Ensure that node-to-node encryption feature is enabled for your AWS ElasticSearch domains (clusters) in order to add an extra layer of data protection on top of the existing ES security features such as HTTPS client to cluster encryption and data-at-rest encryption, and meet strict compliance requirements. The ElasticSearch node-to-node encryption capability provides the additional layer of security by implementing Transport Layer Security (TLS) for all communications between the nodes provisioned within the cluster. The feature ensures that any data sent to your AWS ElasticSearch domain over HTTPS remains encrypted in transit while it is being distributed and replicated between the nodes.
This rule can help you with the following compliance standards:
- HIPAA
- GDPR
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
As a security best practice, it is always recommended to use encryption to promote data security and fulfill any compliance requirements related to data protection available within your organization. Node-to-node encryption prevents potential attackers from intercepting traffic between ElasticSearch cluster nodes and keeps the ES domain's data secure.
Note: Node-to-node encryption is supported only by domains with ElasticSearch version 6.0 or later.
Audit
To determine if the communication between ElasticSearch cluster nodes is encrypted, perform the following actions:
Remediation / Resolution
To enable node-to-node encryption for your existing Amazon ElasticSearch domains, you need to re-create them with the necessary configuration. To relaunch the required ES domains, perform the following actions:
References
- AWS Documentation
- Amazon Elasticsearch Service FAQs
- Node-to-node Encryption for Amazon Elasticsearch Service
- Creating and Configuring Amazon Elasticsearch Service Domains
- Step 2: Upload Data to an Amazon ES Domain for Indexing
- Step 4: Delete an Amazon ES Domain
- AWS Command Line Interface (CLI) Documentation
- es
- list-domain-names
- describe-elasticsearch-domain
- create-elasticsearch-domain
- delete-elasticsearch-domain
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

You are auditing:
ElasticSearch Node To Node Encryption
Risk level: High