Elasticsearch domain not encrypted node to node
Id: 967eb3e6-26fc-497d-8895-6428beb6e8e2
Cloud Provider: aws
Framework: Terraform
Severity: Medium
Category: Encryption
Description
Enabling node-to-node encryption for an Elasticsearch domain ensures that data transferred between nodes in the Elasticsearch cluster is encrypted, preventing unauthorized access to data in transit. If the node_to_node_encryption block is omitted, sensitive data could be intercepted by attackers during communication between cluster nodes. To secure the domain, configure:
node_to_node_encryption {
  enabled = true
}
This ensures that all internal communication within the cluster is encrypted, reducing the risk of data exposure.
Compliant Code Examples
resource "aws_elasticsearch_domain" "negative1" {
  domain_name           = "example"
  elasticsearch_version = "1.5"

  cluster_config {
    instance_type = "r4.large.elasticsearch"
  }

  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  # Compliant: node-to-node encryption is explicitly enabled
  node_to_node_encryption {
    enabled = true
  }

  tags = {
    Domain = "TestDomain"
  }
}
Non-Compliant Code Examples
resource "aws_elasticsearch_domain" "positive1" {
  domain_name           = "example"
  elasticsearch_version = "1.5"

  cluster_config {
    instance_type = "r4.large.elasticsearch"
  }

  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  # Non-compliant: node-to-node encryption is explicitly disabled
  node_to_node_encryption {
    enabled = false
  }

  tags = {
    Domain = "TestDomain"
  }
}

resource "aws_elasticsearch_domain" "positive1" {
  domain_name           = "example"
  elasticsearch_version = "1.5"

  cluster_config {
    instance_type = "r4.large.elasticsearch"
  }

  snapshot_options {
    automated_snapshot_start_hour = 23
  }

  # Non-compliant: the node_to_node_encryption block is omitted

  tags = {
    Domain = "TestDomain"
  }
}
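The same rule can be enforced on a Terraform plan before apply. The following is an added example, not code from this page or from the scanner it documents: it reads the resource_changes section of `terraform show -json` output and reports both non-compliant cases shown above. The sample plan is constructed, the function name is hypothetical, and it assumes an omitted block appears as a missing or empty node_to_node_encryption list in the planned values.

```python
import json

# Constructed sample: trimmed "resource_changes" from `terraform show -json <planfile>`.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_elasticsearch_domain.negative1", "type": "aws_elasticsearch_domain",
   "change": {"actions": ["create"],
              "after": {"domain_name": "example",
                        "node_to_node_encryption": [{"enabled": true}]}}},
  {"address": "aws_elasticsearch_domain.positive1", "type": "aws_elasticsearch_domain",
   "change": {"actions": ["create"],
              "after": {"domain_name": "example",
                        "node_to_node_encryption": [{"enabled": false}]}}},
  {"address": "aws_elasticsearch_domain.omitted", "type": "aws_elasticsearch_domain",
   "change": {"actions": ["create"], "after": {"domain_name": "example"}}},
  {"address": "aws_elasticsearch_domain.retired", "type": "aws_elasticsearch_domain",
   "change": {"actions": ["delete"], "after": null}},
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "change": {"actions": ["create"], "after": {"bucket": "example-logs"}}}
]}
""")

RESOURCE_TYPE = "aws_elasticsearch_domain"


def node_to_node_findings(plan):
    """Return (address, reason) for each planned domain lacking node-to-node encryption."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed; nothing to check
            continue
        # Nested blocks are serialized as a list of objects in plan JSON.
        blocks = after.get("node_to_node_encryption") or []
        if not blocks:
            findings.append((rc["address"], "node_to_node_encryption block missing"))
        elif not all(b.get("enabled") is True for b in blocks):
            findings.append((rc["address"], "node_to_node_encryption.enabled is not true"))
    return findings


if __name__ == "__main__":
    for address, reason in node_to_node_findings(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```
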