainEndpointOptions": {
            "EnforceHTTPS": false,
            "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",
            "CustomEndpointEnabled": false
        },
        "AdvancedSecurityOptions": {
            "Enabled": false,
            "InternalUserDatabaseEnabled": false
        },
        "AutoTuneOptions": {
            "State": "ENABLE_IN_PROGRESS"
        }
    }
}
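Step 07 above assembles the create-elasticsearch-domain call by hand from the step 06 describe output. The following added example, which is not part of the Conformity page or of the AWS CLI, performs that transformation programmatically and writes a request file for the command's --cli-input-json option: it copies the settings that are valid request parameters, drops the read-only status fields (DomainId, ARN, Endpoint, ServiceSoftwareOptions, AutoTuneOptions state), swaps in the CMK, checks that the key is in the domain's region, and rewrites the access policy's Resource ARNs for the new domain name. The sample describe document, the names and the ARNs are constructed to mirror the page's examples.

```python
"""Build the create-elasticsearch-domain request for a CMK-encrypted copy of a domain.

Added example, not part of the Conformity page or of the AWS CLI. Running it
writes request.json for:
    aws es create-elasticsearch-domain --region us-east-1 --cli-input-json file://request.json
"""
import copy
import json
import re

# DomainStatus fields that are also CreateElasticsearchDomain request parameters.
# Output-only fields (DomainId, ARN, Endpoint, Processing, ServiceSoftwareOptions,
# AutoTuneOptions.State, ...) are deliberately not in this list.
COPY_FIELDS = ("ElasticsearchVersion", "ElasticsearchClusterConfig", "EBSOptions",
               "SnapshotOptions", "VPCOptions", "CognitoOptions",
               "NodeToNodeEncryptionOptions", "AdvancedOptions",
               "LogPublishingOptions", "DomainEndpointOptions", "AdvancedSecurityOptions")

# Constructed sample: trimmed describe-elasticsearch-domain output, as in step 06.
SAMPLE_DESCRIBE = {"DomainStatus": {
    "DomainId": "123456789012/trendmicro",
    "DomainName": "trendmicro",
    "ARN": "arn:aws:es:us-east-1:123456789012:domain/trendmicro",
    "Endpoint": "search-trendmicro-abcd1234abcdabcd1234abcd.us-east-1.es.amazonaws.com",
    "Processing": False,
    "ElasticsearchVersion": "7.9",
    "ElasticsearchClusterConfig": {"InstanceType": "t3.small.elasticsearch", "InstanceCount": 3,
                                   "DedicatedMasterEnabled": False, "ZoneAwarenessEnabled": False},
    "EBSOptions": {"EBSEnabled": True, "VolumeType": "gp2", "VolumeSize": 15},
    "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"},
         "Action": "es:*",
         "Resource": "arn:aws:es:us-east-1:123456789012:domain/trendmicro/*"}]}),
    "EncryptionAtRestOptions": {
        "Enabled": True,
        "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12341234-abcd-abcd-abcd-123412341234"},
    "NodeToNodeEncryptionOptions": {"Enabled": False},
    "ServiceSoftwareOptions": {"CurrentVersion": "R20211203-P2", "UpdateAvailable": False},
    "AutoTuneOptions": {"State": "ENABLE_IN_PROGRESS"},
}}

# Constructed: the CMK ARN returned by create-key in step 03.
NEW_CMK_ARN = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"


def arn_region(arn):
    """Region field of an ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[3]


def same_region(cmk_arn, domain_arn):
    """KMS keys are regional: the CMK must live in the domain's region."""
    return arn_region(cmk_arn) == arn_region(domain_arn)


def rewrite_access_policy(policy_text, old_name, new_name):
    """Point every Resource ARN at the new domain name (es:...:domain/<name>[/...])."""
    pattern = re.compile(rf":domain/{re.escape(old_name)}(?=/|$)")
    policy = json.loads(policy_text)
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource")
        if isinstance(resources, str):
            stmt["Resource"] = pattern.sub(f":domain/{new_name}", resources)
        elif isinstance(resources, list):
            stmt["Resource"] = [pattern.sub(f":domain/{new_name}", r) for r in resources]
    return json.dumps(policy, separators=(",", ":"))


def plan_recreate(describe_doc, new_name, cmk_arn):
    """Return the CreateElasticsearchDomain request for the CMK-encrypted copy."""
    status = describe_doc["DomainStatus"]
    old_name = status["DomainName"]
    if new_name == old_name:
        raise ValueError("the new domain needs a different name while the source domain exists")
    if not same_region(cmk_arn, status["ARN"]):
        raise ValueError("the CMK must be in the same region as the domain")
    request = {"DomainName": new_name}
    for field in COPY_FIELDS:
        if field in status:
            request[field] = copy.deepcopy(status[field])
    request["EncryptionAtRestOptions"] = {"Enabled": True, "KmsKeyId": cmk_arn}
    if "AccessPolicies" in status:
        request["AccessPolicies"] = rewrite_access_policy(status["AccessPolicies"], old_name, new_name)
    return request


if __name__ == "__main__":
    request = plan_recreate(SAMPLE_DESCRIBE, "trendmicro-v2", NEW_CMK_ARN)
    with open("request.json", "w") as fh:
        json.dump(request, fh, indent=2)
    print("aws es create-elasticsearch-domain --region us-east-1 --cli-input-json file://request.json")
```

Feed the real step 06 output in place of SAMPLE_DESCRIBE (for example with json.load on the saved CLI output) and review request.json before running the command; the access policy is carried over unchanged apart from the domain name, so an overly permissive source policy is copied as-is and should be tightened in the same review.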

09 Once the new OpenSearch domain is created, upload the data from the source domain to the destination (new) domain.

10 (Optional) You can remove the source OpenSearch domain from your AWS account in order to avoid further charges. To shut it down, run delete-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the OpenSearch domain that you want to delete as the identifier parameter:

aws es delete-elasticsearch-domain \
  --region us-east-1 \
  --domain-name trendmicro

11 The command output should return the configuration metadata of the removed OpenSearch domain:

{
    "DomainStatus": {
        "DomainId": "123456789012/trendmicro",
        "DomainName": "trendmicro",
        "ARN": "arn:aws:es:us-east-1:123456789012:domain/trendmicro",
        "Created": true,
        "Deleted": false,
        "Endpoint": "search-trendmicro-abcd1234abcdabcd1234abcd.us-east-1.es.amazonaws.com",
        "Processing": false,
        "UpgradeProcessing": false,
        "ElasticsearchVersion": "7.9",
        "ElasticsearchClusterConfig": {
            "InstanceType": "t3.small.elasticsearch",
            "InstanceCount": 3,
            "DedicatedMasterEnabled": false,
            "ZoneAwarenessEnabled": false,
            "WarmEnabled": false,
            "ColdStorageOptions": {
                "Enabled": false
            }
        },
        "EBSOptions": {
            "EBSEnabled": true,
            "VolumeType": "gp2",
            "VolumeSize": 15
        },
        "AccessPolicies": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"es:*\",\"Resource\":\"arn:aws:es:us-east-1:123456789012:domain/trendmicro/*\"}]}",
        "SnapshotOptions": {},
        "CognitoOptions": {
            "Enabled": false
        },
        "EncryptionAtRestOptions": {
            "Enabled": true,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/12341234-abcd-abcd-abcd-123412341234"
        },
        "NodeToNodeEncryptionOptions": {
            "Enabled": false
        },
        "AdvancedOptions": {
            "indices.fielddata.cache.size": "",
            "override_main_response_version": "false",
            "rest.action.multi.allow_explicit_index": "false"
        },
        "ServiceSoftwareOptions": {
            "CurrentVersion": "R20211203-P2",
            "NewVersion": "",
            "UpdateAvailable": false,
            "Cancellable": false,
            "UpdateStatus": "COMPLETED",
            "Description": "There is no software update available for this domain.",
            "AutomatedUpdateDate": "2021-12-15T22:07:00+00:00",
            "OptionalDeployment": false
        },
        "DomainEndpointOptions": {
            "EnforceHTTPS": false,
            "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",
            "CustomEndpointEnabled": false
        },
        "AdvancedSecurityOptions": {
            "Enabled": false,
            "InternalUserDatabaseEnabled": false
        },
        "AutoTuneOptions": {
            "State": "ENABLE_IN_PROGRESS"
        }
    }
}

12 Repeat steps no. 5 – 11 to enable encryption at rest using Customer Master Keys for each OpenSearch domain available in the selected AWS region.

13 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 12 to perform the Remediation process for other regions.


Publication date Feb 2, 2018
