Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that node-to-node encryption feature is enabled for your AWS ElasticSearch domains (clusters) in order to add an extra layer of data protection on top of the existing ES security features such as HTTPS client to cluster encryption and data-at-rest encryption, and meet strict compliance requirements. The ElasticSearch node-to-node encryption capability provides the additional layer of security by implementing Transport Layer Security (TLS) for all communications between the nodes provisioned within the cluster. The feature ensures that any data sent to your AWS ElasticSearch domain over HTTPS remains encrypted in transit while it is being distributed and replicated between the nodes.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
As a security best practice, it is always recommended to use encryption to promote data security and fulfill any compliance requirements related to data protection available within your organization. Node-to-node encryption prevents potential attackers from intercepting traffic between ElasticSearch cluster nodes and keeps the ES domain's data secure.
Note: Node-to-node encryption is supported only by domains with ElasticSearch version 6.0 or later.
To determine if the communication between ElasticSearch cluster nodes is encrypted, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to ElasticSearch (ES) dashboard at https://console.aws.amazon.com/es/.
03 Choose the ES cluster that you want to examine and click on the domain name (link) to access its configuration page.
04 On the domain configuration page, select the Overview tab and check the Node-to-node encryption attribute value. If the attribute value is set to Disabled, the node-to-node encryption feature is not enabled for the selected Amazon ElasticSearch domain, therefore the communication between the cluster nodes is not encrypted.
05 Repeat step no. 3 and 4 to check the feature status for other AWS ElasticSearch domains available in the current region.
06 Change the AWS region from the navigation bar and repeat the process for the other regions.
01 Run list-domain-names command (OSX/Linux/UNIX) to list the names of all Amazon ElasticSearch domains currently available in the selected region:
aws es list-domain-names --region us-east-1 --output table --query 'DomainNames'
02 The command output should return the ES domain names available:
---------------------------- | ListDomainNames | +--------------------------+ | cc-project5-es-cluster | | cc-prod-app-es-cluster | +--------------------------+
03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the ElasticSearch domain that you want to examine as identifier and custom query filters to determine if node-to-node encryption is enabled for the selected resource:
aws es describe-elasticsearch-domain --region us-east-1 --domain-name cc-project5-es-cluster --query 'DomainStatus.NodeToNodeEncryptionOptions.Enabled'
04 The command output should return the requested ES feature status:
false
05 Repeat step no. 3 and 4 to check node-to-node encryption status for other AWS ES domains provisioned in the current region.
06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
To enable node-to-node encryption for your existing Amazon ElasticSearch domains, you need to re-create them with the necessary configuration. To relaunch the required ES domains, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to ElasticSearch (ES) dashboard at https://console.aws.amazon.com/es/.
03 Choose the ES domain that you want to re-create (see Audit section part I to identify the right resource), then click on the domain name (link) to access its configuration page.
04 On the selected domain configuration page, perform the following actions:
05 Go back to the AWS ElasticSearch service dashboard and click Create new domain to launch a new ES domain.
06 On Define domain page, perform the following:
07 On Configure cluster page, set the new domain parameters using the configuration details copied at step no. 4, a. from the source ES domain, then click Next to continue.
08 On Set up access page, perform the following:
09 On Review page, verify the domain configuration details then click Confirm to launch your new AWS ElasticSearch cluster with node-to-node encryption enabled.
10 Once the new AWS ES domain is created, upload the data from the source AWS ES domain to the new (destination) domain.
11 Now you can remove the source ElasticSearch domain in order to avoid further charges for this AWS resource. To delete the required domain, perform the following actions:
12 Repeat steps no. 3 - 11 to enable node-to-node encryption for other AWS ElasticSearch domains, available in the selected region.
