Profile Applicability:

  • Level 1

Description:

Amazon Elasticsearch Service (Amazon OpenSearch Service) provides managed clusters to run Elasticsearch and OpenSearch, offering powerful search and analytics capabilities. Encryption at-rest ensures that data stored in your Elasticsearch/OpenSearch domains is encrypted when it is not actively in use. AWS provides encryption at-rest by using AWS Key Management Service (KMS), which helps protect your data from unauthorized access. This SOP outlines the process to verify if encryption at-rest is enabled for your Elasticsearch/OpenSearch domains.

Rationale:

Encryption at-rest protects sensitive data stored in your Elasticsearch/OpenSearch domains from unauthorized access and potential data breaches. By enabling encryption at-rest, you ensure compliance with security best practices and regulatory requirements, such as GDPR, HIPAA, or SOC 2. It is essential to verify that encryption is enabled to mitigate the risk of data theft or misuse.

Impact:

If encryption at-rest is not enabled:

  • Data stored in Elasticsearch/OpenSearch could be exposed to unauthorized access.

  • The cluster may not meet security and compliance standards for encryption.

  • Non-compliance with industry regulations (e.g., GDPR, HIPAA, SOC 2) could result in security vulnerabilities and legal issues.

Default Value:

By default, new Amazon Elasticsearch/OpenSearch domains use encryption at-rest with the default AWS-managed key (if no custom KMS key is specified). However, encryption must be explicitly enabled for existing domains that require it.

Pre-requisites:

  • Access to the AWS Management Console or AWS CLI with sufficient IAM permissions.

  • Existing Amazon Elasticsearch/OpenSearch domains.

  • Understanding of how KMS and encryption at-rest work with Amazon OpenSearch Service.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to Amazon OpenSearch Service.

  3. In the Domains section, select the domain you wish to check.

  4. On the Domain details page, look for the Encryption at rest section.

  5. If Encryption at rest is marked as "No", you need to enable it manually.

Using AWS CLI:

List all the domains in Amazon OpenSearch Service:

aws opensearch list-domain-names

For each domain, describe the domain configuration to check the encryption status:

aws opensearch describe-domain --domain-name <domain-name>

  1. In the output, look for the EncryptionAtRestOptions section under DomainStatus:

    • If "Enabled": true, encryption at-rest is enabled.

    • If "Enabled": false or the section is missing, encryption at-rest is not enabled.
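As an added example (not part of this SOP), the following Python script applies the CLI test plan programmatically: it reads describe-domain output, treating a missing EncryptionAtRestOptions section as disabled, over a constructed sample and, in audit_account, over a live account using boto3 (assumed installed and configured); the domain name and key ARN in the sample are placeholders.

```python
import json

# Constructed sample of `aws opensearch describe-domain` output, trimmed to the
# fields this check reads; it is not output captured from a real account.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DomainStatus": {
        "DomainName": "logs-prod",
        "EngineVersion": "OpenSearch_2.11",
        "EncryptionAtRestOptions": {
            "Enabled": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
        },
    }
})


def encryption_at_rest_status(describe_output):
    """Return (enabled, kms_key_id) for one describe-domain result.

    Accepts the JSON text printed by the CLI or the dict returned by boto3.
    A missing EncryptionAtRestOptions section counts as disabled, as the
    test plan above specifies.
    """
    doc = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    opts = doc.get("DomainStatus", {}).get("EncryptionAtRestOptions") or {}
    return bool(opts.get("Enabled", False)), opts.get("KmsKeyId")


def find_noncompliant(domains):
    """domains maps domain name -> describe-domain output; returns names lacking encryption at rest."""
    return sorted(name for name, out in domains.items() if not encryption_at_rest_status(out)[0])


def audit_account(region="us-east-1"):
    """Live variant of the CLI test plan using boto3 (assumed installed and configured)."""
    import boto3  # imported here so the offline helpers above need no AWS SDK
    client = boto3.client("opensearch", region_name=region)
    names = [d["DomainName"] for d in client.list_domain_names().get("DomainNames", [])]
    return find_noncompliant({n: client.describe_domain(DomainName=n) for n in names})


if __name__ == "__main__":
    enabled, key = encryption_at_rest_status(SAMPLE_DESCRIBE_OUTPUT)
    print(f"logs-prod: encryption at rest enabled={enabled} kms_key={key}")
    # Uncomment to audit a real account: print(audit_account())
```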

Implementation Plan:

Using AWS Console:

  1. Open the Amazon OpenSearch Service console.

  2. Select the domain.

  3. In the Encryption at rest section, click Edit.

  4. Check the "Enable encryption of data at rest" box to enable it.

  5. Select the KMS key to be used for encryption (either the default AWS-managed key or a custom KMS key).

  6. Save the changes. The domain will be updated to enable encryption at-rest.

  7. Confirm that the encryption status is displayed as Enabled.

Using AWS CLI:

Run the aws opensearch describe-domain command to check the current encryption status.

aws opensearch describe-domain --domain-name <domain-name>

To enable encryption at rest, run the following command:

aws opensearch update-domain-config --domain-name <domain-name> --encryption-at-rest-options "Enabled=true,KmsKeyId=<KMS-Key-Id>"

Confirm that the domain now has encryption at-rest enabled by describing the domain again.

Backout Plan:

Using AWS Console:

  1. Open the Amazon OpenSearch Service console.
  2. Select the domain.
  3. In the Encryption at rest section, click Edit.
  4. Uncheck the "Enable encryption of data at rest" box to disable it.
  5. Save the changes.

Using AWS CLI:

If enabling encryption at rest causes issues (e.g., performance degradation, access issues):

  1. Identify the affected domain and review the encryption configuration.

  2. Revert the changes by disabling encryption:

aws opensearch update-domain-config --domain-name <domain-name> --encryption-at-rest-options Enabled=false

  3. Monitor the domain to ensure it is operating correctly and that access to the data is restored.

References:


CIS Controls Mapping:

Version | Control ID | Control Description                                                                                              | IG1 | IG2 | IG3
--------|------------|------------------------------------------------------------------------------------------------------------------|-----|-----|----
v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                            |     |     |
v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.         |     |     |
v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                  |     |     |