Ensure that node-to-node encryption is enabled for your Amazon OpenSearch domains (clusters) in order to meet strict compliance requirements and add an extra layer of data protection on top of the existing OpenSearch security features such as client-to-cluster encryption using HTTPS and data-at-rest encryption. Node-to-node encryption adds that layer by applying Transport Layer Security (TLS) to all communication between the data nodes provisioned within the cluster.
This rule can help you with the following compliance standards:
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
To follow security best practices, it is highly recommended to use encryption to protect data and to fulfill any data-protection compliance requirements that apply within your organization. Node-to-node encryption prevents potential attackers from intercepting traffic between OpenSearch cluster data nodes and keeps the domain's data secure.
Audit
To determine if the communication between OpenSearch cluster data nodes is encrypted, perform the following actions:
Remediation / Resolution
To enable node-to-node encryption for your Amazon OpenSearch domains (clusters), perform the following actions:
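The following script is an added example for both the Audit and Remediation sections above; it is not Conformity's or AWS's own code. It evaluates the JSON returned by `aws es describe-elasticsearch-domain --domain-name <name>` (the CLI commands listed under References) and reports any domain whose `NodeToNodeEncryptionOptions.Enabled` is not `true`. To run offline it uses constructed sample responses with placeholder domain names (`search-logs`, `legacy-index`, `bare-domain`); replace `SAMPLE_DESCRIBE_OUTPUT` with real CLI output when auditing an account. The remediation command mentioned in the comments is an assumption about the CLI, not a step taken from this page.

```python
"""Audit helper for the OpenSearch node-to-node encryption rule.

Added example (not Conformity's or AWS's code). Feed it the JSON that
`aws es describe-elasticsearch-domain --domain-name <name>` prints, one
string per domain; domain names come from `aws es list-domain-names`.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample responses, shaped like the describe-elasticsearch-domain
# output. Domain names are placeholders, not real domains.
SAMPLE_DESCRIBE_OUTPUT: dict[str, str] = {
    "search-logs": json.dumps({"DomainStatus": {
        "DomainName": "search-logs",
        "NodeToNodeEncryptionOptions": {"Enabled": True},
        "EncryptionAtRestOptions": {"Enabled": True},
        "DomainEndpointOptions": {"EnforceHTTPS": True}}}),
    "legacy-index": json.dumps({"DomainStatus": {
        "DomainName": "legacy-index",
        "NodeToNodeEncryptionOptions": {"Enabled": False}}}),
    # Older domains may omit the block entirely; treat that as disabled.
    "bare-domain": json.dumps({"DomainStatus": {"DomainName": "bare-domain"}}),
}


@dataclass
class Finding:
    domain: str
    compliant: bool
    reason: str


def node_to_node_encryption_enabled(describe_json: str) -> bool:
    """True only when NodeToNodeEncryptionOptions.Enabled is the JSON boolean true.

    A missing block, null, or a string such as "true" is reported as disabled so
    that malformed or partial output never passes the audit by accident.
    """
    status = json.loads(describe_json).get("DomainStatus") or {}
    options = status.get("NodeToNodeEncryptionOptions") or {}
    return options.get("Enabled") is True


def audit_domain(name: str, describe_json: str) -> Finding:
    """Evaluate one domain and explain the result."""
    if node_to_node_encryption_enabled(describe_json):
        return Finding(name, True, "node-to-node encryption is enabled")
    return Finding(
        name, False,
        "node-to-node encryption is disabled; traffic between data nodes is "
        "not protected by TLS",
    )


def audit_all(describe_outputs: dict[str, str]) -> list[Finding]:
    """Audit every domain in the mapping, preserving the input order."""
    return [audit_domain(name, out) for name, out in describe_outputs.items()]


def non_compliant_domains(describe_outputs: dict[str, str]) -> list[str]:
    """Names of domains that fail the rule, in input order."""
    return [f.domain for f in audit_all(describe_outputs) if not f.compliant]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_DESCRIBE_OUTPUT):
        state = "PASS" if finding.compliant else "FAIL"
        print(f"{state} {finding.domain}: {finding.reason}")
    # Assumed remediation (verify against the AWS CLI reference for your
    # engine version before use):
    #   aws es update-elasticsearch-domain-config --domain-name <name> \
    #       --node-to-node-encryption-options Enabled=true
    # If the domain cannot be updated in place, create a new domain with
    # node-to-node encryption enabled, reindex the data into it, and delete
    # the old domain.
```

The check deliberately tests for the JSON boolean `true` rather than any truthy value, so a response where the block is absent or carries a string still fails the audit.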
References
- AWS Documentation
- Amazon OpenSearch Service FAQs
- Node-to-node encryption for Amazon OpenSearch Service
- Creating and Configuring Amazon Elasticsearch Service Domains
- Step 2: Upload data to OpenSearch Service for indexing
- Step 4: Delete an OpenSearch Service domain
- AWS Blog
- Amazon Elasticsearch Service now supports encrypted communication between Elasticsearch nodes
- AWS Command Line Interface (CLI) Documentation
- es
- list-domain-names
- describe-elasticsearch-domain
- update-elasticsearch-domain
- CloudFormation Documentation
- Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) resource type reference
- Terraform Documentation
- AWS Provider