13 Change the AWS region from the navigation bar and repeat the entire process for other regions.
01 Run describe-elasticsearch-domain Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon ES domain that you want to relaunch (see Audit section part II to identify the right resource) to describe the configuration information for the selected domain: command (OSX/Linux/UNIX) using the name of the Amazon ES domain that you want to relaunch (see Audit section part II to identify the right resource) to describe the configuration information for the selected domain:
aws es describe-elasticsearch-domain --region us-east-1 --domain-name cc-project5-es-cluster
02 The command output should return the configuration details for the selected ES domain:
|
{
"DomainStatus": {
"ElasticsearchClusterConfig": {
"DedicatedMasterEnabled": false,
"InstanceCount": 4,
"ZoneAwarenessEnabled": false,
"InstanceType": "m4.large.elasticsearch"
},
"DomainId": "123456789012/cc-project5-es-cluster",
"UpgradeProcessing": false,
"NodeToNodeEncryptionOptions": {
"Enabled": false
},
...
"VPCOptions": {
"SubnetIds": [
"subnet-abcd1234"
],
"VPCId": "vpc-aabbccdd",
"SecurityGroupIds": [
"sg-012345678abcdabcd"
],
"AvailabilityZones": [
"us-east-1a"
]
},
"DomainName": "cc-project5-es-cluster",
"ElasticsearchVersion": "6.3",
"ARN": "arn:aws:es:us-east-1:123456789012:domain/cc-project5-es-cluster"
}
}
03 Run create-elasticsearch-domain command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to relaunch the selected AWS ElasticSearch domain and enable node-to-node encryption feature using --node-to-node-encryption-options command parameter:
aws es create-elasticsearch-domain --region us-east-1 --domain-name cc-project5-fully-encrypted-cluster --elasticsearch-version 6.3 --elasticsearch-cluster-config InstanceType=m4.large.elasticsearch,InstanceCount=4 --ebs-options EBSEnabled=true,VolumeType=standard,VolumeSize=50 --access-policies file://source-es-domain-access-policy.json --vpc-options SubnetIds=subnet-abcd1234,SecurityGroupIds=sg-012345678abcdabcd --encryption-at-rest-options Enabled=true,KmsKeyId="abcd1234-aaaa-bbbb-cccc-aabbccdd1234" --node-to-node-encryption-options Enabled=true
04 The command output should return the metadata for the new AWS ElasticSearch domain:
{
"DomainStatus": {
"DomainId": "123456789012/cc-project5-fully-encrypted-cluster",
"Processing": true,
"NodeToNodeEncryptionOptions": {
"Enabled": true
},
...
"DomainName": "cc-project5-fully-encrypted-cluster",
"ElasticsearchVersion": "6.3",
"ARN": "arn:aws:es:us-east-1:123456789012:domain/cc-project5-fully-encrypted-cluster"
}
}
05 Now that the new domain is created, upload the existing data (exported from the source ES cluster) to the newly created cluster.
06 Once the data is successfully uploaded, it is safe to remove the source ElasticSearch domain in order to stop incurring AWS charges. To remove the required domain from your AWS account, run delete-elasticsearch-domain command (OSX/Linux/UNIX):
aws es delete-elasticsearch-domain --region us-east-1 --domain-name cc-project5-es-cluster
07 The command output should return the source AWS ElasticSearch domain metadata:
{
"DomainStatus": {
"DomainId": "123456789012/cc-project5-es-cluster",
"UpgradeProcessing": false,
"NodeToNodeEncryptionOptions": {
"Enabled": false
},
...
"DomainName": "cc-project5-es-cluster",
"ElasticsearchVersion": "6.3",
"ARN": "arn:aws:es:us-east-1:123456789012:domain/cc-project5-es-cluster"
}
}
08 Repeat steps no. 1 – 7 to enable node-to-node encryption for other Amazon ES domains, available in the current region.
09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the remediation/resolution process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s ChatUnlock the Remediation Steps
Gain free unlimited access to our full Knowledge Base
Over 600 rules & best practices for 
and 
Get started for FREE
Thank you!
Please click the link in the confirmation email sent to
You are auditing:
ElasticSearch Node To Node Encryption
Risk level: High