Profile Applicability:

  • Level 1

Description:

Amazon OpenSearch Service (formerly Amazon Elasticsearch Service) is a managed service for running OpenSearch and legacy Elasticsearch clusters in AWS. Node-to-node encryption encrypts the traffic exchanged between the nodes of a domain with TLS, so data that moves inside the cluster (shard replication, query fan-out, cluster state) is protected in transit. This matters most for multi-node and multi-AZ domains, where node traffic crosses hosts and Availability Zones. The setting covers only intra-cluster traffic; client connections to the domain endpoint are protected separately by enforcing HTTPS on the endpoint.

Rationale:

Without node-to-node encryption, the traffic between nodes is sent in cleartext inside the service network. Any party able to observe or inject into that path could read or alter indexed data, queries and cluster metadata, compromising both confidentiality and integrity. Enabling node-to-node encryption makes the service wrap all inter-node traffic in TLS, so intra-cluster communication is protected without any change to clients or applications.

Impact:

If node-to-node encryption is not enabled:

  • Data transferred between nodes is sent unencrypted and may be exposed to unauthorized access.

  • Internal communication may be intercepted or modified without detection.

  • The environment may fail regulatory or organizational requirements that mandate encryption in transit.

  • Features that depend on node-to-node encryption, such as fine-grained access control, cannot be enabled on the domain.

Default Value:

The Amazon OpenSearch Service console pre-selects node-to-node encryption when a new domain is created. A domain created through the API, CLI or infrastructure-as-code tooling without NodeToNodeEncryptionOptions does not have it enabled, and domains created before the setting existed will not have it either. Node-to-node encryption requires Elasticsearch 6.0 or later; all OpenSearch engine versions support it. Once enabled it cannot be disabled on that domain.

Pre-requisites:

  • Access to the AWS Management Console or AWS CLI with IAM permissions for the es:ListDomainNames, es:DescribeDomain and (for remediation) es:UpdateDomainConfig actions.

  • An existing Amazon OpenSearch Service domain running OpenSearch or Elasticsearch 6.0 or later.

  • Basic understanding of node-to-node encryption and encryption in transit.

Test Plan:

Using AWS Console:

  1. Open the Amazon OpenSearch Service console.

  2. Navigate to Domains.

  3. Select the domain you wish to check.

  4. In the Domain details section, scroll down to Encryption in transit.

  5. Look for the Node-to-node encryption setting:

    • If node-to-node encryption is enabled, it will display as Enabled.

    • If node-to-node encryption is disabled, it will display as Disabled.

Using AWS CLI:

Use the following command to list all OpenSearch domains:

aws opensearch list-domain-names

For each domain, describe its configuration:

aws opensearch describe-domain --domain-name <domain-name>

  1. In the output, look for the NodeToNodeEncryptionOptions section under DomainStatus:

    • If "Enabled": true, node-to-node encryption is enabled.

    • If "Enabled": false or the section is missing, node-to-node encryption is not enabled and the domain is non-compliant.

Implementation Plan:

Using AWS Console:

  1. Open the Amazon OpenSearch Service console and navigate to Domains.

  2. Select the domain for which you want to enable node-to-node encryption.

  3. In the Domain details section, click Edit under Encryption in transit.

  4. Enable Node-to-node encryption by checking the appropriate option.

  5. Save the changes to apply the configuration. The change is applied through a blue/green deployment, so the domain status shows as processing until the new environment is ready.

  6. Verify that node-to-node encryption is now enabled by reviewing the domain details.

Using AWS CLI:

Run the aws opensearch describe-domain command to check whether node-to-node encryption is enabled.

aws opensearch describe-domain --domain-name <domain-name>

If node-to-node encryption is not enabled, run the following command to enable it. This is a one-way change that triggers a blue/green deployment of the domain, so run it during a maintenance window and avoid issuing it while the domain is already processing another configuration change:

aws opensearch update-domain-config --domain-name <domain-name> --node-to-node-encryption-options "Enabled=true"

  1. Verify that node-to-node encryption is enabled by describing the domain again once Processing in the output returns to false.
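The following script is an added example covering both the CLI test plan and the CLI implementation plan above; it is not part of the original recommendation. It uses the boto3 OpenSearch client (the Python equivalent of the aws opensearch commands) and needs the es:ListDomainNames, es:DescribeDomain and es:UpdateDomainConfig permissions when run against a real account. The FakeOpenSearchClient class and its three domains are constructed stand-ins so the audit and remediation logic can be exercised offline; the domain names and versions in it are assumptions, not real resources.

```python
"""Audit and remediate node-to-node encryption on Amazon OpenSearch Service domains.

Added example, not part of the original recommendation text. Uses the boto3
OpenSearch client when run with --live; the FakeOpenSearchClient below is a
constructed stand-in so the logic can be exercised offline.
"""

# Node-to-node encryption requires Elasticsearch 6.0 or later; every
# OpenSearch engine version supports it.
MIN_ES_VERSION = (6, 0)


def node_to_node_enabled(domain_status: dict) -> bool:
    """True only when NodeToNodeEncryptionOptions.Enabled is literally true.

    A missing section, or any value other than boolean true, counts as
    disabled, matching the test plan's reading of describe-domain output.
    """
    opts = domain_status.get("NodeToNodeEncryptionOptions") or {}
    return opts.get("Enabled") is True


def engine_supports_n2n(engine_version: str) -> bool:
    """Parse 'OpenSearch_2.11' / 'Elasticsearch_7.10' style EngineVersion strings."""
    engine, _, version = engine_version.partition("_")
    if engine == "OpenSearch":
        return True
    if engine == "Elasticsearch":
        major, _, minor = version.partition(".")
        return (int(major), int(minor or 0)) >= MIN_ES_VERSION
    return False


def audit_domains(client) -> dict:
    """Return {domain_name: node_to_node_enabled} for every domain in the account/region."""
    result = {}
    for entry in client.list_domain_names()["DomainNames"]:
        name = entry["DomainName"]
        status = client.describe_domain(DomainName=name)["DomainStatus"]
        result[name] = node_to_node_enabled(status)
    return result


def ensure_node_to_node_encryption(client, domain_name: str, dry_run: bool = False) -> str:
    """Enable node-to-node encryption if it is off and return the action taken.

    Enabling is a one-way change that triggers a blue/green deployment, so the
    function refuses to act while the domain is already processing a change,
    rejects engine versions that cannot support it, and never turns it off.
    """
    status = client.describe_domain(DomainName=domain_name)["DomainStatus"]
    if node_to_node_enabled(status):
        return "already-enabled"
    if not engine_supports_n2n(status.get("EngineVersion", "")):
        return "unsupported-engine-version"
    if status.get("Processing"):
        return "domain-busy"
    if dry_run:
        return "would-enable"
    client.update_domain_config(
        DomainName=domain_name,
        NodeToNodeEncryptionOptions={"Enabled": True},
    )
    return "enabled"


class FakeOpenSearchClient:
    """Constructed stand-in for boto3.client('opensearch'); sample data only."""

    def __init__(self):
        self.domains = {
            "logs-prod": {"EngineVersion": "OpenSearch_2.11",
                          "NodeToNodeEncryptionOptions": {"Enabled": True},
                          "Processing": False},
            "legacy-search": {"EngineVersion": "Elasticsearch_7.10",
                              "NodeToNodeEncryptionOptions": {"Enabled": False},
                              "Processing": False},
            # Section absent entirely, as on a domain created before the option existed.
            "ancient": {"EngineVersion": "Elasticsearch_5.6", "Processing": False},
        }
        self.updates = []  # record of update_domain_config calls

    def list_domain_names(self):
        return {"DomainNames": [{"DomainName": n} for n in self.domains]}

    def describe_domain(self, DomainName):
        return {"DomainStatus": dict(self.domains[DomainName], DomainName=DomainName)}

    def update_domain_config(self, DomainName, NodeToNodeEncryptionOptions):
        self.updates.append((DomainName, NodeToNodeEncryptionOptions))
        self.domains[DomainName]["NodeToNodeEncryptionOptions"] = dict(NodeToNodeEncryptionOptions)
        self.domains[DomainName]["Processing"] = True  # blue/green deployment in progress
        return {"DomainConfig": {}}


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # needs es:ListDomainNames, es:DescribeDomain, es:UpdateDomainConfig
        client = boto3.client("opensearch")
    else:
        client = FakeOpenSearchClient()
    for name, ok in audit_domains(client).items():
        print(f"{name}: node-to-node encryption {'Enabled' if ok else 'Disabled'}")
        if not ok:
            action = ensure_node_to_node_encryption(client, name, dry_run="--fix" not in sys.argv)
            print(f"  -> {action}")
```

Run without arguments to see the audit against the constructed data; pass --live to audit a real account and --live --fix to remediate. The remediation never sends Enabled=false, because the service does not accept that change once encryption is on.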

Backout Plan:

Amazon OpenSearch Service does not support disabling node-to-node encryption once it has been enabled on a domain, so an update-domain-config call that sets NodeToNodeEncryptionOptions to Enabled=false is rejected. If enabling it causes issues (for example, a failed or stalled blue/green deployment):

  1. Identify the affected domain, confirm its status with aws opensearch describe-domain, and check the Processing and UpgradeProcessing fields before making further changes.

  2. If the domain must run without node-to-node encryption, create a new domain without the setting, restore the data into it from a manual snapshot, and repoint clients to the new endpoint.

  3. Monitor the domain to ensure it is functioning correctly and that access is restored.

Note:

  • Key Management: Node-to-node encryption uses TLS with certificates managed by the service; there is no customer-managed key involved. AWS KMS keys apply to encryption at rest, which is a separate setting (EncryptionAtRestOptions) and should be audited on its own.

  • Scope: Node-to-node encryption protects only traffic between nodes. Client traffic to the domain endpoint is protected by the Enforce HTTPS setting (DomainEndpointOptions.EnforceHTTPS) and its TLS security policy; check both when assessing encryption in transit. Fine-grained access control requires node-to-node encryption to be enabled.

  • Performance Impact: While node-to-node encryption is designed to be efficient, monitor the cluster's performance after enabling it to ensure it meets your performance requirements, particularly for large clusters with high data throughput.

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                        | IG1 | IG2 | IG3
  --------|------------|------------------------------------------------------------------------------------------------------------|-----|-----|-----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                       |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.    |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.            |     |     |