Ensure that your Amazon ElasticSearch (ES) domains are encrypted in order to meet security and compliance requirements. Encryption of data at rest helps prevent unauthorized users from reading sensitive information available on your ES domains (clusters) and their storage systems. This includes all data stored on the underlying file systems, primary and replica indices, log files, memory swap files and automated snapshots saved to S3. Amazon ElasticSearch handles the encryption/decryption process seamlessly, so you don’t have to modify your applications to access your data. The ElasticSearch at-rest encryption feature uses AWS KMS service to store and manage the encryption keys.
When working with production data that contains sensitive information, it is highly recommended to implement encryption at rest in order to protect it from unauthorized access and fulfill any compliance requirements available within your organization. Note: At-rest encryption can be enabled only for AWS ES domains with ElasticSearch version 5.1 and above.
To determine if data-at-rest encryption is enabled for your AWS ES domains, perform the following:
To enable at-rest encryption for your existing AWS ElasticSearch domains, you must re-create them with the necessary encryption configuration. To relaunch the required ES domains, perform the following: