OpenSearch domains should encrypt data sent between nodes

Description

This check determines if node-to-node encryption is activated for OpenSearch domains. Using HTTPS (TLS) can help prevent potential attackers from intercepting or altering network traffic through man-in-the-middle or similar attacks. Only secure connections via HTTPS (TLS) should be permitted. Activating node-to-node encryption for OpenSearch domains ensures that intra-cluster communications are securely encrypted while in transit.

Enabling this feature may come with a performance impact. It’s critical to understand and evaluate the performance implications before enabling this option.
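The check described above can be reproduced against the domain status that the OpenSearch Service API returns. The following Python sketch is an added example, not code from the original page or from any vendor: the sample domain names are constructed, and treating a missing NodeToNodeEncryptionOptions block as a failure and skipping domains marked Deleted are choices made for this example.

```python
def evaluate_domain(status):
    """Return (domain_name, passed, reason) for one DomainStatus dict."""
    name = status.get("DomainName", "<unknown>")
    if status.get("Deleted"):
        # Assumption of this example: domains being deleted are not reported.
        return name, True, "domain is being deleted; skipped"
    opts = status.get("NodeToNodeEncryptionOptions")
    if not isinstance(opts, dict) or "Enabled" not in opts:
        # Fail closed: an absent setting is a finding, never assumed to be on.
        return name, False, "NodeToNodeEncryptionOptions absent"
    if opts["Enabled"] is True:
        return name, True, "node-to-node encryption enabled"
    return name, False, "node-to-node encryption disabled"


def failing_domains(statuses):
    """Names of the domains that do not pass the check, in input order."""
    return [n for n, passed, _ in map(evaluate_domain, statuses) if not passed]


def fetch_domain_statuses(region):
    """Live collection with boto3; needs AWS credentials, unused by the sample run."""
    import boto3  # imported lazily so the offline sample run has no dependency
    client = boto3.client("opensearch", region_name=region)
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    return [client.describe_domain(DomainName=n)["DomainStatus"] for n in names]


# Constructed sample input, shaped like DescribeDomain "DomainStatus" objects.
SAMPLE_STATUSES = [
    {"DomainName": "logs-prod", "NodeToNodeEncryptionOptions": {"Enabled": True}},
    {"DomainName": "search-dev", "NodeToNodeEncryptionOptions": {"Enabled": False}},
    {"DomainName": "legacy-es"},
    {"DomainName": "old-test", "Deleted": True,
     "NodeToNodeEncryptionOptions": {"Enabled": False}},
]

if __name__ == "__main__":
    for name, passed, reason in map(evaluate_domain, SAMPLE_STATUSES):
        print(f"{'PASS' if passed else 'FAIL'}  {name}: {reason}")
```

To run it against a real account, pass the result of fetch_domain_statuses("<region>") to failing_domains instead of the sample list.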

Remediation

To activate node-to-node encryption for an OpenSearch domain, refer to Enabling node-to-node encryption in the Amazon OpenSearch Service Developer Guide.