Ensure that node-to-node encryption is enabled for Elasticsearch service

The node-to-node encryption capability provides an additional layer of security by implementing Transport Layer Security (TLS) for all communications between Elasticsearch instances in a cluster. It ensures that any data you send to your Amazon Elasticsearch Service domain over HTTPS remains encrypted in-flight while it is being distributed and replicated between the nodes.

Risk Level: High
Cloud Entity: Amazon ElasticSearch service
CloudGuard Rule ID: D9.AWS.CRY.46
Covered by Spectral: Yes
Category: Analytics

GSL LOGIC

ElasticSearchDomain should not have nodeToNodeEncryptionOptions.enabled=false
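The GSL rule above, implemented as an added Python example (not CloudGuard's or AWS's own code) that evaluates the JSON shape returned by `aws es describe-elasticsearch-domains`. The sample domain records are constructed; the check treats a missing `NodeToNodeEncryptionOptions` block as non-compliant, which is stricter than a literal reading of the GSL.

```python
"""Check Amazon ES domain descriptions for node-to-node encryption (rule D9.AWS.CRY.46)."""
from typing import Dict, List

# Constructed sample records following the `DomainStatusList` shape of
# `aws es describe-elasticsearch-domains`; not real domains.
SAMPLE_DOMAIN_STATUS_LIST: List[Dict] = [
    {"DomainName": "logs-prod", "ElasticsearchVersion": "7.10",
     "NodeToNodeEncryptionOptions": {"Enabled": True}},
    {"DomainName": "legacy-search", "ElasticsearchVersion": "5.6",
     "NodeToNodeEncryptionOptions": {"Enabled": False}},
    {"DomainName": "odd-domain", "ElasticsearchVersion": "6.8"},  # option block absent
]


def node_to_node_encrypted(status: Dict) -> bool:
    """True only when NodeToNodeEncryptionOptions.Enabled is the boolean True.

    An absent block or a non-boolean value (e.g. the string "true") fails closed,
    so a malformed record can never be reported as compliant.
    """
    opts = status.get("NodeToNodeEncryptionOptions") or {}
    return opts.get("Enabled") is True


def find_noncompliant(status_list: List[Dict]) -> List[str]:
    """Names of domains that violate the rule, sorted for stable reporting."""
    return sorted(s["DomainName"] for s in status_list if not node_to_node_encrypted(s))


def fetch_domain_status_list(region: str) -> List[Dict]:
    """Live variant: describe every domain in REGION (needs credentials and network)."""
    import boto3  # imported here so the offline evaluation above has no AWS dependency

    es = boto3.client("es", region_name=region)
    names = [d["DomainName"] for d in es.list_domain_names()["DomainNames"]]
    statuses: List[Dict] = []
    # The API accepts at most 5 domain names per describe call, so batch them.
    for i in range(0, len(names), 5):
        resp = es.describe_elasticsearch_domains(DomainNames=names[i:i + 5])
        statuses.extend(resp["DomainStatusList"])
    return statuses


if __name__ == "__main__":
    for name in find_noncompliant(SAMPLE_DOMAIN_STATUS_LIST):
        print(f"NON-COMPLIANT: {name} lacks node-to-node encryption")
```

To audit a real account, replace `SAMPLE_DOMAIN_STATUS_LIST` with `fetch_domain_status_list("eu-west-1")` (region is an example value).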

REMEDIATION

From Portal
By default, node-to-node encryption is not enabled for Amazon OpenSearch Service domains, and you can't enable encryption for existing domains. To enable the encryption feature, you must create another domain and migrate your data. Node-to-node encryption requires Elasticsearch 6.0 or later.

  1. Sign in to your AWS Console and select the Amazon OpenSearch Service.
  2. Select Create a new domain.
  3. Under Deployment type, go to 'Version' and select the Elasticsearch version from the dropdown list.
  4. Under the 'Encryption' section, select the 'Node-to-node encryption' checkbox.
  5. Continue configuring the remaining cluster settings and click Create.

From TF

resource "aws_elasticsearch_domain" "test" {
  domain_name           = "example"
  # Node-to-node encryption requires Elasticsearch 6.0 or later (see above);
  # the original snippet's "1.5" would be rejected for this setting.
  elasticsearch_version = "6.8"

  # Add this block; the setting can only be chosen when the domain is created.
  node_to_node_encryption {
    enabled = true
  }

  tags = {
    Domain = "TestDomain"
  }
}

From Command Line

aws es create-elasticsearch-domain \
  --region REGION_NAME \
  --domain-name NEW_DOMAIN_NAME \
  --elasticsearch-version VERSION_VALUE \
  --elasticsearch-cluster-config InstanceType=EXAMPLE_INSTANCE_TYPE,InstanceCount=VALUE \
  --ebs-options EBSEnabled=TRUE/FALSE,VolumeType=VALUE,VolumeSize=VALUE \
  --access-policies file://domain_policy.json \
  --vpc-options SubnetIds=SUBNET_ID,SecurityGroupIds=SG_ID \
  --encryption-at-rest-options Enabled=TRUE,KmsKeyId=KMS_KEY \
  --node-to-node-encryption-options Enabled=true

References

  1. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomains
  2. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html
  3. https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html
  6. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#snapshot-based-migration
  7. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/ntn.html

Amazon ElasticSearch service

Amazon Elasticsearch Service is a fully managed service that makes it easy for you to deploy, secure, and run Elasticsearch cost effectively at scale. You can build, monitor, and troubleshoot your applications using the tools you love, at the scale you need. The service provides support for open source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services, and built-in alerting and SQL querying. Amazon Elasticsearch Service lets you pay only for what you use; there are no upfront costs or usage requirements. With Amazon Elasticsearch Service, you get the ELK stack you need, without the operational ov

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset