Elasticsearch domains should encrypt data transmitted between nodes

Description

This control verifies whether node-to-node encryption is enabled for an Elasticsearch domain. The control fails if the Elasticsearch domain lacks node-to-node encryption. It also generates failed findings if the Elasticsearch version does not support node-to-node encryption, since such a domain cannot be brought into compliance without an upgrade.

Using HTTPS (TLS) is recommended to prevent attackers from intercepting or altering network traffic through person-in-the-middle or similar attacks. Only encrypted connections via HTTPS (TLS) should be permitted. Enabling node-to-node encryption for Elasticsearch domains ensures that communication within the cluster is encrypted during transit.

There may be performance costs associated with this configuration. It is advisable to be aware of and evaluate the performance trade-offs before enabling this feature.
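The following is an added example, not code from the original page or from AWS, of how the two failure conditions above can be evaluated offline over responses shaped like the `DomainStatus` object returned by `describe_elasticsearch_domain`. The 6.0 minimum version comes from the AWS documentation; the sample domains are constructed.

```python
"""Evaluate the node-to-node encryption control over constructed domain data."""
from dataclasses import dataclass

# Node-to-node encryption is available only on Elasticsearch 6.0 or later
# (AWS documentation); older engines fail the control unconditionally.
MIN_SUPPORTED_VERSION = (6, 0)


@dataclass(frozen=True)
class Finding:
    domain: str
    status: str  # "PASS" or "FAIL"
    reason: str


def parse_version(version: str) -> tuple[int, int]:
    """Turn '7.10' or 'Elasticsearch_6.8' into (7, 10) / (6, 8)."""
    number = version.split("_", 1)[-1]  # drop an engine prefix if present
    major, minor, *_ = number.split(".") + ["0"]
    return int(major), int(minor)


def evaluate_domain(domain_status: dict) -> Finding:
    """Mirror the control: fail when encryption is unsupported or disabled."""
    name = domain_status["DomainName"]
    raw_version = domain_status.get("ElasticsearchVersion", "0.0")
    # OpenSearch engines always support node-to-node encryption.
    if not raw_version.startswith("OpenSearch"):
        version = parse_version(raw_version)
        if version < MIN_SUPPORTED_VERSION:
            return Finding(name, "FAIL", f"version {raw_version} cannot enable "
                                         "node-to-node encryption")
    options = domain_status.get("NodeToNodeEncryptionOptions", {})
    if not options.get("Enabled", False):
        return Finding(name, "FAIL", "NodeToNodeEncryptionOptions.Enabled is false")
    return Finding(name, "PASS", "node-to-node encryption enabled")


# Constructed sample DomainStatus records; not taken from a real account.
SAMPLE_DOMAINS = [
    {"DomainName": "search-prod", "ElasticsearchVersion": "7.10",
     "NodeToNodeEncryptionOptions": {"Enabled": True}},
    {"DomainName": "search-legacy", "ElasticsearchVersion": "5.5",
     "NodeToNodeEncryptionOptions": {"Enabled": False}},
    {"DomainName": "search-staging", "ElasticsearchVersion": "6.8"},  # option absent
]


def evaluate_all(domains=SAMPLE_DOMAINS) -> list[Finding]:
    return [evaluate_domain(d) for d in domains]


if __name__ == "__main__":
    for f in evaluate_all():
        print(f"{f.status:4} {f.domain}: {f.reason}")
```

A domain whose `NodeToNodeEncryptionOptions` block is missing is treated the same as one with `Enabled` set to false, which matches how the control reports it.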

Remediation

For details on how to enable node-to-node encryption for both new and existing domains, refer to the section Enabling node-to-node encryption in the Amazon OpenSearch Service Developer Guide.