Description:

Amazon Elasticsearch Service (ES) domains use node-to-node encryption to protect data in transit between nodes in a cluster. If node-to-node encryption is not enabled, data could be intercepted by an unauthorized user.

Rationale:

Enabling node-to-node encryption for ES domains helps to protect your data from unauthorized access. This is important because ES domains can store sensitive data, such as customer PII.

Impact:

Enabling node-to-node encryption for ES domains will prevent unauthorized users from accessing data in transit between nodes in a cluster. This will help to protect your data from unauthorized access.

Default Value:

By default, node-to-node encryption is not enabled for ES domains.

Pre-requisites:

To enable node-to-node encryption for ES domains, you will need to have:

  • A supported version of ES
  • A supported KMS key

Remediation Steps:

To remediate this policy, you can follow these steps:

  1. Enable node-to-node encryption for your ES domain.
  2. Test the encryption configuration to make sure that it is working properly.

Test Plan:

To test the encryption configuration, you can follow these steps:

  1. Try to intercept data in transit between nodes in the cluster.
  2. Verify that the data is encrypted.

Implementation Plan:

To implement this policy, you can follow these steps:

  1. Enable node-to-node encryption for your ES domain.
  2. Update the access control policy for your ES domain to allow only authorized users to access the encrypted data.

AWS CLI Process:

To enable node-to-node encryption for ES domains using the AWS CLI, you can follow these steps:

  1. Install the AWS CLI.
  2. Configure the AWS CLI with your AWS credentials.
  3. Run the following command to enable node-to-node encryption for an ES domain:
aws es update-elasticsearch-domain-config --domain-name <domain-name> --node-to-node-encryption-options Enabled=true
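As an added example (not part of this policy text or of any AWS tooling), the following boto3 script covers both the Test Plan's verification step and the CLI remediation above: it reads each domain's NodeToNodeEncryptionOptions, reports noncompliant domains, and offers a remediate() helper that applies the same config update as the CLI command. The domain name example-logs, the sample DomainStatus document and the credentials behind boto3.client("es") are assumptions; the evaluation logic runs offline.

```python
"""Audit Amazon ES domains for node-to-node (in-transit) encryption via boto3."""
from typing import Dict, List


def evaluate_domain(status: Dict) -> Dict:
    """Evaluate one DomainStatus document (shape of `aws es describe-elasticsearch-domain`)."""
    n2n = status.get("NodeToNodeEncryptionOptions", {}).get("Enabled", False)
    at_rest = status.get("EncryptionAtRestOptions", {}).get("Enabled", False)
    issues = []
    if not n2n:
        issues.append("node-to-node encryption disabled")
    if not at_rest:  # related control; the KMS key belongs here, not to node-to-node
        issues.append("encryption at rest disabled")
    return {
        "domain": status.get("DomainName", "<unknown>"),
        "version": status.get("ElasticsearchVersion", "<unknown>"),
        "compliant": not issues,
        "issues": issues,
    }


def audit(client=None) -> List[Dict]:
    """Evaluate every domain visible to the caller's credentials in one region."""
    if client is None:
        import boto3  # deferred so evaluate_domain() runs without boto3 installed
        client = boto3.client("es")
    findings = []
    for item in client.list_domain_names().get("DomainNames", []):
        resp = client.describe_elasticsearch_domain(DomainName=item["DomainName"])
        findings.append(evaluate_domain(resp["DomainStatus"]))
    return findings


def remediate(client, domain_name: str) -> Dict:
    """Enable node-to-node encryption on an existing domain (applied as a blue/green deployment)."""
    return client.update_elasticsearch_domain_config(
        DomainName=domain_name, NodeToNodeEncryptionOptions={"Enabled": True}
    )


# Constructed sample: a domain created without either encryption option.
SAMPLE_STATUS = {
    "DomainName": "example-logs",  # placeholder name, not a real domain
    "ElasticsearchVersion": "7.10",
    "NodeToNodeEncryptionOptions": {"Enabled": False},
    "EncryptionAtRestOptions": {"Enabled": False},
}
```

Run audit() with AWS credentials configured to list findings for the current region; pass a domain name from a noncompliant finding to remediate() to apply the fix.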

Using AWS GUI:

To enable node-to-node encryption for ES domains using the AWS GUI, you can follow these steps:

  1. Go to the Amazon ES console.
  2. Click on the Domains tab.
  3. Select the domain that you want to enable encryption for.
  4. Click on the Settings tab.
  5. Under the Security section, select the Node-to-node encryption option.
  6. Enter the KMS key ID that you want to use for encryption.

Backout Plan:

To back out of this policy, you can follow these steps:

  1. Disable node-to-node encryption for your ES domain.
  2. Update the access control policy for your ES domain to allow anyone to access the data stored on disk.

Note:

  • This policy is applicable to all ES domains.
  • The default value for this policy is that node-to-node encryption is not enabled.
  • The reference for this policy is the following AWS documentation: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html

Section 2:

  • Tags: es, security, encryption, node-to-node
  • Keywords: amazon elasticache, kms, encryption at rest