Ensure encryption at-rest is enabled for AWS ElasticSearch Domains

HIGH

Description

AWS ElasticSearch Domains that are not encrypted at rest may expose sensitive customer data.

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the Elasticsearch (ES) dashboard.
  2. Click on the ES domain.
  3. Open the domain configuration page.
  4. Check if Encryption at rest is enabled.

In Terraform -

  1. In the aws_elasticsearch_domain resource, set the encrypt_at_rest.enabled field to true.
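The Terraform setting above is a nested block inside the resource, not a dotted attribute. The configuration below is an added example, not taken from this policy or from a real deployment, showing a domain that omits the block (Terraform then leaves encryption at rest disabled) beside one that enables it. Resource names, domain names, the version and the instance type are constructed values, and the customer-managed KMS key is optional.

```hcl
# Non-compliant: there is no encrypt_at_rest block, so encryption at rest
# defaults to disabled for this domain.
resource "aws_elasticsearch_domain" "unencrypted" {
  domain_name           = "example-unencrypted" # constructed name
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type = "r5.large.elasticsearch"
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }
}

# Optional customer-managed key. If kms_key_id is omitted below, the domain
# is encrypted with the AWS-managed aws/es key instead.
resource "aws_kms_key" "es" {
  description         = "Example key for Elasticsearch encryption at rest"
  enable_key_rotation = true
}

# Compliant: encrypt_at_rest.enabled is true.
resource "aws_elasticsearch_domain" "encrypted" {
  domain_name           = "example-encrypted" # constructed name
  elasticsearch_version = "7.10"              # encryption at rest needs 5.1 or later

  cluster_config {
    instance_type = "r5.large.elasticsearch"
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  encrypt_at_rest {
    enabled    = true
    kms_key_id = aws_kms_key.es.arn # use the ARN to avoid spurious plan diffs
  }
}
```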

References:
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/encryption-at-rest.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#encrypt_at_rest

Policy Details

Rule Reference ID: AC_AWS_0112
CSP: AWS
Remediation Available: Yes
Resource Category: Analytics
Resource Type: ElasticSearch Service

Frameworks