
Elasticsearch domains are encrypted

elasticsearch

Classification:

compliance


Description

Implement at-rest encryption for your Amazon Elasticsearch (ES) domain with the AWS KMS service.

Rationale

Implementing encryption at-rest protects your domain from unauthorized access and ensures security and compliance requirements are met.

Remediation

Console

Follow the Enabling Encryption of Data at Rest docs to learn how to implement encryption for your domain.

CLI

  1. Run describe-elasticsearch-domain with your ES domain to return configuration metadata.

    describe-elasticsearch-domain.sh

        aws es describe-elasticsearch-domain \
            --domain-name your-es-domain
        
  2. Run create-elasticsearch-domain with your domain name and encryption-at-rest-options. Use the metadata returned in the previous step to create and relaunch your ES domain to enable at-rest encryption.

    create-elasticsearch-domain.sh

        aws es create-elasticsearch-domain \
            --domain-name your-es-domain \
            ... \
            --encryption-at-rest-options Enabled=true,KmsKeyId="abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd"
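
The two CLI steps above can be joined by a small script that reads the `describe-elasticsearch-domain` output, checks `EncryptionAtRestOptions`, and builds the request for `create-elasticsearch-domain`. This is an added example, not code from the original page or from AWS. The function names and the sample domain metadata are constructed for illustration, and only the listed subset of settings is carried over.

```python
import json

# Constructed sample of `aws es describe-elasticsearch-domain` output (not real data).
SAMPLE = json.dumps({"DomainStatus": {
    "DomainId": "111122223333/your-es-domain",
    "DomainName": "your-es-domain",
    "ARN": "arn:aws:es:us-east-1:111122223333:domain/your-es-domain",
    "Created": True, "Deleted": False, "Processing": False,
    "ElasticsearchVersion": "6.8",
    "ElasticsearchClusterConfig": {"InstanceType": "m5.large.elasticsearch",
                                   "InstanceCount": 2},
    "EBSOptions": {"EBSEnabled": True, "VolumeType": "gp2", "VolumeSize": 20},
    "VPCOptions": {"VPCId": "vpc-0example", "SubnetIds": ["subnet-0example"],
                   "AvailabilityZones": ["us-east-1a"],
                   "SecurityGroupIds": ["sg-0example"]},
    "EncryptionAtRestOptions": {"Enabled": False},
}})

# DomainStatus keys that create-elasticsearch-domain accepts in the same shape.
COPY_AS_IS = ("DomainName", "ElasticsearchVersion", "ElasticsearchClusterConfig",
              "EBSOptions", "AccessPolicies", "SnapshotOptions")


def is_encrypted_at_rest(status):
    """True only when EncryptionAtRestOptions.Enabled is explicitly true."""
    return (status.get("EncryptionAtRestOptions") or {}).get("Enabled") is True


def build_create_request(describe_json, kms_key_id):
    """Return a create request with encryption enabled, or None if compliant."""
    status = json.loads(describe_json)["DomainStatus"]
    if is_encrypted_at_rest(status):
        return None
    # Read-only fields (ARN, DomainId, Endpoint, ...) are dropped by the allowlist.
    request = {k: status[k] for k in COPY_AS_IS if k in status}
    vpc = status.get("VPCOptions")
    if vpc:  # describe adds VPCId/AvailabilityZones, which create does not accept
        request["VPCOptions"] = {k: vpc[k] for k in ("SubnetIds", "SecurityGroupIds")
                                 if k in vpc}
    request["EncryptionAtRestOptions"] = {"Enabled": True, "KmsKeyId": kms_key_id}
    return request


if __name__ == "__main__":
    # KMS key ID below is the placeholder used in the CLI step above.
    req = build_create_request(SAMPLE, "abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd")
    print(json.dumps(req, indent=2))
```

Save the printed JSON to a file and pass it to `aws es create-elasticsearch-domain --cli-input-json file://request.json`. Settings outside the allowlist, such as log publishing, advanced security options and tags, are not copied and need to be reviewed before the domain is relaunched.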