
Encryption At Rest

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ES-012

Ensure that the data on your Amazon OpenSearch Service domains is encrypted at rest in order to meet security and compliance requirements. Encryption of data at rest helps prevent unauthorized users from reading sensitive information stored on your domains. This covers all data on the underlying file systems: primary and replica indices, log files, memory swap files and automated snapshots saved to S3. Amazon OpenSearch Service handles the encryption/decryption process transparently, so you don't have to modify your applications to access your data. The feature uses AWS Key Management Service (AWS KMS) to store and manage the encryption keys: either the AWS managed key for the service (alias aws/es) or a symmetric customer managed key in the same region as the domain. Encryption at rest requires Elasticsearch 5.1 or later (any OpenSearch version qualifies), is not available on t2 instance types, and cannot be disabled once it has been enabled.

This rule can help you with the following compliance standards:

  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on the compliance standards supported by Conformity, see the Conformity compliance documentation.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When working with production data that contains sensitive information, it is strongly recommended to implement encryption at rest in order to protect the data from unauthorized access and to fulfill any compliance requirements that apply to your organization.


Audit

To determine if data-at-rest encryption is enabled for your Amazon OpenSearch domains, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Click on the name (link) of the OpenSearch domain that you want to examine.

05 Select the Security configuration tab and check the Encryption at rest attribute listed in the Encryption section. If Encryption at rest is set to No, encryption at rest is not enabled for the selected Amazon OpenSearch domain, and the data stored on the domain's file systems (primary and replica indices, log files, memory swap files and automated snapshots) is not protected from unauthorized access.

06 Repeat steps no. 4 and 5 for each Amazon OpenSearch domain available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region. The legacy es command namespace still covers OpenSearch domains; aws opensearch list-domain-names is the equivalent newer command:

aws es list-domain-names \
  --region us-east-1 \
  --query 'DomainNames[*].DomainName'

02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

[
    "trendmicro",
    "cloudconformity"
]

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch domain that you want to examine as the identifier parameter and a custom query filter to determine if encryption at rest is enabled for the selected domain (aws opensearch describe-domain returns the same DomainStatus structure):

aws es describe-elasticsearch-domain \
  --region us-east-1 \
  --domain-name trendmicro \
  --query 'DomainStatus.EncryptionAtRestOptions.Enabled'

04 The command output should return the encryption at rest configuration status:

false

If the describe-elasticsearch-domain command output returns false, as shown in the output example above, the encryption at rest is not enabled for the selected Amazon OpenSearch domain (cluster).

05 Repeat steps no. 3 and 4 for each Amazon OpenSearch domain available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
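The CLI steps above check one domain in one region at a time. The following script, added here as an example (it is not Conformity's or AWS's code), performs the same audit across every region and also records the two conditions that would block remediation: an engine older than Elasticsearch 5.1 and a t2 instance type. It assumes boto3 and the opensearch service API (ListDomainNames, DescribeDomain); the client is passed in, so the constructed SAMPLE_DOMAINS and FakeClient at the bottom let the logic run offline, and --live switches to real clients.

```python
"""Multi-region audit of OpenSearch encryption at rest (added example)."""

# Assumed service constraints (from the AWS documentation): encryption at rest
# needs Elasticsearch 5.1+ (any OpenSearch version is fine) and is not offered
# on t2 instance types.
MIN_ES_VERSION = (5, 1)


def engine_supports_encryption(engine_version):
    """'OpenSearch_1.0' -> True, 'Elasticsearch_5.0' -> False."""
    engine, _, version = engine_version.partition("_")
    if engine == "OpenSearch":
        return True
    if not version:
        return False
    major, minor = (int(part) for part in version.split(".")[:2])
    return (major, minor) >= MIN_ES_VERSION


def classify_domain(status):
    """Turn one DescribeDomain DomainStatus dict into an audit finding."""
    engine = status.get("EngineVersion", "")
    instance_type = status.get("ClusterConfig", {}).get("InstanceType", "")
    ear = status.get("EncryptionAtRestOptions", {})
    blockers = []
    if not engine_supports_encryption(engine):
        blockers.append(f"{engine} predates Elasticsearch 5.1; upgrade first")
    if instance_type.startswith("t2."):
        blockers.append(f"{instance_type} does not support encryption at rest")
    return {
        "DomainName": status["DomainName"],
        "Encrypted": bool(ear.get("Enabled", False)),
        "KmsKeyId": ear.get("KmsKeyId", ""),
        "Blockers": blockers,
    }


def audit_region(client):
    """Classify every domain visible through one regional client."""
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    return [classify_domain(client.describe_domain(DomainName=n)["DomainStatus"])
            for n in names]


def audit_all_regions(client_factory, regions):
    """Map region -> findings; client_factory(region) must return a client."""
    return {region: audit_region(client_factory(region)) for region in regions}


def failing(findings):
    """Unencrypted domain names, split by whether they can be fixed as-is."""
    out = {"fixable": [], "blocked": []}
    for finding in findings:
        if finding["Encrypted"]:
            continue
        out["blocked" if finding["Blockers"] else "fixable"].append(finding["DomainName"])
    return out


# Constructed sample responses (not real domains) in the DescribeDomain shape.
SAMPLE_DOMAINS = {
    "trendmicro": {
        "DomainName": "trendmicro", "EngineVersion": "OpenSearch_1.0",
        "ClusterConfig": {"InstanceType": "t3.small.search"},
        "EncryptionAtRestOptions": {"Enabled": False},
    },
    "cloudconformity": {
        "DomainName": "cloudconformity", "EngineVersion": "Elasticsearch_7.10",
        "ClusterConfig": {"InstanceType": "m5.large.search"},
        "EncryptionAtRestOptions": {
            "Enabled": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234",
        },
    },
    "legacy-es": {
        "DomainName": "legacy-es", "EngineVersion": "Elasticsearch_5.0",
        "ClusterConfig": {"InstanceType": "t2.small.search"},
        "EncryptionAtRestOptions": {"Enabled": False},
    },
}


class FakeClient:
    """Offline stand-in for boto3.client('opensearch') backed by SAMPLE_DOMAINS."""
    def __init__(self, domains):
        self.domains = domains

    def list_domain_names(self):
        return {"DomainNames": [{"DomainName": n} for n in self.domains]}

    def describe_domain(self, DomainName):
        return {"DomainStatus": self.domains[DomainName]}


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:  # real account: iterate every OpenSearch region
        import boto3
        session = boto3.Session()
        regions = session.get_available_regions("opensearch")
        results = audit_all_regions(
            lambda r: session.client("opensearch", region_name=r), regions)
    else:  # offline demo on the constructed sample
        results = audit_all_regions(lambda r: FakeClient(SAMPLE_DOMAINS), ["us-east-1"])
    for region, findings in results.items():
        print(region, failing(findings))
```

Domains listed under "blocked" need an engine upgrade or an instance type change before the remediation below will succeed; the t2 check is a prefix match, so it also covers t2.micro and t2.medium.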

Remediation / Resolution

To enable encryption of data at rest for your Amazon OpenSearch domains (clusters), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Encryption of Data at Rest",
	"Resources": {
		"OpenSearchDomain": {
			"Type":"AWS::OpenSearchService::Domain",
			"Properties": {
				"DomainName": "cc-opensearch-domain",
				"EngineVersion": "OpenSearch_1.0",
				"ClusterConfig": {
					"InstanceType": "t3.small.search",
					"InstanceCount": "2"
				},
				"EBSOptions": {
					"EBSEnabled": true,
					"VolumeSize": "30",
					"VolumeType": "gp2"
				},
				"EncryptionAtRestOptions": {
					"Enabled": true
				},
				"AccessPolicies": {
					"Version":"2012-10-17",
					"Statement":[
						{
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
							},
							"Action":"es:*",
							"Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
						}
					]
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Encryption of Data at Rest
Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: cc-opensearch-domain
      EngineVersion: OpenSearch_1.0
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: '2'
      EBSOptions:
        EBSEnabled: true
        VolumeSize: '30'
        VolumeType: gp2
      EncryptionAtRestOptions:
        Enabled: true
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/cc-opensearch-user
            Action: es:*
            Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*
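Templates like the ones above are the cheapest place to catch this misconfiguration, before a domain ever exists. The script below is an added example (not part of the Conformity page or the AWS tooling) that scans the JSON form of a CloudFormation template for AWS::OpenSearchService::Domain and AWS::Elasticsearch::Domain resources whose EncryptionAtRestOptions.Enabled is not literally true. Values that come from intrinsic functions such as Ref or Fn::If are reported as unresolved rather than passed, since they are only known at deploy time. The SAMPLE_TEMPLATE is constructed for the example; a YAML template would first need to be loaded with yaml.safe_load from PyYAML, which is assumed but not used here.

```python
"""Static check for encryption at rest in CloudFormation templates (added example)."""
import json

DOMAIN_TYPES = {"AWS::OpenSearchService::Domain", "AWS::Elasticsearch::Domain"}


def encryption_at_rest_state(properties):
    """Return 'enabled', 'disabled' or 'unresolved' for one domain's Properties."""
    opts = properties.get("EncryptionAtRestOptions")
    if not isinstance(opts, dict):
        return "disabled"  # property missing altogether; the service default is off
    if "Enabled" not in opts:
        # {"Ref": ...} / {"Fn::If": ...} in place of the whole block
        return "unresolved" if opts else "disabled"
    enabled = opts["Enabled"]
    if enabled is True or (isinstance(enabled, str) and enabled.lower() == "true"):
        return "enabled"
    if isinstance(enabled, dict):
        return "unresolved"  # intrinsic function; review it, do not pass it
    return "disabled"


def find_noncompliant_domains(template):
    """Logical IDs of domain resources that are not provably encrypted at rest."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in DOMAIN_TYPES:
            continue
        state = encryption_at_rest_state(resource.get("Properties", {}))
        if state != "enabled":
            findings[logical_id] = state
    return findings


def check_template_text(text):
    """Parse a JSON template and return its non-compliant domain resources."""
    return find_noncompliant_domains(json.loads(text))


# Constructed template: one compliant domain, one that omits the option, one
# whose value depends on a parameter, and an unrelated resource.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"EncryptDomain": {"Type": "String", "Default": "false"}},
    "Resources": {
        "GoodDomain": {
            "Type": "AWS::OpenSearchService::Domain",
            "Properties": {"DomainName": "cc-opensearch-domain",
                           "EncryptionAtRestOptions": {"Enabled": True}},
        },
        "BadDomain": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {"DomainName": "legacy-domain"},
        },
        "ParamDomain": {
            "Type": "AWS::OpenSearchService::Domain",
            "Properties": {"DomainName": "param-domain",
                           "EncryptionAtRestOptions": {"Enabled": {"Ref": "EncryptDomain"}}},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    },
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for logical_id, state in check_template_text(text).items():
        print(f"{logical_id}: encryption at rest {state}")
```

Wire check_template_text into a pre-commit hook or CI job and fail the build on a non-empty result; treating unresolved as a failure keeps a parameter default of "false" from slipping through.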

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 4.0"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    region = "us-east-1"
}

resource "aws_opensearch_domain" "opensearch-domain" {
    domain_name    = "cc-opensearch-domain"
    engine_version = "OpenSearch_1.0"

    cluster_config {
        instance_type  = "t3.small.search"
        instance_count = 1
    }

    ebs_options {
        ebs_enabled = true
        volume_size = 30
        volume_type = "gp2"
    }

    # Enable Encryption of Data at Rest
    # (without kms_key_id the AWS managed key aws/es is used)
    encrypt_at_rest {
        enabled = true
    }

    access_policies = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
        }
    ]
}
POLICY
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Select the OpenSearch domain that you want to reconfigure, choose Actions from the console top menu, and select Edit security configuration.

05 In the Encryption section, select the Enable encryption of data at rest checkbox to enable encryption at rest for the selected Amazon OpenSearch domain. For Choose an AWS KMS key, keep the default AWS managed key (aws/es) or select a customer managed key; the key must be symmetric, must be in the same region as the domain, and its key policy must allow the principal making the change to use it. Choose Save changes to apply the configuration changes. The update runs as a blue/green deployment, so the domain remains available but the change takes time to complete. After you enable encryption of data at rest, you will no longer be able to disable the feature.

06 Repeat steps no. 4 and 5 to enable encryption at rest for other Amazon OpenSearch domains available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch domain (cluster) that you want to reconfigure as the identifier parameter to enable encryption of data at rest for the selected domain (aws opensearch update-domain-config accepts the same parameters). Replace the KmsKeyId parameter value with the ID or ARN of the symmetric KMS key that you want to use for domain data encryption; the key must be in the same region as the domain. Omit KmsKeyId to use the AWS managed key (aws/es). The update runs as a blue/green deployment, and once enabled, encryption at rest cannot be turned off:

aws es update-elasticsearch-domain-config \
  --region us-east-1 \
  --domain-name trendmicro \
  --encryption-at-rest-options Enabled=true,KmsKeyId="arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

02 The command output should return the configuration information available for the reconfigured domain (cluster):

{
    "DomainConfig": {
        "ElasticsearchVersion": {
            "Options": "7.9",
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "ElasticsearchClusterConfig": {
            "Options": {
                "InstanceType": "t3.small.elasticsearch",
                "InstanceCount": 3,
                "DedicatedMasterEnabled": false,
                "ZoneAwarenessEnabled": false,
                "WarmEnabled": false,
                "ColdStorageOptions": {
                    "Enabled": false
                }
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "EBSOptions": {
            "Options": {
                "EBSEnabled": true,
                "VolumeType": "gp2",
                "VolumeSize": 15
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "SnapshotOptions": {
            "Options": {
                "AutomatedSnapshotStartHour": 0
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },

        ...

        "VPCOptions": {
            "Options": {},
            "Status": {
                "CreationDate": "2022-01-03T19:09:03.386000+00:00",
                "UpdateDate": "2022-01-03T19:09:03.386000+00:00",
                "UpdateVersion": 9,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "CognitoOptions": {
            "Options": {
                "Enabled": false
            },
            "Status": {
                "CreationDate": "2022-01-03T19:09:03.386000+00:00",
                "UpdateDate": "2022-01-03T19:09:03.386000+00:00",
                "UpdateVersion": 9,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "EncryptionAtRestOptions": {
            "Options": {
                "Enabled": true,
                "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T19:46:37.481000+00:00",
                "UpdateVersion": 18,
                "State": "Processing",
                "PendingDeletion": false
            }
        },
        "NodeToNodeEncryptionOptions": {
            "Options": {
                "Enabled": true
            },
            "Status": {
                "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                "UpdateDate": "2022-01-03T19:09:03.288000+00:00",
                "UpdateVersion": 9,
                "State": "Processing",
                "PendingDeletion": false
            }
        }
    }
}

03 Repeat steps no. 1 and 2 to enable encryption at rest for other Amazon OpenSearch domains available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
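The CLI command above submits the change without checking that the key it names is usable, and the error only surfaces after the API call. The following script, added here as an example and not part of Conformity's or AWS's tooling, performs the remediation with the pre-flight checks a practitioner would want: it skips domains that are already encrypted, verifies that the customer managed key is a symmetric, enabled key in the same region as the domain, and optionally waits for the blue/green deployment to finish by polling the Processing flag. It assumes boto3's opensearch client (DescribeDomain, UpdateDomainConfig) and kms client (DescribeKey); the example deliberately requires a full key ARN so the region can be checked, even though the API also accepts a bare key ID. The fake clients, SAMPLE_STATUS and SAMPLE_KEY are constructed so the logic runs offline.

```python
"""Enable encryption at rest with pre-flight KMS checks (added example)."""
import re
import time

KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/[0-9a-f-]{36}$")


def check_key(kms_client, key_arn, domain_region):
    """Reasons the key cannot be used for this domain (empty list = usable).

    Assumed constraints: symmetric, enabled, same region as the domain. KeySpec
    is the current field name; CustomerMasterKeySpec is the older one.
    """
    match = KEY_ARN.match(key_arn)
    if not match:
        return [f"{key_arn!r} is not a KMS key ARN"]
    problems = []
    if match["region"] != domain_region:
        problems.append(f"key is in {match['region']}, domain is in {domain_region}")
    meta = kms_client.describe_key(KeyId=key_arn)["KeyMetadata"]
    if meta.get("KeyState") != "Enabled":
        problems.append(f"key state is {meta.get('KeyState')}")
    spec = meta.get("KeySpec") or meta.get("CustomerMasterKeySpec")
    if spec != "SYMMETRIC_DEFAULT":
        problems.append(f"key spec {spec} is not symmetric")
    return problems


def build_update(status, key_arn=None):
    """UpdateDomainConfig kwargs, or None when encryption is already on.

    Omitting key_arn selects the AWS managed key (aws/es).
    """
    if status.get("EncryptionAtRestOptions", {}).get("Enabled"):
        return None
    options = {"Enabled": True}
    if key_arn:
        options["KmsKeyId"] = key_arn
    return {"DomainName": status["DomainName"], "EncryptionAtRestOptions": options}


def enable_encryption(os_client, kms_client, domain_name, key_arn=None, wait=False):
    """Enable encryption at rest on one domain; returns what was done."""
    status = os_client.describe_domain(DomainName=domain_name)["DomainStatus"]
    params = build_update(status, key_arn)
    if params is None:
        return "already-enabled"
    if key_arn:
        region = status["ARN"].split(":")[3]  # arn:aws:es:REGION:account:domain/name
        problems = check_key(kms_client, key_arn, region)
        if problems:
            raise ValueError("; ".join(problems))
    os_client.update_domain_config(**params)
    if wait:
        # The change runs as a blue/green deployment; Processing clears when done.
        while os_client.describe_domain(DomainName=domain_name)["DomainStatus"].get("Processing"):
            time.sleep(30)
    return "enabled"


# Constructed fakes standing in for the boto3 clients.
class FakeOpenSearch:
    def __init__(self, status):
        self.status, self.updates = status, []

    def describe_domain(self, DomainName):
        return {"DomainStatus": self.status}

    def update_domain_config(self, **params):
        self.updates.append(params)
        self.status["EncryptionAtRestOptions"] = dict(params["EncryptionAtRestOptions"])
        return {"DomainConfig": {}}


class FakeKms:
    def __init__(self, **metadata):
        self.metadata = {"KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", **metadata}

    def describe_key(self, KeyId):
        return {"KeyMetadata": self.metadata}


SAMPLE_STATUS = {
    "DomainName": "trendmicro",
    "ARN": "arn:aws:es:us-east-1:123456789012:domain/trendmicro",
    "EncryptionAtRestOptions": {"Enabled": False},
}
SAMPLE_KEY = "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234abcd1234"

if __name__ == "__main__":
    print(enable_encryption(FakeOpenSearch(dict(SAMPLE_STATUS)), FakeKms(), "trendmicro", SAMPLE_KEY))
```

Against a real account, replace the fakes with boto3.client("opensearch", region_name=...) and boto3.client("kms", region_name=...) for the domain's region; the caller also needs permission to use the key, since the service encrypts with it on the caller's behalf.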


Publication date Dec 19, 2017