Description:

Amazon Elasticsearch Service (ES) domains store data on disk. If this data is not encrypted, it could be accessed by unauthorized users if the disk is compromised. Enabling encryption at-rest helps to protect this data by encrypting it before it is stored on disk.

Rationale:

Enabling encryption at-rest for ES domains helps to protect your data from unauthorized access. This is important because ES domains can store sensitive data, such as customer PII.

Impact:

Enabling encryption at-rest for ES domains will prevent unauthorized users from accessing the data stored on disk. This will help to protect your data from unauthorized access.

Default Value:

By default, ES domains do not have encryption at-rest enabled.

Pre-requisites:

To enable encryption at-rest for ES domains, you will need to have:

  • An AWS KMS key

Remediation Steps:

To remediate this policy, you can follow these steps:

  1. Enable encryption at-rest for your ES domain.
  2. Test the encryption configuration to make sure that it is working properly.

Test Plan:

To test the encryption configuration, you can follow these steps:

  1. Try to access the data stored on disk without decrypting it.
  2. Try to access the data stored on disk after decrypting it.

Implementation Plan:

To implement this policy, you can follow these steps:

  1. Enable encryption at-rest for your ES domain.
  2. Update the access control policy for your ES domain to allow only authorized users to access the encrypted data.

AWS CLI Process:

To enable encryption at-rest for ES domains using the AWS CLI, you can follow these steps:

  1. Install the AWS CLI.
  2. Configure the AWS CLI with your AWS credentials.
  3. Run the following command to enable encryption at-rest on an existing ES domain (the CLI operation for this is update-elasticsearch-domain-config with the --encryption-at-rest-options parameter; there is no enable-encryption-at-rest subcommand):
     aws es update-elasticsearch-domain-config --domain-name <domain-name> --encryption-at-rest-options Enabled=true,KmsKeyId=<kms-key-id>
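The check-then-remediate flow above, as an added example (not part of this policy text or any AWS tooling): a small Python script that reads the DomainStatus returned by `aws es describe-elasticsearch-domain`, flags a domain whose EncryptionAtRestOptions.Enabled is false, and builds the update-elasticsearch-domain-config command without running it. It assumes the `aws` CLI is on PATH for the live path; the embedded sample output and the domain name `demo-logs` are constructed.

```python
import json
import subprocess

# Constructed sample of `aws es describe-elasticsearch-domain` output, trimmed to
# the fields this check reads; not captured from a real account.
SAMPLE_DESCRIBE_OUTPUT = """{
  "DomainStatus": {
    "DomainName": "demo-logs",
    "ElasticsearchVersion": "7.10",
    "EncryptionAtRestOptions": {"Enabled": false}
  }
}"""


def load_sample_status():
    """Return the DomainStatus object from the constructed sample above."""
    return json.loads(SAMPLE_DESCRIBE_OUTPUT)["DomainStatus"]


def describe_domain(domain_name):
    """Fetch DomainStatus for a live domain via the AWS CLI (needs `aws` on PATH)."""
    proc = subprocess.run(
        ["aws", "es", "describe-elasticsearch-domain",
         "--domain-name", domain_name, "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)["DomainStatus"]


def encryption_at_rest_finding(status):
    """Evaluate one DomainStatus against this policy; returns (compliant, detail).
    Passes only when EncryptionAtRestOptions.Enabled is true; the KMS key in use
    is reported so a reviewer can confirm it is the expected key."""
    opts = status.get("EncryptionAtRestOptions") or {}
    if not opts.get("Enabled", False):
        return False, "EncryptionAtRestOptions.Enabled is false"
    return True, "enabled with KmsKeyId=%s" % opts.get("KmsKeyId", "<not reported>")


def remediation_command(domain_name, kms_key_id):
    """Build (but do not run) the CLI call that turns encryption at rest on for
    an existing domain via the update-elasticsearch-domain-config operation."""
    return ["aws", "es", "update-elasticsearch-domain-config",
            "--domain-name", domain_name,
            "--encryption-at-rest-options", "Enabled=true,KmsKeyId=%s" % kms_key_id]


if __name__ == "__main__":
    status = load_sample_status()  # swap for describe_domain("<domain-name>") on a live account
    ok, detail = encryption_at_rest_finding(status)
    print(status["DomainName"], "compliant:" if ok else "NON-COMPLIANT:", detail)
    if not ok:
        print("remediate with:", " ".join(remediation_command(status["DomainName"], "<kms-key-id>")))
```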

Using AWS GUI:

To enable encryption at-rest for ES domains using the AWS GUI, you can follow these steps:

  1. Go to the Amazon ES console.
  2. Click on the Domains tab.
  3. Select the domain that you want to enable encryption for.
  4. Click on the Settings tab.
  5. Under the Security section, select the Encryption at rest option.
  6. Enter the KMS key ID that you want to use for encryption.

Backout Plan:

To back out of this policy, you can follow these steps:

  1. Disable encryption at-rest for your ES domain.
  2. Update the access control policy for your ES domain to allow anyone to access the data stored on disk.

Note:

  • This policy is applicable to all ES domains.
  • The default value for this policy is that encryption at-rest is not enabled.
  • The reference for this policy is the following AWS documentation: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html

Section 2:

  • Tags: es, security, encryption, at-rest
  • Keywords: amazon elasticache, kms, encryption at rest