Description:
Amazon Elasticsearch Service (Amazon ES) is a managed service that makes it easy to deploy, operate, and scale Elasticsearch, a popular open-source search and analytics engine. Amazon ES also offers security options, high availability, data durability, and direct access to the Elasticsearch API.
This policy checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the EncryptionAtRestOptions field is not enabled.
Rationale:
Encrypting storage at rest is critical because it prevents unauthorized access to your data at the storage layer.
Impact:
If enabled, the feature encrypts the following aspects of a domain:
All indices (including those in UltraWarm storage)
Elasticsearch logs
Swap files
All other data in the application directory
Automated snapshots
Default Value:
Amazon Elasticsearch domains are not encrypted at rest by default; if encryption is a requirement, it must be enabled manually.
Audit:
Log in to your AWS account.
Navigate to the Elasticsearch service at: https://console.aws.amazon.com/es.
Choose the existing domain in the AWS console.
Click on the Overview tab.
Check under the Encryption section whether the Encryption At Rest option is enabled or not.
Via CLI:
aws es describe-elasticsearch-domain \
    --region <region-name> \
    --domain-name <domain-name> \
    --query 'DomainStatus.EncryptionAtRestOptions'
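The same rule applied programmatically, as an added example that is not part of this policy document: evaluate_domain reads the DomainStatus record returned by describe-elasticsearch-domain and returns the verdict; audit_domains walks every domain through a client with the boto3 'es' method names. The sample domains, names and KMS key ARN are constructed for offline use; pass a real boto3.client("es") to audit an account.

```python
from typing import Any, Dict, List, Tuple

# Constructed sample DomainStatus records, shaped like the output of
# `aws es describe-elasticsearch-domain` (domain names and key ARN are made up).
SAMPLE_DOMAINS: List[Dict[str, Any]] = [
    {"DomainName": "search-prod", "ElasticsearchVersion": "7.10",
     "EncryptionAtRestOptions": {"Enabled": True,
                                 "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
    {"DomainName": "search-dev", "ElasticsearchVersion": "7.10",
     "EncryptionAtRestOptions": {"Enabled": False}},
    # Domain created before the feature was available: the field is absent entirely.
    {"DomainName": "search-legacy", "ElasticsearchVersion": "5.1"},
]


def evaluate_domain(status: Dict[str, Any]) -> Tuple[str, str]:
    """Apply the rule: NON_COMPLIANT unless EncryptionAtRestOptions.Enabled is true."""
    opts = status.get("EncryptionAtRestOptions") or {}
    if opts.get("Enabled") is True:
        return "COMPLIANT", f"encrypted with KMS key {opts.get('KmsKeyId', '<unknown>')}"
    if "EncryptionAtRestOptions" not in status:
        return "NON_COMPLIANT", "EncryptionAtRestOptions field missing"
    return "NON_COMPLIANT", "EncryptionAtRestOptions.Enabled is false"


def audit_domains(client) -> Dict[str, Tuple[str, str]]:
    """Evaluate every domain visible to a boto3 'es' client (or any object with the
    same list_domain_names / describe_elasticsearch_domain methods)."""
    results: Dict[str, Tuple[str, str]] = {}
    for entry in client.list_domain_names()["DomainNames"]:
        name = entry["DomainName"]
        status = client.describe_elasticsearch_domain(DomainName=name)["DomainStatus"]
        results[name] = evaluate_domain(status)
    return results


class FakeEsClient:
    """Offline stand-in for boto3.client('es'), backed by the constructed samples."""
    def __init__(self, domains: List[Dict[str, Any]]):
        self._domains = {d["DomainName"]: d for d in domains}

    def list_domain_names(self) -> Dict[str, Any]:
        return {"DomainNames": [{"DomainName": n} for n in self._domains]}

    def describe_elasticsearch_domain(self, DomainName: str) -> Dict[str, Any]:
        return {"DomainStatus": self._domains[DomainName]}


if __name__ == "__main__":
    # Swap FakeEsClient for boto3.client("es", region_name="<region-name>") on a real account.
    for name, (verdict, reason) in audit_domains(FakeEsClient(SAMPLE_DOMAINS)).items():
        print(f"{name}: {verdict} ({reason})")
```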
Remediation:
Prerequisites:
Encryption of data at rest on new domains requires Elasticsearch 5.1 or later. Enabling the feature on existing domains requires Elasticsearch 6.7 or later. To use the Amazon ES console to configure encryption of data at rest, you must have read permissions to AWS KMS.
Encryption at rest cannot be turned on after a domain has been created, so the domain has to be re-created with the required encryption configuration.
Implementation Steps:
Log in to your AWS account.
Navigate to the Elasticsearch service at: https://console.aws.amazon.com/es.
Select the Overview tab and copy the domain configuration information.
Click the Modify access policy button and also copy the existing policy document.
Now create a new domain with the appropriate version and fill in the configuration copied from the old domain.
Enable the Encryption of data at rest option.
On the Review page, verify that the domain configuration details match the ones copied from the previous domain, then click Confirm to launch your new Amazon Elasticsearch domain with data-at-rest encryption enabled.
(Optional) To avoid incurring charges for the unencrypted domain, delete it.
To delete the Unencrypted domain, perform the following:
Click on the name of the domain that you want to delete.
On the selected domain description page, click on the Delete domain option to start the removal process.
Within the Delete domain dialog box, check Delete the domain <domain_name> then click the Delete button to confirm the action.
Via CLI:
Create new Elasticsearch domain:
aws es create-elasticsearch-domain \
    --region <region-name> \
    --domain-name <unique-domain-name> \
    --elasticsearch-version 5.5 \
    --elasticsearch-cluster-config InstanceType=<instance-type>,InstanceCount=<count> \
    --ebs-options <ebs-configurations> \
    --access-policies file://<file-name.json> \
    --vpc-options SubnetIds=<subnet-id>,SecurityGroupIds=<security-group-id> \
    --encryption-at-rest-options Enabled=true,KmsKeyId=<kms-key-id>
Backout Plan:
Sign into the AWS Management Console.
Navigate to the Elasticsearch Service at: https://console.aws.amazon.com/es.
Encryption at rest cannot be disabled on an existing domain, so take a snapshot of the existing domain.
Create a new domain with the snapshot.
Migrate all the data to the new domain and delete the old domain.
Note:
If you delete the key that you used to encrypt a domain, the domain becomes inaccessible. The Amazon ES team can't help you recover your data.
References:
describe-elasticsearch-domain — AWS CLI 1.20.51 Command Reference
create-elasticsearch-domain — AWS CLI 1.20.51 Command Reference