Description:
Amazon Elasticsearch Service (ES) domains store indices, automated snapshots, Elasticsearch logs, swap files and the rest of the application directory on the storage volumes of the domain's data nodes. Encryption of data at rest uses AWS Key Management Service (KMS) to encrypt that data before it is written to disk, so a compromised, reused or improperly decommissioned storage volume does not expose cleartext. It does not cover manual snapshots stored in S3 (protect those with S3 bucket encryption) or data in transit (use node-to-node encryption and HTTPS for that).
Rationale:
Enabling encryption at-rest for ES domains protects data against unauthorized access at the storage layer. This matters because ES domains frequently hold sensitive data, such as customer PII in indexed documents and in the logs and snapshots derived from them.
Impact:
Enabling encryption at-rest protects the data on disk if the underlying storage is compromised. It does not restrict principals who already have permission to query the domain over its endpoint; the domain access policy and fine-grained access control remain the controls for that. Operationally: once enabled, encryption at rest cannot be disabled on that domain; enabling it on an existing domain triggers a blue/green deployment, during which the domain shows a Processing state; domains running Elasticsearch versions earlier than 6.7 cannot be updated in place and must be recreated; and T2 instance types do not support the feature.
Default Value:
By default, ES domains do not have encryption at-rest enabled.
Pre-requisites:
To enable encryption at-rest for ES domains, you will need to have:
- A domain running Elasticsearch 5.1 or later (6.7 or later, or any OpenSearch version, to enable it on an existing domain in place)
- A domain that does not use T2 instance types
- A symmetric AWS KMS key in the same Region as the domain, or accept the AWS owned key (aws/es) that the service uses when no key is specified
- Credentials for an IAM principal allowed to modify the domain configuration and to use the chosen KMS key
Remediation Steps:
To remediate this policy, you can follow these steps:
- Check the domain's Elasticsearch version and instance type. If it runs Elasticsearch 6.7 or later (or OpenSearch) and is not on a T2 instance type, enable encryption at-rest in place using the CLI or console steps below and wait for the blue/green deployment to finish.
- Otherwise, create a new domain with encryption at-rest enabled, take a manual snapshot of the old domain, restore it into the new domain, repoint clients, and retire the unencrypted domain.
- Verify the configuration with describe-elasticsearch-domain: EncryptionAtRestOptions.Enabled must be true and KmsKeyId must be the intended key.
Test Plan:
To test the encryption configuration, you can follow these steps (the data-node disks of a managed domain are not reachable, so the check is made through the service API, not by reading the disk):
- Run aws es describe-elasticsearch-domain --domain-name <domain-name> --query 'DomainStatus.EncryptionAtRestOptions' and confirm the output shows "Enabled": true and the expected "KmsKeyId".
- In the console, confirm the domain's security configuration shows encryption at rest as enabled.
- Index a test document over the domain endpoint and read it back, to confirm that clients are unaffected: encryption and decryption are transparent to API callers.
Implementation Plan:
To implement this policy, you can follow these steps:
- Enable encryption at-rest for your ES domain, or recreate the domain with it enabled, as described under Remediation Steps.
- Keep the domain access policy (and fine-grained access control, where used) scoped to the principals that need access. Encryption at-rest is complementary to this: it protects the storage media, while the access policy decides who may query the domain.
- Restrict the KMS key policy so that only the domain and the administrators who need it can use the key.
AWS CLI Process:
To enable encryption at-rest for ES domains using the AWS CLI, you can follow these steps:
- Install the AWS CLI.
- Configure the AWS CLI with credentials for a principal allowed to modify the domain and to use the KMS key.
- For an existing domain running Elasticsearch 6.7 or later (or OpenSearch), enable encryption at-rest in place:
aws es update-elasticsearch-domain-config --domain-name <domain-name> --encryption-at-rest-options Enabled=true,KmsKeyId=<kms-key-id>
- For a new domain, pass the same option at creation time, alongside your usual cluster, EBS and access-policy options:
aws es create-elasticsearch-domain --domain-name <domain-name> --elasticsearch-version 7.10 --encryption-at-rest-options Enabled=true,KmsKeyId=<kms-key-id>
- Omit KmsKeyId to use the AWS owned key (aws/es). Verify the result with:
aws es describe-elasticsearch-domain --domain-name <domain-name> --query 'DomainStatus.EncryptionAtRestOptions'
- The current opensearch CLI namespace offers the same capability as aws opensearch update-domain-config, create-domain and describe-domain, with the same --encryption-at-rest-options argument.
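The following script is an added example for the Test Plan and the AWS CLI Process above; it is not part of the original policy text or of any AWS tooling. It evaluates the JSON returned by describe-elasticsearch-domain (or describe-elasticsearch-domains) and reports, per domain, whether encryption at rest is enabled and, if not, whether it can be enabled in place or the domain has to be recreated. The field names follow the DescribeElasticsearchDomain API; the version and instance-type thresholds come from the AWS documentation; the domain names, key ID and account number in the sample are constructed for illustration.

```python
"""Audit Amazon ES domains for encryption at rest.

Usage:
  aws es describe-elasticsearch-domain --domain-name my-domain | python3 es_ear_check.py
  aws es describe-elasticsearch-domains --domain-names a b c | python3 es_ear_check.py
With nothing piped on stdin, the constructed SAMPLE_OUTPUT below is evaluated.
"""
import json
import sys

# Per the AWS documentation: the feature needs Elasticsearch 5.1 or later,
# can be switched on for an existing domain only from 6.7 onward (or any
# OpenSearch version), and is not supported on T2 instance types.
MIN_VERSION_SUPPORTED = (5, 1)
MIN_VERSION_IN_PLACE = (6, 7)


def parse_version(version: str) -> tuple:
    """Turn an ElasticsearchVersion string into a comparable (major, minor).

    "7.10" -> (7, 10). "OpenSearch_1.3" is mapped above every Elasticsearch
    release, because every OpenSearch version supports encryption at rest.
    """
    if version.startswith("OpenSearch_"):
        return (99, 0)
    major, _, minor = version.partition(".")
    return (int(major), int(minor or 0))


def evaluate(domain_status: dict) -> dict:
    """Classify one DomainStatus object.

    Returns {"domain", "compliant", "action", "finding"}; action is one of
    "none", "enable-in-place" or "recreate".
    """
    name = domain_status.get("DomainName", "<unknown>")
    ear = domain_status.get("EncryptionAtRestOptions") or {}
    cluster = domain_status.get("ElasticsearchClusterConfig") or {}
    version = parse_version(domain_status.get("ElasticsearchVersion", "0.0"))
    instance_type = cluster.get("InstanceType", "")

    def result(compliant, action, finding):
        return {"domain": name, "compliant": compliant,
                "action": action, "finding": finding}

    if ear.get("Enabled"):
        key = ear.get("KmsKeyId", "<AWS owned key aws/es>")
        return result(True, "none", f"encryption at rest enabled, key {key}")
    if instance_type.startswith("t2."):
        return result(False, "recreate",
                      f"{instance_type} does not support encryption at rest; "
                      "recreate on a supported instance family")
    if version < MIN_VERSION_SUPPORTED:
        return result(False, "recreate",
                      "Elasticsearch version predates encryption-at-rest support; "
                      "create a new domain on 5.1 or later")
    if version < MIN_VERSION_IN_PLACE:
        return result(False, "recreate",
                      "encryption at rest cannot be enabled in place before 6.7; "
                      "create an encrypted domain and restore from a snapshot")
    return result(False, "enable-in-place",
                  "run update-elasticsearch-domain-config with "
                  "--encryption-at-rest-options Enabled=true")


def evaluate_output(doc: dict) -> list:
    """Accept either describe-elasticsearch-domain or -domains output."""
    statuses = doc.get("DomainStatusList") or [doc["DomainStatus"]]
    return [evaluate(s) for s in statuses]


# Constructed sample: not real domains, keys or accounts.
SAMPLE_OUTPUT = {"DomainStatusList": [
    {"DomainName": "logs-prod", "ElasticsearchVersion": "7.10",
     "ElasticsearchClusterConfig": {"InstanceType": "r5.large.elasticsearch"},
     "EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId":
      "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"}},
    {"DomainName": "search-staging", "ElasticsearchVersion": "6.8",
     "ElasticsearchClusterConfig": {"InstanceType": "m5.large.elasticsearch"},
     "EncryptionAtRestOptions": {"Enabled": False}},
    {"DomainName": "legacy-5x", "ElasticsearchVersion": "5.5",
     "ElasticsearchClusterConfig": {"InstanceType": "m4.large.elasticsearch"},
     "EncryptionAtRestOptions": {"Enabled": False}},
    {"DomainName": "dev-t2", "ElasticsearchVersion": "7.10",
     "ElasticsearchClusterConfig": {"InstanceType": "t2.small.elasticsearch"},
     "EncryptionAtRestOptions": {"Enabled": False}},
]}


def main() -> int:
    doc = SAMPLE_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    results = evaluate_output(doc)
    for r in results:
        status = "PASS" if r["compliant"] else "FAIL"
        print(f"{status} {r['domain']}: {r['finding']} [{r['action']}]")
    # Non-zero exit lets a pipeline or cron job fail on unencrypted domains.
    return 0 if all(r["compliant"] for r in results) else 1


if __name__ == "__main__":
    sys.exit(main())
```

The "enable-in-place" finding maps directly to the update-elasticsearch-domain-config command above; "recreate" means the snapshot-and-restore path in the Remediation Steps. The script cannot tell an AWS owned key from a customer managed one by its ID alone; if your policy requires a customer managed key, follow up with aws kms describe-key on the reported KmsKeyId.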
Using AWS GUI:
To enable encryption at-rest for ES domains using the AWS console, you can follow these steps:
- Open the Amazon ES console (now the Amazon OpenSearch Service console) and choose Domains.
- Select the domain you want to encrypt. It must be running Elasticsearch 6.7 or later (or OpenSearch) and not use T2 instance types; otherwise follow the recreate path under Remediation Steps.
- Choose Actions, then Edit security configuration.
- Under Encryption, select Enable encryption of data at rest.
- Choose the KMS key to use: the AWS owned key (aws/es) or a customer managed key in the same Region.
- Save the changes. The domain shows a Processing state while the blue/green deployment applies them; afterwards confirm on the domain's security configuration that encryption at rest is shown as enabled.
Backout Plan:
Encryption at-rest cannot be disabled on a domain once it has been enabled, so there is no in-place backout. If the change must be reversed:
- Take a manual snapshot of the encrypted domain.
- Create a new domain without encryption at-rest, restore the snapshot into it, and repoint clients.
- Delete the encrypted domain once the new one is verified.
- Leave the domain access policy as it was; widening it is not part of a backout.
Note:
- This policy is applicable to all ES domains; encryption at-rest is available on Elasticsearch 5.1 and later.
- The default value for this policy is that encryption at-rest is not enabled.
- The reference for this policy is the following AWS documentation: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html
Section 2:
- Tags: es, security, encryption, at-rest
- Keywords: amazon elasticsearch, kms, encryption at rest