Ensure that the data on your Amazon OpenSearch domains is encrypted at rest in order to meet security and compliance requirements. Encryption of data at rest helps prevent unauthorized users from reading sensitive information available on your domains. This includes all data stored on the underlying file systems, primary and replica indices, log files, memory swap files and automated snapshots saved to S3. Amazon OpenSearch handles the encryption/decryption process seamlessly, so you don’t have to modify your applications to access your data. The encryption feature uses the Amazon KMS service to store and manage the encryption keys.
This rule can help you with the following compliance standards:
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When working with production data that contains sensitive information, it is strongly recommended to implement encryption at rest in order to protect the data from unauthorized access and fulfill any compliance requirements promoted within your organization.
Audit
To determine if data-at-rest encryption is enabled for your Amazon OpenSearch domains, perform the following operations:
Remediation / Resolution
To enable encryption of data at rest for your Amazon OpenSearch domains (clusters), perform the following operations:
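The audit step above amounts to reading `DomainStatus.EncryptionAtRestOptions` for every domain and treating anything other than `Enabled: true` as a finding. The following Python is an added example for this page, not Conformity's own code or the AWS SDK's. It evaluates the check offline against constructed sample responses shaped like `describe-elasticsearch-domain` / `describe-domain` output; the `audit_live_account` helper, which assumes `boto3` is installed and credentials are configured, shows how the same logic would be fed from the real API.

```python
"""Audit helper: flag Amazon OpenSearch Service domains without encryption at rest.

Added example for this rule page; not Conformity's own code. The response
shapes mirror the AWS describe-elasticsearch-domain / describe-domain API
output (DomainStatus.EncryptionAtRestOptions). SAMPLE_DOMAINS is constructed
for illustration and contains no real account data.
"""
from typing import Any, Dict, Iterable, List, Optional


def is_encrypted_at_rest(domain_status: Dict[str, Any]) -> bool:
    """Return True only when EncryptionAtRestOptions.Enabled is exactly True.

    A missing options block, a missing Enabled key, or a non-boolean value
    (for example the string "true") is treated as NOT encrypted, so an
    unexpected response shape never passes the check silently.
    """
    options = domain_status.get("EncryptionAtRestOptions") or {}
    return options.get("Enabled") is True


def kms_key_in_use(domain_status: Dict[str, Any]) -> Optional[str]:
    """Return the KMS key backing encryption at rest, or None when not enabled."""
    if not is_encrypted_at_rest(domain_status):
        return None
    return domain_status["EncryptionAtRestOptions"].get("KmsKeyId")


def find_unencrypted_domains(domains: Iterable[Dict[str, Any]]) -> List[str]:
    """Given DomainStatus dicts, return the names of domains failing the rule."""
    return [d["DomainName"] for d in domains if not is_encrypted_at_rest(d)]


# Constructed sample responses, trimmed to the fields the check uses.
SAMPLE_DOMAINS = [
    {
        "DomainName": "search-prod",
        "EncryptionAtRestOptions": {
            "Enabled": True,
            # placeholder ARN; account id and key id are not real
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        },
    },
    {"DomainName": "search-legacy", "EncryptionAtRestOptions": {"Enabled": False}},
    {"DomainName": "search-dev"},  # no EncryptionAtRestOptions block at all
]


def audit_live_account(region_name: str = "us-east-1") -> List[str]:
    """Run the same check against a real account (assumes boto3 + credentials).

    Uses the opensearch client's list_domain_names and describe_domain calls.
    Not exercised by the offline sample run below.
    """
    import boto3  # imported here so the offline example does not require it

    client = boto3.client("opensearch", region_name=region_name)
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    statuses = [client.describe_domain(DomainName=n)["DomainStatus"] for n in names]
    return find_unencrypted_domains(statuses)


if __name__ == "__main__":
    for name in find_unencrypted_domains(SAMPLE_DOMAINS):
        print(f"NON-COMPLIANT: {name} has no encryption at rest")
```

Running the file as-is reports `search-legacy` and `search-dev`; a domain that lacks the `EncryptionAtRestOptions` block entirely is deliberately counted as a finding rather than skipped, since silence from the API is not evidence of encryption.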
References
- AWS Documentation
  - Amazon OpenSearch Service FAQs
  - Encryption of data at rest for Amazon OpenSearch Service
  - Step 1: Create an OpenSearch Service domain
  - Step 2: Upload data to OpenSearch Service for indexing
  - Step 4: Delete an OpenSearch Service domain
- AWS Command Line Interface (CLI) Documentation
  - es
  - list-domain-names
  - describe-elasticsearch-domain
  - update-elasticsearch-domain
- CloudFormation Documentation
  - Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) resource type reference
- Terraform Documentation
  - AWS Provider