Description:

Node-to-node encryption adds a layer of security to an Amazon Elasticsearch Service (Amazon ES) domain by using Transport Layer Security (TLS) for all communication between the nodes provisioned within the cluster. The feature requires Elasticsearch 6.0 or later on new domains, and Elasticsearch 6.7 or later to be enabled on an existing domain.


If you send data to Amazon ES over HTTPS, node-to-node encryption helps ensure that your data remains encrypted as Elasticsearch distributes (and redistributes) it throughout the cluster. If data arrives unencrypted over HTTP, Amazon ES encrypts it only after it reaches the cluster; the hop from the client to the domain endpoint is still in clear text, so HTTPS should be enforced separately.


Without node-to-node encryption, indexed documents and shard replicas travel between cluster nodes in clear text, where anyone able to observe that traffic can read them. Enabling the feature prevents such interception and keeps the domain's data protected in transit inside the cluster.

Default Value:

When a domain is created through the API or AWS CLI, node-to-node encryption is disabled unless NodeToNodeEncryptionOptions.Enabled is explicitly set to true; describe-elasticsearch-domain then reports "Enabled": false for the domain.


  • Create new domains with node-to-node encryption enabled from the start, since the setting cannot be turned off afterwards.


Test Plan:

To determine whether communication between the Elasticsearch cluster nodes is encrypted, perform the following actions:

Step 1: Sign in to the AWS Management Console.

Step 2: Go to the Amazon Elasticsearch Service dashboard at

Step 3: Choose the Elasticsearch domain that you want to check and click on it.

Step 4: Under Security configuration, locate the Node-to-node encryption attribute.

Step 5: Check that the Node-to-node encryption attribute value is Yes. If it is No, the domain does not encrypt traffic between its nodes and fails this check.

Using AWS CLI:

The following command returns true when node-to-node encryption is enabled for the domain and false when it is not (the attribute to query is NodeToNodeEncryptionOptions.Enabled):

aws es describe-elasticsearch-domain \
  --region <region-name> \
  --domain-name <domain-name> \
  --query 'DomainStatus.NodeToNodeEncryptionOptions.Enabled'


Remediation:

To enable node-to-node encryption on an existing domain running Elasticsearch 6.7 or later, perform the following actions:

  • Log in to the AWS account with administrative access.

  • Go to the Amazon Elasticsearch Service (now Amazon OpenSearch Service) dashboard in the AWS Console.

  • Choose the ES domain that you want to remediate.

  • Under Security configuration, click on Edit.

  • On the edit security configuration page, select the Node-to-node encryption check box.

  • Click on Save changes. The domain goes through a blue/green deployment while the change is applied.

Using AWS CLI:

The following command creates a new domain with node-to-node encryption enabled (together with encryption at rest and VPC placement). The setting this check looks for is --node-to-node-encryption-options Enabled=true; the remaining values are sample values to be replaced for your environment:

aws es create-elasticsearch-domain \
  --region us-east-1 \
  --domain-name cc-project5-fully-encrypted-cluster \
  --elasticsearch-version 6.3 \
  --elasticsearch-cluster-config InstanceType=m4.large.elasticsearch,InstanceCount=4 \
  --ebs-options EBSEnabled=true,VolumeType=standard,VolumeSize=50 \
  --access-policies file://source-es-domain-access-policy.json \
  --vpc-options SubnetIds=subnet-abcd1234,SecurityGroupIds=sg-012345678abcdabcd \
  --encryption-at-rest-options Enabled=true,KmsKeyId="abcd1234-aaaa-bbbb-cccc-aabbccdd1234" \
  --node-to-node-encryption-options Enabled=true


  • Once node-to-node encryption is enabled on a domain, it cannot be disabled.


Node-to-node encryption can be enabled in place only on existing Amazon ES domains running Elasticsearch 6.7 or later (through the console steps above or the same option on the domain configuration update command). Domains running an earlier version must be re-created with the necessary configuration and their data migrated, for example from a manual snapshot.
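The following script, added here as an example and not part of the original page or of AWS tooling, automates the Test Plan check above across many domains and applies the remediation rule from this section: it reads the DomainStatus records that aws es describe-elasticsearch-domains returns, flags every domain whose NodeToNodeEncryptionOptions.Enabled is false or absent, and reports whether the domain can be fixed in place (Elasticsearch 6.7 or later, or any OpenSearch engine, which the legacy es API reports as "OpenSearch_x.y") or must be re-created. The domain names and records in SAMPLE_DOMAINS are constructed for the example.

```python
"""Audit Amazon ES domains for node-to-node encryption and pick the remediation path.

Added example. Evaluates the JSON returned by `aws es describe-elasticsearch-domains`:
  - Elasticsearch 6.7+ (or OpenSearch): enable in place via update-elasticsearch-domain-config
  - Elasticsearch 6.0 to 6.6:            re-create the domain with the option enabled
  - below 6.0:                           not supported; re-create on a newer version
The sample records in SAMPLE_DOMAINS are constructed for this example.
"""
import json
import sys
from typing import Dict, List, Tuple

MIN_VERSION_NEW = (6, 0)        # node-to-node encryption available on new domains
MIN_VERSION_IN_PLACE = (6, 7)   # can be turned on for an existing domain


def parse_engine_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Return (engine, (major, minor)) from the ElasticsearchVersion field.

    The legacy es API reports OpenSearch engines as "OpenSearch_1.3"; plain
    Elasticsearch domains report e.g. "6.3" or "7.10".
    """
    engine = "Elasticsearch"
    if version.startswith("OpenSearch_"):
        engine = "OpenSearch"
        version = version.split("_", 1)[1]
    parts = version.split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return engine, (major, minor)


def classify_domain(status: Dict) -> Dict:
    """Evaluate one DomainStatus object and return a finding.

    A missing NodeToNodeEncryptionOptions block is treated like Enabled=false:
    either way traffic between the nodes is not encrypted.
    """
    name = status["DomainName"]
    enabled = bool(status.get("NodeToNodeEncryptionOptions", {}).get("Enabled", False))
    raw_version = status.get("ElasticsearchVersion", "0.0")
    engine, ver = parse_engine_version(raw_version)

    finding = {"domain": name, "engine_version": raw_version, "compliant": enabled, "remediation": None}
    if enabled:
        return finding
    if engine == "OpenSearch" or ver >= MIN_VERSION_IN_PLACE:
        finding["remediation"] = ("enable in place: aws es update-elasticsearch-domain-config "
                                  f"--domain-name {name} --node-to-node-encryption-options Enabled=true")
    elif ver >= MIN_VERSION_NEW:
        finding["remediation"] = ("re-create the domain with --node-to-node-encryption-options "
                                  "Enabled=true and migrate the data from a manual snapshot")
    else:
        finding["remediation"] = ("not supported on this version: re-create the domain on "
                                  "Elasticsearch 6.0 or later with the option enabled")
    return finding


def audit(domain_statuses: List[Dict]) -> List[Dict]:
    """Classify every domain and return only the non-compliant findings."""
    return [f for f in (classify_domain(s) for s in domain_statuses) if not f["compliant"]]


# Constructed sample shaped like DomainStatusList from describe-elasticsearch-domains.
SAMPLE_DOMAINS = [
    {"DomainName": "logs-prod", "ElasticsearchVersion": "7.10",
     "NodeToNodeEncryptionOptions": {"Enabled": True}},
    {"DomainName": "search-legacy", "ElasticsearchVersion": "6.3",
     "NodeToNodeEncryptionOptions": {"Enabled": False}},
    {"DomainName": "metrics", "ElasticsearchVersion": "6.8"},   # option block absent
    {"DomainName": "archive", "ElasticsearchVersion": "5.6",
     "NodeToNodeEncryptionOptions": {"Enabled": False}},
]


def main() -> int:
    # Usage: aws es describe-elasticsearch-domains --domain-names a b c | python3 audit_n2n.py
    # Without piped input the constructed sample is evaluated instead.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else {"DomainStatusList": SAMPLE_DOMAINS}
    findings = audit(data["DomainStatusList"])
    for f in findings:
        print(f"FAIL {f['domain']} ({f['engine_version']}): {f['remediation']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The exit status is non-zero when any domain fails, so the script can gate a pipeline; the remediation string for 6.7+ domains is the in-place command, while older domains are routed to re-creation, matching the version rule stated in the Description.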

References:

Node-to-node encryption for Amazon OpenSearch Service - Amazon OpenSearch Service

Step 4: Delete an OpenSearch Service domain - Amazon OpenSearch Service