Ensure node-to-node encryption is enabled for AWS ElasticSearch Domains

MEDIUM

Description

Node-to-node encryption is not enabled on the AWS Elasticsearch domain. Without it, traffic between the nodes of the cluster (shard replication, query fan-out between data nodes, dedicated-master coordination) travels in cleartext inside the VPC, which may expose sensitive customer data to anyone able to observe that traffic. Enabling the setting adds TLS to all intra-cluster communication; it is distinct from encryption at rest and from HTTPS enforcement on the domain endpoint, which cover data on disk and client-to-domain traffic respectively. Node-to-node encryption requires Elasticsearch 6.0 or later (or any OpenSearch version) and cannot be disabled once it has been enabled, so plan the change as a one-way operation.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the OpenSearch Console.
  2. Under Managed clusters in the navigation bar, select Domains.
  3. Choose the domain to edit, and under the Actions drop-down, select Edit security configuration.
  4. Under Encryption, check the box for Node-to-node encryption.
  5. Select Save changes.

In Terraform -

  1. In the aws_elasticsearch_domain resource (or the newer aws_opensearch_domain resource, which takes the same block), add a node_to_node_encryption block with enabled set to true. Omitting the block leaves the setting disabled.
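The following is an added example, not configuration from the original page or from any AWS or HashiCorp documentation. It shows the same domain resource before and after the remediation above; the domain name, version, instance type and sizes are assumed placeholders. Only one of the two resource blocks would exist in a real configuration, since both declare the same domain.

```hcl
# BEFORE (noncompliant): the node_to_node_encryption block is omitted, so the
# provider leaves the setting disabled and intra-cluster traffic is cleartext.
# Flagged by this rule.
resource "aws_elasticsearch_domain" "app_logs" {
  domain_name           = "app-logs"   # assumed placeholder
  elasticsearch_version = "7.10"       # must be 6.0 or later for node-to-node encryption

  cluster_config {
    instance_type  = "m5.large.elasticsearch"
    instance_count = 2
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 20
  }
}

# AFTER (compliant): same resource with node-to-node encryption explicitly
# enabled. Note that this is a one-way change: once applied, setting
# enabled = false is rejected by the service.
resource "aws_elasticsearch_domain" "app_logs" {
  domain_name           = "app-logs"
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type  = "m5.large.elasticsearch"
    instance_count = 2
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 20
  }

  node_to_node_encryption {
    enabled = true
  }
}
```

After `terraform apply`, confirm the live setting rather than trusting the plan, for example with `aws es describe-elasticsearch-domain --domain-name app-logs --query 'DomainStatus.NodeToNodeEncryptionOptions.Enabled'`, which should print `true`. Enabling the option on an existing domain triggers a blue/green deployment, so expect the domain to report a processing state for some time; that is the only way the change is applied, not an indication of failure.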

References:
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ntn.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#node_to_node_encryption

Policy Details

Rule Reference ID: AC_AWS_0114
CSP: AWS
Remediation Available: Yes
Resource Category: Analytics
Resource Type: ElasticSearch Service

Frameworks