Description:
The ElasticSearch node-to-node encryption capability provides an additional layer of security by implementing Transport Layer Security (TLS) for all communications between the nodes provisioned within the cluster. Node-to-node encryption on new domains requires Elasticsearch 6.0 or later. Enabling the feature on existing domains requires Elasticsearch 6.7 or later.
Rationale:
If you send data to Amazon ES over HTTPS, node-to-node encryption helps ensure that your data remains encrypted as Elasticsearch distributes (and redistributes) it throughout the cluster. If data arrives unencrypted over HTTP, Amazon ES encrypts it after it reaches the cluster.
Impact:
The feature ensures that any data sent to your AWS ElasticSearch domain over HTTPS remains encrypted in transit while it is being distributed and replicated between the nodes. Node-to-node encryption prevents potential attackers from intercepting traffic between ElasticSearch cluster nodes and keeps the ES domain's data secure.
Default Value:
By default, Elasticsearch node-to-node encryption is YES
Pre-requisites:
Create an Elasticsearch domain.
Remediation:
Test Plan:
To determine whether the communication between ElasticSearch cluster nodes is encrypted, perform the following actions:
Step 1: Sign in to the AWS Management Console.
Step 2: Go to the ElasticSearch service dashboard at https://console.aws.amazon.com/es/.
Step 3: Choose the ElasticSearch cluster that you want to check and click on it.
Step 4: In the Security configuration section, check whether node-to-node encryption is enabled.
Step 5: Check whether the Node-to-node encryption attribute value is Yes.
Using AWS CLI:
The command prints true when node-to-node encryption is enabled for the domain and false when it is not:
aws es describe-elasticsearch-domain \
    --region <region-name> \
    --domain-name <domain-name> \
    --query 'DomainStatus.NodeToNodeEncryptionOptions.Enabled'
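The same check, as an added example that is not part of the original page: it inspects the DomainStatus document returned by describe-elasticsearch-domain for NodeToNodeEncryptionOptions.Enabled, and combines it with the version rules from the Description (6.0+ for new domains, 6.7+ to enable on an existing one) to say what the remediation would be. The sample responses are constructed, the boto3 lookup is optional, and treating OpenSearch engine versions as newer than every Elasticsearch release is an assumption made here.

```python
"""Check Amazon ES domains for node-to-node encryption.

Added example (not part of the original page): applies the same check as
the describe-elasticsearch-domain command above to the DomainStatus document
that command returns, plus the version rules from the Description.
The sample responses below are constructed; the boto3 lookup is optional.
"""
import json

MIN_VERSION_NEW = (6, 0)        # node-to-node encryption available at all
MIN_VERSION_EXISTING = (6, 7)   # can be enabled on an existing domain

# Constructed sample outputs of `aws es describe-elasticsearch-domain`;
# only the fields this check reads are included.
SAMPLE_COMPLIANT = json.dumps({"DomainStatus": {
    "DomainName": "logs-prod",
    "ElasticsearchVersion": "7.10",
    "NodeToNodeEncryptionOptions": {"Enabled": True},
}})
SAMPLE_NONCOMPLIANT = json.dumps({"DomainStatus": {
    "DomainName": "logs-legacy",
    "ElasticsearchVersion": "6.3",
    "NodeToNodeEncryptionOptions": {"Enabled": False},
}})


def parse_version(version):
    """'6.3' -> (6, 3). OpenSearch engine versions ('OpenSearch_1.0') are
    treated as newer than any Elasticsearch release (assumption for this
    example), so they sort above all of them."""
    if version.startswith("OpenSearch_"):
        return (99, 0)
    major, _, minor = version.partition(".")
    return (int(major), int(minor or 0))


def audit_domain(status):
    """Return a finding dict for one DomainStatus dict."""
    enabled = bool(status.get("NodeToNodeEncryptionOptions", {}).get("Enabled", False))
    version = parse_version(status.get("ElasticsearchVersion", "0.0"))
    if enabled:
        remediation = "none"
    elif version >= MIN_VERSION_EXISTING:
        remediation = "enable in place (Security configuration > Edit)"
    elif version >= MIN_VERSION_NEW:
        remediation = "re-create the domain with --node-to-node-encryption-options Enabled=true"
    else:
        remediation = "upgrade to Elasticsearch 6.0 or later, then re-create the domain"
    return {
        "domain": status.get("DomainName"),
        "version": status.get("ElasticsearchVersion"),
        "node_to_node_encryption": enabled,
        "compliant": enabled,
        "remediation": remediation,
    }


def audit_cli_output(text):
    """Audit the raw JSON printed by `aws es describe-elasticsearch-domain`."""
    return audit_domain(json.loads(text)["DomainStatus"])


def audit_live(domain_name, region):
    """Same check against a real account; needs boto3 and AWS credentials."""
    import boto3  # imported here so the offline functions above need no SDK
    client = boto3.client("es", region_name=region)
    status = client.describe_elasticsearch_domain(DomainName=domain_name)["DomainStatus"]
    return audit_domain(status)


if __name__ == "__main__":
    for sample in (SAMPLE_COMPLIANT, SAMPLE_NONCOMPLIANT):
        print(json.dumps(audit_cli_output(sample)))
```

Pipe the real CLI output into audit_cli_output (or call audit_live) to get one finding per domain; the compliant flag is the value the test plan above asks for, and the remediation field tells you which of the two paths in the Implementation section applies.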
IMPLEMENTATION
Log in to AWS account with Admin access
Go to opensearch service on the AWS Console https://console.aws.amazon.com/esv3
Choose the ES domain that you want to examine
Click on Security Configuration
Click on Edit
On the Edit security configuration page, select the Node-to-node encryption check box
Click on Save Changes
Using AWS CLI:
This command creates a new domain with node-to-node encryption (and encryption at rest) enabled; it is the form used when re-creating an existing domain that cannot be changed in place:
aws es create-elasticsearch-domain \
    --region us-east-1 \
    --domain-name cc-project5-fully-encrypted-cluster \
    --elasticsearch-version 6.3 \
    --elasticsearch-cluster-config InstanceType=m4.large.elasticsearch,InstanceCount=4 \
    --ebs-options EBSEnabled=true,VolumeType=standard,VolumeSize=50 \
    --access-policies file://source-es-domain-access-policy.json \
    --vpc-options SubnetIds=subnet-abcd1234,SecurityGroupIds=sg-012345678abcdabcd \
    --encryption-at-rest-options Enabled=true,KmsKeyId="abcd1234-aaaa-bbbb-cccc-aabbccdd1234" \
    --node-to-node-encryption-options Enabled=true
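Because an existing domain below 6.7 has to be re-created to gain node-to-node encryption, the re-creation request is best derived from the existing domain's own settings rather than typed by hand. The following is an added example, not code from the original page: it takes the DomainStatus returned by describe-elasticsearch-domain (a constructed sample below, with placeholder VPC and KMS ids), carries over the settings that create-elasticsearch-domain accepts, drops the describe-only VPC fields, sets NodeToNodeEncryptionOptions to Enabled=true, and refuses versions below 6.0. The result is the JSON shape accepted by `aws es create-elasticsearch-domain --cli-input-json file://params.json`.

```python
"""Build the request to re-create an Amazon ES domain with node-to-node
encryption enabled.

Added example, not code from the original page. The DomainStatus below is
constructed; its VPC, subnet, security-group and KMS ids are placeholders.
"""
import json

MIN_VERSION_NEW = (6, 0)  # node-to-node encryption needs Elasticsearch 6.0+

# Constructed DomainStatus of an existing, unencrypted domain (the shape
# returned by `aws es describe-elasticsearch-domain`).
EXISTING_STATUS = {
    "DomainName": "cc-project5-cluster",
    "ElasticsearchVersion": "6.3",
    "ElasticsearchClusterConfig": {
        "InstanceType": "m4.large.elasticsearch", "InstanceCount": 4,
        "DedicatedMasterEnabled": False, "ZoneAwarenessEnabled": False,
    },
    "EBSOptions": {"EBSEnabled": True, "VolumeType": "standard", "VolumeSize": 50},
    "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": []}),
    "VPCOptions": {
        "VPCId": "vpc-00000000", "AvailabilityZones": ["us-east-1a"],
        "SubnetIds": ["subnet-abcd1234"], "SecurityGroupIds": ["sg-012345678abcdabcd"],
    },
    "EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": "abcd1234-aaaa-bbbb-cccc-aabbccdd1234"},
    "NodeToNodeEncryptionOptions": {"Enabled": False},
}


def parse_version(version):
    """'6.3' -> (6, 3); 'OpenSearch_1.0' sorts above any ES release (assumption)."""
    if version.startswith("OpenSearch_"):
        return (99, 0)
    major, _, minor = version.partition(".")
    return (int(major), int(minor or 0))


def recreation_params(status, new_name=None):
    """Return create-elasticsearch-domain parameters that reproduce `status`
    with node-to-node encryption turned on. The old name can only be reused
    once the old domain has been deleted, hence the optional new_name."""
    version = status["ElasticsearchVersion"]
    if parse_version(version) < MIN_VERSION_NEW:
        raise ValueError(f"{version}: node-to-node encryption needs Elasticsearch 6.0 or later")
    params = {
        "DomainName": new_name or status["DomainName"],
        "ElasticsearchVersion": version,
        "ElasticsearchClusterConfig": dict(status["ElasticsearchClusterConfig"]),
        "EBSOptions": dict(status["EBSOptions"]),
        "AccessPolicies": status["AccessPolicies"],
        "NodeToNodeEncryptionOptions": {"Enabled": True},
    }
    # describe returns VPCId and AvailabilityZones, which create does not
    # accept: carry over only the subnet and security-group lists.
    vpc = status.get("VPCOptions")
    if vpc:
        params["VPCOptions"] = {
            "SubnetIds": list(vpc["SubnetIds"]),
            "SecurityGroupIds": list(vpc["SecurityGroupIds"]),
        }
    # Keep encryption at rest (and its key) when the old domain had it.
    ear = status.get("EncryptionAtRestOptions")
    if ear and ear.get("Enabled"):
        params["EncryptionAtRestOptions"] = {"Enabled": True, "KmsKeyId": ear["KmsKeyId"]}
    return params


def to_cli_input_json(params):
    """Serialise for `aws es create-elasticsearch-domain --cli-input-json file://params.json`."""
    return json.dumps(params, indent=2)


if __name__ == "__main__":
    print(to_cli_input_json(recreation_params(EXISTING_STATUS, "cc-project5-fully-encrypted-cluster")))
```

Write the printed JSON to a file and pass it with --cli-input-json; after the data has been re-indexed into the new domain, the old one is deleted as described in the "Delete an OpenSearch Service domain" reference.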
BACKOUT PLAN
Once node-to-node encryption is enabled, it cannot be disabled.
Note:
To enable node-to-node encryption for your existing Amazon ElasticSearch domains, you need to re-create them with the necessary configuration.
References:
Node-to-node encryption for Amazon OpenSearch Service - Amazon OpenSearch Service
https://aws.amazon.com/elasticsearch-service/faqs/
Step 4: Delete an OpenSearch Service domain - Amazon OpenSearch Service