Ensure that node-to-node encryption is enabled for Elasticsearch service
The node-to-node encryption capability provides an additional layer of security by implementing Transport Layer Security (TLS) for all communications between Elasticsearch instances in a cluster. It ensures that any data you send to your Amazon Elasticsearch Service domain over HTTPS remains encrypted in-flight while it is being distributed and replicated between the nodes.
Risk Level: High
Cloud Entity: Amazon ElasticSearch service
CloudGuard Rule ID: D9.CFT.CRY.07
Covered by Spectral: Yes
Category: Analytics
GSL LOGIC
AWS_Elasticsearch_Domain should have NodeToNodeEncryptionOptions.Enabled=true
REMEDIATION
From CFT
Set AWS::Elasticsearch::Domain NodeToNodeEncryptionOptions
property to be true
References
Amazon ElasticSearch service
Amazon Elasticsearch Service is a fully managed service that makes it easy for you to deploy, secure, and run Elasticsearch cost effectively at scale. You can build, monitor, and troubleshoot your applications using the tools you love, at the scale you need. The service provides support for open source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services, and built-in alerting and SQL querying. Amazon Elasticsearch Service lets you pay only for what you use ��� there are no upfront costs or usage requirements. With Amazon Elasticsearch Service, you get the ELK stack you need, without the operational ov
Compliance Frameworks
- AWS CloudFormation ruleset
Updated over 1 year ago