OpenSearch domains should have encryption at rest enabled

opensearch

Description

This check ensures an OpenSearch domain has encryption-at-rest enabled. To enhance security for sensitive information, it’s important to configure your OpenSearch Service domain for encryption at rest. With this setup, AWS Key Management Service (KMS) stores and manages your encryption keys, utilizing the Advanced Encryption Standard 256-bit algorithm (AES-256) for encryption. For additional details, refer to the section on data encryption at rest for Amazon OpenSearch Service in the Amazon OpenSearch Service Developer Guide.

Remediation

For a guide on enabling encryption at rest for both new and existing OpenSearch domains, please refer to the Enabling encryption of data at rest section in the Amazon OpenSearch Service Developer Guide.