Ensure that your Amazon ElasticSearch (ES) domains are encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed-keys (default keys used by the ES service when there are no customer keys defined) in order to have more granular control over the data-at-rest encryption/decryption process and to meet compliance requirements.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When you use your own KMS Customer Master Keys to protect your ElasticSearch domains (clusters) and their storage systems, you have full control over who can use these keys to access the clusters data. The AWS KMS service allows you to easily create, rotate, disable and audit CMK encryption keys for your ES domains.
Note: At-rest encryption using KMS CMKs can be enabled only for AWS ES domains with ElasticSearch version 5.1 and above.
To determine the encryption status and configuration for your AWS ElasticSearch domains, perform the following actions:
To encrypt an existing AWS ElasticSearch domain with your own KMS Customer Master Key, you must re-create the domain with the necessary encryption configuration. To create the necessary KMS CMK and set up the new ES domain, enable custom encryption and copy your existing data to it, perform the following actions: