Ensure that node-to-node encryption feature is enabled for your AWS ElasticSearch domains (clusters) in order to add an extra layer of data protection on top of the existing ES security features such as HTTPS client to cluster encryption and data-at-rest encryption, and meet strict compliance requirements. The ElasticSearch node-to-node encryption capability provides the additional layer of security by implementing Transport Layer Security (TLS) for all communications between the nodes provisioned within the cluster. The feature ensures that any data sent to your AWS ElasticSearch domain over HTTPS remains encrypted in transit while it is being distributed and replicated between the nodes.
As a security best practice, it is always recommended to use encryption to promote data security and fulfill any compliance requirements related to data protection available within your organization. Node-to-node encryption prevents potential attackers from intercepting traffic between ElasticSearch cluster nodes and keeps the ES domain's data secure. Note: Node-to-node encryption is supported only by domains with ElasticSearch version 6.0 or later.
To determine if the communication between ElasticSearch cluster nodes is encrypted, perform the following actions:
To enable node-to-node encryption for your existing Amazon ElasticSearch domains, you need to re-create them with the necessary configuration. To relaunch the required ES domains, perform the following actions: