
OpenSearch Node To Node Encryption

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ES-015

Ensure that node-to-node encryption is enabled for your Amazon OpenSearch domains (clusters) in order to meet strict compliance requirements and add an extra layer of data protection on top of the existing OpenSearch security features such as client to cluster encryption using HTTPS and data-at-rest encryption. The node-to-node encryption capability provides an additional layer of security by implementing Transport Layer Security (TLS) for all the communications between the data nodes provisioned within the cluster.

This rule can help you with the following compliance standards:

  • HIPAA
  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by TrendAI Vision One™ Cloud Risk Management, see here.

This rule can help you work with the AWS Well-Architected Framework.

Security

To follow security best practices, it's highly recommended to use encryption in order to promote data security and fulfill any compliance requirements related to data protection required within your organization. Node-to-node encryption prevents potential attackers from intercepting traffic between OpenSearch cluster data nodes and keeps the domain's data secure.


Audit

To determine if the communication between OpenSearch cluster data nodes is encrypted, perform the following actions:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

  3. In the main navigation panel, under Dashboard, select Domains.

  4. Click on the name (link) of the OpenSearch domain that you want to examine.

  5. Select the Security configuration tab and check the Node-to-node encryption attribute value listed in the Encryption section. If Node-to-node encryption is set to No, the node-to-node encryption is not enabled for the selected Amazon OpenSearch domain, therefore the communication between the cluster nodes is not encrypted.

  6. Repeat steps no. 4 and 5 for each Amazon OpenSearch domain available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

  1. Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain (cluster) available in the selected AWS region:

    aws es list-domain-names \
      --region us-east-1 \
      --query 'DomainNames[*].DomainName'
    
  2. The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

    [
        "trendmicro",
        "example"
    ]
    
  3. Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to determine if node-to-node encryption is enabled for the selected domain:

    aws es describe-elasticsearch-domain \
      --region us-east-1 \
      --domain-name trendmicro \
      --query 'DomainStatus.NodeToNodeEncryptionOptions.Enabled'
    
  4. The command output should return the node-to-node encryption configuration status:

    false
    

    If the describe-elasticsearch-domain command output returns false, as in the example above, node-to-node encryption is not enabled for the selected Amazon OpenSearch domain (cluster), so traffic between its data nodes is not protected by TLS.

  5. Repeat steps no. 3 and 4 for each Amazon OpenSearch domain available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable node-to-node encryption for your Amazon OpenSearch domains (clusters), perform the following actions:

Using AWS CloudFormation

  1. CloudFormation template (JSON):

    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "Enable Node-to-Node Encryption",
      "Resources": {
        "OpenSearchDomain": {
          "Type": "AWS::OpenSearchService::Domain",
          "Properties": {
            "DomainName": "cc-opensearch-domain",
            "EngineVersion": "OpenSearch_1.0",
            "ClusterConfig": {
              "InstanceType": "t3.small.search",
              "InstanceCount": "2"
            },
            "EBSOptions": {
              "EBSEnabled": true,
              "VolumeSize": "30",
              "VolumeType": "gp2"
            },
            "NodeToNodeEncryptionOptions": {
              "Enabled": true
            },
            "AccessPolicies": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
                  },
                  "Action": "es:*",
                  "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
                }
              ]
            }
          }
        }
      }
    }
    
  2. CloudFormation template (YAML):

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Enable Node-to-Node Encryption
    Resources:
      OpenSearchDomain:
        Type: AWS::OpenSearchService::Domain
        Properties:
          DomainName: cc-opensearch-domain
          EngineVersion: OpenSearch_1.0
          ClusterConfig:
            InstanceType: t3.small.search
            InstanceCount: '2'
          EBSOptions:
            EBSEnabled: true
            VolumeSize: '30'
            VolumeType: gp2
          NodeToNodeEncryptionOptions:
            Enabled: true
          AccessPolicies:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  AWS: arn:aws:iam::123456789012:user/cc-opensearch-user
                Action: es:*
                Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*
    

Using Terraform (AWS Provider)

  1. Terraform configuration file (.tf):

    terraform {
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "~> 4.0"
        }
      }

      required_version = ">= 0.14.9"
    }

    provider "aws" {
      region = "us-east-1"
    }

    resource "aws_opensearch_domain" "opensearch-domain" {
      domain_name    = "cc-opensearch-domain"
      engine_version = "OpenSearch_1.0"

      cluster_config {
        instance_type  = "t3.small.search"
        instance_count = 1
      }

      ebs_options {
        ebs_enabled = true
        volume_size = 30
        volume_type = "gp2"
      }

      # Enable Node-to-Node Encryption
      node_to_node_encryption {
        enabled = true
      }

      # The "<<-" form lets the closing POLICY marker be indented.
      access_policies = <<-POLICY
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
          }
        ]
      }
      POLICY
    }
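The templates above set NodeToNodeEncryptionOptions.Enabled at creation time, which is the only point at which it can be chosen, so a pre-deployment check on the template is where this rule is cheapest to enforce. The following script is an added example (not code from the Trend Micro page or from AWS) that scans a CloudFormation JSON template for OpenSearch or legacy Elasticsearch domain resources that would deploy without node-to-node encryption; the sample template embedded in it is constructed for the demonstration, and the resource type names and property path are the CloudFormation ones used in the templates above.

```python
"""Flag OpenSearch (or legacy Elasticsearch) domains in a CloudFormation JSON
template whose NodeToNodeEncryptionOptions.Enabled is not true.

Added example, not code from the Trend Micro page or from AWS. Standard
library only; SAMPLE_TEMPLATE is constructed for the demonstration.
"""
import json
from typing import Any, Dict, List

# Both resource types expose the same NodeToNodeEncryptionOptions property.
DOMAIN_TYPES = {"AWS::OpenSearchService::Domain", "AWS::Elasticsearch::Domain"}


def _is_true(value: Any) -> bool:
    """CloudFormation JSON accepts a Boolean or the string "true" for Boolean
    properties. Anything else (missing value, "false", an unresolved intrinsic
    such as {"Ref": ...}) is treated as not enabled so the check fails closed."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def domain_lacks_n2n_encryption(properties: Dict[str, Any]) -> bool:
    """True when the domain's Properties do not enable node-to-node encryption."""
    options = properties.get("NodeToNodeEncryptionOptions") or {}
    return not _is_true(options.get("Enabled"))


def find_unencrypted_domains(template: Dict[str, Any]) -> List[str]:
    """Return the logical IDs of domain resources that would deploy without
    node-to-node encryption, in template order."""
    findings: List[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in DOMAIN_TYPES:
            continue
        if domain_lacks_n2n_encryption(resource.get("Properties") or {}):
            findings.append(logical_id)
    return findings


def check_template_text(text: str) -> List[str]:
    """Parse a JSON template string and run the check."""
    return find_unencrypted_domains(json.loads(text))


# Constructed sample: one compliant domain, one explicitly disabled, one that
# omits the option entirely (the console would show "No" for the latter two).
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GoodDomain": {
            "Type": "AWS::OpenSearchService::Domain",
            "Properties": {
                "DomainName": "cc-opensearch-domain",
                "NodeToNodeEncryptionOptions": {"Enabled": True},
            },
        },
        "LegacyDomain": {
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "DomainName": "legacy-es-domain",
                "NodeToNodeEncryptionOptions": {"Enabled": False},
            },
        },
        "UnsetDomain": {
            "Type": "AWS::OpenSearchService::Domain",
            "Properties": {"DomainName": "unset-domain"},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    },
})


if __name__ == "__main__":
    import sys
    # Usage: python check_n2n.py template.json   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_TEMPLATE
    for logical_id in check_template_text(text):
        print(f"FAIL {logical_id}: NodeToNodeEncryptionOptions.Enabled is not true")
```

The check deliberately treats an unresolved intrinsic (for example a `Ref` to a parameter) as a failure rather than guessing its value, so a template that makes encryption optional is reported for review. YAML templates need a loader that tolerates CloudFormation's short-form tags (`!Ref`, `!Sub`); PyYAML's `safe_load` rejects them by default, which is why this example sticks to JSON.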
    

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

  3. In the main navigation panel, under Dashboard, select Domains.

  4. Select the OpenSearch domain that you want to reconfigure, choose Actions from the console top menu, and select Edit security configuration.

  5. In the Encryption section, select the Node-to-node encryption checkbox to enable the node-to-node encryption feature for the selected Amazon OpenSearch domain. Once node-to-node encryption is enabled, you will no longer be able to disable or modify the feature settings. Choose Save changes to apply the configuration changes.

  6. Repeat steps no. 4 and 5 to enable node-to-node encryption for other Amazon OpenSearch domains available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

  1. Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to reconfigure as the identifier parameter to enable node-to-node encryption for the selected OpenSearch domain (cluster):

    aws es update-elasticsearch-domain-config \
      --region us-east-1 \
      --domain-name trendmicro \
      --node-to-node-encryption-options Enabled=true
    
  2. The command output should return the configuration information available for the modified domain:

    {
        "DomainConfig": {
            "ElasticsearchVersion": {
                "Options": "7.9",
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "ElasticsearchClusterConfig": {
                "Options": {
                    "InstanceType": "t3.small.elasticsearch",
                    "InstanceCount": 3,
                    "DedicatedMasterEnabled": false,
                    "ZoneAwarenessEnabled": false,
                    "WarmEnabled": false,
                    "ColdStorageOptions": {
                        "Enabled": false
                    }
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "EBSOptions": {
                "Options": {
                    "EBSEnabled": true,
                    "VolumeType": "gp2",
                    "VolumeSize": 15
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "SnapshotOptions": {
                "Options": {
                    "AutomatedSnapshotStartHour": 0
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
    
            ...
    
            "VPCOptions": {
                "Options": {},
                "Status": {
                    "CreationDate": "2022-01-03T19:09:03.386000+00:00",
                    "UpdateDate": "2022-01-03T19:09:03.386000+00:00",
                    "UpdateVersion": 9,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "CognitoOptions": {
                "Options": {
                    "Enabled": false
                },
                "Status": {
                    "CreationDate": "2022-01-03T19:09:03.386000+00:00",
                    "UpdateDate": "2022-01-03T19:09:03.386000+00:00",
                    "UpdateVersion": 9,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "EncryptionAtRestOptions": {
                "Options": {
                    "Enabled": false
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T18:01:14.941000+00:00",
                    "UpdateVersion": 5,
                    "State": "Active",
                    "PendingDeletion": false
                }
            },
            "NodeToNodeEncryptionOptions": {
                "Options": {
                    "Enabled": true
                },
                "Status": {
                    "CreationDate": "2022-01-03T17:49:09.216000+00:00",
                    "UpdateDate": "2022-01-03T19:09:03.288000+00:00",
                    "UpdateVersion": 9,
                    "State": "Processing",
                    "PendingDeletion": false
                }
            }
        }
    }
    
  3. Repeat steps no. 1 and 2 to enable node-to-node encryption for other Amazon OpenSearch domains available in the selected AWS region.

  4. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
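The Audit and Remediation CLI procedures above are the same three API operations repeated per domain and per region, which makes them a natural candidate for a script. The following is an added example (not Trend Micro's or AWS's code) that performs the audit with the boto3 `es` client's `list_domain_names` and `describe_elasticsearch_domain` calls and, when asked, applies the remediation with `update_elasticsearch_domain_config`, exactly the operations the CLI steps invoke. The client is injected so the logic can run offline against the `StubEsClient` in the block, which is constructed for the demonstration and reuses the two domain names from the CLI output above; boto3 is only imported when the script is run against real regions.

```python
"""Audit every OpenSearch domain in a region for node-to-node encryption and,
optionally, turn it on, using the same calls as the CLI steps on this page
(list-domain-names, describe-elasticsearch-domain,
update-elasticsearch-domain-config) through the boto3 "es" client.

Added example, not Trend Micro's or AWS's code. The client is injected so the
logic runs offline against StubEsClient, which is constructed for the
demonstration; boto3 is imported only when run against real regions.
"""
from typing import Any, Dict, List


def is_node_to_node_encrypted(domain_status: Dict[str, Any]) -> bool:
    """Mirror the --query 'DomainStatus.NodeToNodeEncryptionOptions.Enabled' check.
    A missing option block counts as disabled (fail closed)."""
    options = domain_status.get("NodeToNodeEncryptionOptions") or {}
    return options.get("Enabled") is True


def audit_region(client) -> List[str]:
    """Return the names of domains in the client's region whose node-to-node
    encryption is not enabled (Audit steps 1 to 5)."""
    names = [d["DomainName"] for d in client.list_domain_names().get("DomainNames", [])]
    non_compliant: List[str] = []
    for name in names:
        status = client.describe_elasticsearch_domain(DomainName=name)["DomainStatus"]
        if not is_node_to_node_encrypted(status):
            non_compliant.append(name)
    return non_compliant


def enable_node_to_node_encryption(client, domain_name: str) -> str:
    """Enable the option (Remediation step 1). The change cannot be reverted once
    applied; returns the option's Status.State, e.g. "Processing"."""
    response = client.update_elasticsearch_domain_config(
        DomainName=domain_name,
        NodeToNodeEncryptionOptions={"Enabled": True},
    )
    return response["DomainConfig"]["NodeToNodeEncryptionOptions"]["Status"]["State"]


def audit_and_remediate(client, remediate: bool = False) -> Dict[str, str]:
    """Map each non-compliant domain to "non-compliant" (audit only) or to the
    state returned by the update call (remediation)."""
    findings: Dict[str, str] = {}
    for name in audit_region(client):
        findings[name] = enable_node_to_node_encryption(client, name) if remediate else "non-compliant"
    return findings


class StubEsClient:
    """Constructed stand-in for boto3.client("es") exposing the three calls used
    above. Two domains, named as in the CLI output on this page; only "example"
    has node-to-node encryption enabled."""

    def __init__(self) -> None:
        self.enabled = {"trendmicro": False, "example": True}

    def list_domain_names(self) -> Dict[str, Any]:
        return {"DomainNames": [{"DomainName": n} for n in self.enabled]}

    def describe_elasticsearch_domain(self, DomainName: str) -> Dict[str, Any]:
        return {"DomainStatus": {
            "DomainName": DomainName,
            "NodeToNodeEncryptionOptions": {"Enabled": self.enabled[DomainName]},
        }}

    def update_elasticsearch_domain_config(
        self, DomainName: str, NodeToNodeEncryptionOptions: Dict[str, bool]
    ) -> Dict[str, Any]:
        self.enabled[DomainName] = NodeToNodeEncryptionOptions["Enabled"]
        return {"DomainConfig": {"NodeToNodeEncryptionOptions": {
            "Options": {"Enabled": self.enabled[DomainName]},
            "Status": {"State": "Processing"},
        }}}


if __name__ == "__main__":
    import sys
    # Usage: python n2n_audit.py [--remediate] [region ...]
    # With no region given, the stub is used so the script runs offline.
    remediate = "--remediate" in sys.argv
    regions = [a for a in sys.argv[1:] if a != "--remediate"]
    if not regions:
        print(audit_and_remediate(StubEsClient(), remediate))
    else:
        import boto3  # assumption: boto3 installed and AWS credentials configured
        for region in regions:  # one client per region, as the --region loop above does
            es = boto3.client("es", region_name=region)
            for domain, state in audit_and_remediate(es, remediate).items():
                print(f"{region}\t{domain}\t{state}")
```

Run without arguments to see the stub's result; pass one or more region names (and `--remediate`) to run against real domains. Because enabling node-to-node encryption is irreversible, the script defaults to audit-only and reports the `Processing` state returned by the update call rather than assuming the change is already active.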


Publication date Oct 15, 2018