ElasticSearch Node To Node Encryption

Risk level: High (not acceptable risk)

Rule ID: ES-015

Ensure that node-to-node encryption feature is enabled for your AWS ElasticSearch domains (clusters) in order to add an extra layer of data protection on top of the existing ES security features such as HTTPS client to cluster encryption and data-at-rest encryption, and meet strict compliance requirements. The ElasticSearch node-to-node encryption capability provides the additional layer of security by implementing Transport Layer Security (TLS) for all communications between the nodes provisioned within the cluster. The feature ensures that any data sent to your AWS ElasticSearch domain over HTTPS remains encrypted in transit while it is being distributed and replicated between the nodes.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

As a security best practice, it is always recommended to use encryption to promote data security and fulfill any compliance requirements related to data protection available within your organization. Node-to-node encryption prevents potential attackers from intercepting traffic between ElasticSearch cluster nodes and keeps the ES domain's data secure.

Note: Node-to-node encryption is supported only by domains with ElasticSearch version 6.0 or later.

Audit

To determine if the communication between ElasticSearch cluster nodes is encrypted, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to ElasticSearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Choose the ES cluster that you want to examine and click on the domain name (link) to access its configuration page.

04 On the domain configuration page, select the Overview tab and check the Node-to-node encryption attribute value. If the attribute value is set to Disabled, the node-to-node encryption feature is not enabled for the selected Amazon ElasticSearch domain, therefore the communication between the cluster nodes is not encrypted.

05 Repeat step no. 3 and 4 to check the feature status for other AWS ElasticSearch domains available in the current region.

06 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the names of all Amazon ElasticSearch domains currently available in the selected region:

aws es list-domain-names
	--region us-east-1
	--output table
	--query 'DomainNames'

02 The command output should return the ES domain names available:

----------------------------
|      ListDomainNames     |
+--------------------------+
|  cc-project5-es-cluster  |
|  cc-prod-app-es-cluster  |
+--------------------------+

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the ElasticSearch domain that you want to examine as identifier and custom query filters to determine if node-to-node encryption is enabled for the selected resource:

aws es describe-elasticsearch-domain
	--region us-east-1
	--domain-name cc-project5-es-cluster
	--query 'DomainStatus.NodeToNodeEncryptionOptions.Enabled'

04 The command output should return the requested ES feature status:

false

If the describe-elasticsearch-domain command output is false, as shown in the example above, the node-to-node encryption feature is not enabled for the selected Amazon ElasticSearch domain.

05 Repeat step no. 3 and 4 to check node-to-node encryption status for other AWS ES domains provisioned in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To enable node-to-node encryption for your existing Amazon ElasticSearch domains, you need to re-create them with the necessary configuration. To relaunch the required ES domains, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to ElasticSearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Choose the ES domain that you want to re-create (see Audit section part I to identify the right resource), then click on the domain name (link) to access its configuration page.

04 On the selected domain configuration page, perform the following actions:

Select the Overview tab and copy the domain configuration information such as Instance count, Instance type, Dedicated master instance type, Dedicated master instance count, Storage Type, EBS volume type, EBS volume size and so on.
Select the VPC tab and copy the network configuration information such as VPC ID, Security groups ID(s), IAM role name and AZs and Subnets IDs.
Click on Modify access policy button from the dashboard top menu and copy the policy document available in the Add or edit the access policy textbox.

05 Go back to the AWS ElasticSearch service dashboard and click Create new domain to launch a new ES domain.

06 On Define domain page, perform the following:

Provide a unique name for the new ES domain in the Elasticsearch domain name box.
Select the appropriate version of the Elasticsearch engine from the Elasticsearch version dropdown list. Note that node-to-node encryption can be enabled only for domains with ElasticSearch version 6.0 and above.
Click Next to continue the domain setup process.

07 On Configure cluster page, set the new domain parameters using the configuration details copied at step no. 4, a. from the source ES domain, then click Next to continue.

08 On Set up access page, perform the following:

Configure the network access for the new ES domain by using the same parameters copied at step no. 4 b.
Select Node-to-node encryption checkbox to enable the node-to-node encryption feature for the new domain (cluster).
Paste the access policy copied at step no. 4 c. into the Add or edit the access policy textbox to use the same access policy as the source domain.
Click the Next button to continue the domain setup.

