Description:
Amazon Elasticsearch Service (ES) domains can use node-to-node encryption, which applies TLS to the traffic exchanged between the nodes of a cluster. If node-to-node encryption is not enabled, data moving between nodes (replication, shard relocation, query fan-out) travels in cleartext and could be read by anyone able to observe that network path.
Rationale:
Enabling node-to-node encryption for ES domains protects data in transit inside the cluster from eavesdropping. This matters because ES domains frequently hold sensitive data, such as customer PII, application logs and search indexes derived from them.
Impact:
Enabling node-to-node encryption adds TLS overhead to intra-cluster traffic, which is normally negligible. It is a one-way change: once enabled on a domain, it cannot be disabled again; reverting requires creating a new domain without the setting and migrating the data. It also does not by itself encrypt traffic between clients and the domain endpoint (see Implementation Plan) or data at rest, which are separate controls.
Default Value:
By default, node-to-node encryption is not enabled for ES domains.
Pre-requisites:
To enable node-to-node encryption for ES domains, you will need to have:
- A domain running Elasticsearch 6.0 or later (older domains must be upgraded or recreated first)
- IAM permissions to describe and update the domain configuration (es:DescribeElasticsearchDomain, es:UpdateElasticsearchDomainConfig, or es:CreateElasticsearchDomain for new domains)
No KMS key is involved: node-to-node encryption is TLS between nodes, and KMS keys are only used by the separate encryption-at-rest feature.
Remediation Steps:
To remediate this policy, you can follow these steps:
- Enable node-to-node encryption for your ES domain.
- Test the encryption configuration to make sure that it is working properly.
Test Plan:
To test the encryption configuration, you can follow these steps:
- Describe the domain and confirm that NodeToNodeEncryptionOptions.Enabled is true in the returned DomainStatus (for example with aws es describe-elasticsearch-domain --domain-name <domain-name>).
- Confirm the setting persists after any subsequent configuration change; attempting to set it back to false should be rejected by the service.
Intercepting traffic between nodes is not a practical test: the nodes run inside an AWS-managed network that you cannot attach to.
Implementation Plan:
To implement this policy, you can follow these steps:
- Enable node-to-node encryption for your ES domain.
- Also require HTTPS on the domain endpoint (EnforceHTTPS in the domain endpoint options) and keep a restrictive access policy, so that client-to-domain traffic is encrypted and only authorized principals can reach the data. Node-to-node encryption covers intra-cluster traffic only.
AWS CLI Process:
To enable node-to-node encryption for ES domains using the AWS CLI, you can follow these steps:
- Install the AWS CLI.
- Configure the AWS CLI with your AWS credentials.
- Run the following command to enable node-to-node encryption on an existing ES domain (the domain must run Elasticsearch 6.0 or later):
aws es update-elasticsearch-domain-config --domain-name <domain-name> --node-to-node-encryption-options Enabled=true
- For a new domain, pass the same option at creation time:
aws es create-elasticsearch-domain --domain-name <domain-name> --elasticsearch-version <version> --node-to-node-encryption-options Enabled=true
- Verify the change:
aws es describe-elasticsearch-domain --domain-name <domain-name> --query "DomainStatus.NodeToNodeEncryptionOptions.Enabled"
There is no enable-node-to-node-encryption subcommand, and the option takes no KMS key ID.
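The following audit script is an added example, not part of this page or of any AWS tooling. It reads the JSON produced by aws es describe-elasticsearch-domains (the real output shape), lists every domain whose NodeToNodeEncryptionOptions.Enabled is not true, and pairs each finding with the remediation that applies: the in-place update-elasticsearch-domain-config command for domains on Elasticsearch 6.0 or later, or an upgrade/recreate note for older ones. The embedded sample output, domain names and versions are constructed for the example; the absent option block on the legacy domain is deliberate, since older domains may omit it entirely and must still be reported as non-compliant.

```python
import json
import sys

# Constructed sample of `aws es describe-elasticsearch-domains` output,
# trimmed to the fields this check reads. Domain names are hypothetical.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DomainStatusList": [
        {
            "DomainName": "logs-prod",
            "ElasticsearchVersion": "7.10",
            "NodeToNodeEncryptionOptions": {"Enabled": True},
        },
        {
            "DomainName": "search-staging",
            "ElasticsearchVersion": "6.8",
            "NodeToNodeEncryptionOptions": {"Enabled": False},
        },
        {
            # Older domain: the option block is missing entirely. A naive
            # check that only looks for Enabled == False would skip it.
            "DomainName": "legacy-5x",
            "ElasticsearchVersion": "5.6",
        },
    ]
})


def supports_in_place_enable(version):
    """Node-to-node encryption needs Elasticsearch 6.0+; any OpenSearch
    version (reported as e.g. 'OpenSearch_1.0') also qualifies."""
    if version.startswith("OpenSearch_"):
        return True
    try:
        major = int(version.split(".")[0])
    except ValueError:
        return False
    return major >= 6


def audit(describe_output):
    """Return one finding per domain without node-to-node encryption.

    Each finding carries the domain name, its engine version and the
    command (or action) that remediates it.
    """
    findings = []
    for domain in json.loads(describe_output).get("DomainStatusList", []):
        # Treat a missing block or a missing key exactly like Enabled=false.
        enabled = domain.get("NodeToNodeEncryptionOptions", {}).get("Enabled", False)
        if enabled is True:
            continue
        name = domain["DomainName"]
        version = domain.get("ElasticsearchVersion", "")
        if supports_in_place_enable(version):
            remediation = (
                f"aws es update-elasticsearch-domain-config --domain-name {name} "
                "--node-to-node-encryption-options Enabled=true"
            )
        else:
            remediation = (
                f"upgrade {name} to Elasticsearch 6.0 or later (or recreate it "
                "with node-to-node encryption enabled) before enabling"
            )
        findings.append({"domain": name, "version": version, "remediation": remediation})
    return findings


if __name__ == "__main__":
    # Pipe real output in:  aws es describe-elasticsearch-domains \
    #   --domain-names $(aws es list-domain-names --query "DomainNames[].DomainName" --output text) \
    #   | python audit_ntn.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for finding in audit(raw):
        print(f"{finding['domain']} ({finding['version'] or 'unknown version'}): {finding['remediation']}")
```

Run against real output, the script prints one line per non-compliant domain; run with no input it evaluates the constructed sample and reports search-staging and legacy-5x. The version gate matters because update-elasticsearch-domain-config will reject the option on a pre-6.0 domain, so the report tells the operator which domains need an upgrade first.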
Using AWS GUI:
To enable node-to-node encryption for ES domains using the AWS console, you can follow these steps:
- Go to the Amazon ES console.
- Open the Domains list.
- Select the domain that you want to enable encryption for.
- Edit the domain's security configuration.
- Under Encryption, select the Node-to-node encryption option and save the change.
No KMS key is requested for this setting; a KMS key is only required if you also enable encryption at rest.
Backout Plan:
Node-to-node encryption cannot be disabled on a domain once it is enabled, so there is no in-place backout. If the setting must be reverted:
- Take a manual snapshot of the domain's indexes.
- Create a new domain without node-to-node encryption and restore the snapshot into it.
- Repoint clients to the new domain endpoint, then delete the old domain.
Leave the domain's access policy restricted throughout; the backout concerns only the encryption setting, not who may access the data.
Note:
- This policy is applicable to all ES domains.
- The default value for this policy is that node-to-node encryption is not enabled.
- The reference for this policy is the following AWS documentation: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/ntn.html (encryption at rest, a separate control, is covered at https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html).
Section 2:
- Tags: es, security, encryption, node-to-node
- Keywords: amazon elasticsearch service, tls, encryption in transit