Ensure that your Amazon Elasticsearch (ES) domains are encrypted in order to meet security and compliance requirements. Encryption of data at rest helps prevent unauthorized users from reading sensitive information stored on your ES domains (clusters) and their storage systems. This includes all data stored on the underlying file systems, primary and replica indices, log files, memory swap files and automated snapshots saved to S3. Amazon Elasticsearch handles the encryption/decryption process seamlessly, so you don’t have to modify your applications to access your data. The Elasticsearch at-rest encryption feature uses the AWS KMS service to store and manage the encryption keys.
This rule can help you with the following compliance standards:
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When working with production data that contains sensitive information, it is highly recommended to implement encryption at rest in order to protect it from unauthorized access and fulfill any compliance requirements defined within your organization.
Note: At-rest encryption can be enabled only for AWS ES domains with Elasticsearch version 5.1 and above.
To determine if data-at-rest encryption is enabled for your AWS ES domains, perform the following:
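One way to run this check against AWS CLI output, as an added example that is not part of the original Conformity page. It assumes each input is a `DomainStatus` object as returned by `aws es describe-elasticsearch-domain`; the domain names and key ARN in the sample are constructed, and the function names are illustrative.

```python
import json
import sys

MIN_VERSION = (5, 1)  # per the note above: at-rest encryption needs ES 5.1+

def parse_version(text):
    """Turn '6.8' into (6, 8); missing or malformed versions sort lowest."""
    try:
        parts = [int(p) for p in str(text).split(".")]
    except ValueError:
        return (0, 0)
    return tuple((parts + [0])[:2])

def audit_domain(status):
    """Classify one DomainStatus dict by its EncryptionAtRestOptions."""
    opts = status.get("EncryptionAtRestOptions") or {}
    version = status.get("ElasticsearchVersion", "")
    finding = {
        "domain": status.get("DomainName", "<unknown>"),
        "version": version,
        "encrypted": opts.get("Enabled") is True,
        "kms_key": opts.get("KmsKeyId"),
    }
    if finding["encrypted"]:
        finding["action"] = "none"
    elif parse_version(version) >= MIN_VERSION:
        finding["action"] = "recreate with encryption at rest enabled"
    else:
        finding["action"] = "recreate on ES 5.1+ with encryption at rest enabled"
    return finding

def audit_all(statuses):
    """Return findings only for domains that are not encrypted at rest."""
    return [f for f in map(audit_domain, statuses) if not f["encrypted"]]

# Constructed sample input (not real domains or keys).
SAMPLE = [
    {"DomainName": "logs-prod", "ElasticsearchVersion": "6.8",
     "EncryptionAtRestOptions": {"Enabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
    {"DomainName": "search-legacy", "ElasticsearchVersion": "2.3",
     "EncryptionAtRestOptions": {"Enabled": False}},
    {"DomainName": "metrics-dev", "ElasticsearchVersion": "5.5"},
]

if __name__ == "__main__":
    # Optional argument: a JSON file holding a list of DomainStatus objects.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_all(data):
        print(f"{f['domain']} (ES {f['version']}): {f['action']}")
```

A domain whose response lacks `EncryptionAtRestOptions` entirely is treated as unencrypted, which is the safe default for an audit.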
Remediation / Resolution
To enable at-rest encryption for your existing AWS Elasticsearch domains, you must re-create them with the necessary encryption configuration. To relaunch the required ES domains, perform the following:
You are auditing:
Encryption At Rest
Risk level: High