Elasticsearch encryption with KMS disabled
Id: 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2
Cloud Provider: AWS
Platform: Terraform
Severity: High
Category: Encryption
Description
Elasticsearch domains should use AWS Key Management Service (KMS) for encryption at rest to provide enhanced security. While enabling basic encryption at rest is important, not specifying a KMS key ID means Elasticsearch will use the default AWS-managed key rather than a customer-managed key, reducing your control over the encryption process (key policy, rotation, and auditing). Without KMS encryption, sensitive data stored in Elasticsearch could be at risk if unauthorized access to the storage media occurs.
To properly implement KMS encryption, ensure the encrypt_at_rest block includes both enabled = true and a specific kms_key_id, as shown below:
encrypt_at_rest {
  enabled    = true
  kms_key_id = "your-kms-key-id"
}
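As an added example (not code from the original page or from the KICS project), the following Terraform creates a customer-managed KMS key in the same configuration and references it from the domain, so the key ID is never hard-coded; the resource names, Elasticsearch version and instance type are assumptions.

```hcl
# Customer-managed key (CMK) used for the domain's encryption at rest.
# Resource names and description are assumed for this example.
resource "aws_kms_key" "elasticsearch" {
  description             = "CMK for Elasticsearch encryption at rest"
  deletion_window_in_days = 30
  enable_key_rotation     = true
}

resource "aws_elasticsearch_domain" "example" {
  domain_name           = "example"
  elasticsearch_version = "7.10" # assumed; encryption at rest needs 5.1 or later

  cluster_config {
    # Assumed instance type; encryption at rest is not available on every instance family.
    instance_type = "t3.small.elasticsearch"
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  encrypt_at_rest {
    enabled    = true
    # Reference the CMK's ARN instead of a hard-coded key ID, so the
    # domain is tied to a key whose policy and rotation you control.
    kms_key_id = aws_kms_key.elasticsearch.arn
  }
}
```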
Compliant Code Examples
resource "aws_elasticsearch_domain" "negative1" {
  domain_name           = "example"
  elasticsearch_version = "1.5"
  encrypt_at_rest {
    enabled    = true
    kms_key_id = "some-key-id"
  }
}
Non-Compliant Code Examples
resource "aws_elasticsearch_domain" "positive1" {
  domain_name           = "example"
  elasticsearch_version = "1.5"
  encrypt_at_rest {
    enabled = true
  }
}