09 On Review page, verify the domain configuration details then click Confirm to launch your new AWS ElasticSearch cluster with node-to-node encryption enabled.

10 Once the new AWS ES domain is created, upload the data from the source AWS ES domain to the new (destination) domain.

11 Now you can remove the source ElasticSearch domain in order to avoid further charges for this AWS resource. To delete the required domain, perform the following actions:

Click on the name of the domain that you want to remove (see Audit section part I to identify the right ElasticSearch resource).
On the selected domain description page, click Delete domain to start the removal process.
Inside the Delete domain dialog box, check Delete the domain <domain_name> then click the Delete button to confirm the action.

12 Repeat steps no. 3 - 11 to enable node-to-node encryption for other AWS ElasticSearch domains, available in the selected region.

13 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-elasticsearch-domain Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon ES domain that you want to relaunch (see Audit section part II to identify the right resource) to describe the configuration information for the selected domain: command (OSX/Linux/UNIX) using the name of the Amazon ES domain that you want to relaunch (see Audit section part II to identify the right resource) to describe the configuration information for the selected domain:

aws es describe-elasticsearch-domain
	--region us-east-1
	--domain-name cc-project5-es-cluster

02 The command output should return the configuration details for the selected ES domain:

{
    "DomainStatus": {
        "ElasticsearchClusterConfig": {
            "DedicatedMasterEnabled": false,
            "InstanceCount": 4,
            "ZoneAwarenessEnabled": false,
            "InstanceType": "m4.large.elasticsearch"
        },
        "DomainId": "123456789012/cc-project5-es-cluster",
        "UpgradeProcessing": false,
        "NodeToNodeEncryptionOptions": {
            "Enabled": false
        },

        ...

        "VPCOptions": {
            "SubnetIds": [
                "subnet-abcd1234"
            ],
            "VPCId": "vpc-aabbccdd",
            "SecurityGroupIds": [
                "sg-012345678abcdabcd"
            ],
            "AvailabilityZones": [
                "us-east-1a"
            ]
        },
        "DomainName": "cc-project5-es-cluster",
        "ElasticsearchVersion": "6.3",
        "ARN": "arn:aws:es:us-east-1:123456789012:domain/cc-project5-es-cluster"
    }
}

03 Run create-elasticsearch-domain command (OSX/Linux/UNIX) using the configuration metadata returned at the previous step to relaunch the selected AWS ElasticSearch domain and enable node-to-node encryption feature using --node-to-node-encryption-options command parameter:

aws es create-elasticsearch-domain
	--region us-east-1
	--domain-name cc-project5-fully-encrypted-cluster
	--elasticsearch-version 6.3
	--elasticsearch-cluster-config InstanceType=m4.large.elasticsearch,InstanceCount=4
	--ebs-options EBSEnabled=true,VolumeType=standard,VolumeSize=50
	--access-policies file://source-es-domain-access-policy.json
	--vpc-options SubnetIds=subnet-abcd1234,SecurityGroupIds=sg-012345678abcdabcd
	--encryption-at-rest-options Enabled=true,KmsKeyId="abcd1234-aaaa-bbbb-cccc-aabbccdd1234"
	--node-to-node-encryption-options Enabled=true

04 The command output should return the metadata for the new AWS ElasticSearch domain:

{
    "DomainStatus": {
        "DomainId": "123456789012/cc-project5-fully-encrypted-cluster",
        "Processing": true,
        "NodeToNodeEncryptionOptions": {
            "Enabled": true
        },

        ...

        "DomainName": "cc-project5-fully-encrypted-cluster",
        "ElasticsearchVersion": "6.3",
        "ARN": "arn:aws:es:us-east-1:123456789012:domain/cc-project5-fully-encrypted-cluster"
    }
}

05 Now that the new domain is created, upload the existing data (exported from the source ES cluster) to the newly created cluster.

06 Once the data is successfully uploaded, it is safe to remove the source ElasticSearch domain in order to stop incurring AWS charges. To remove the required domain from your AWS account, run delete-elasticsearch-domain command (OSX/Linux/UNIX):

aws es delete-elasticsearch-domain
	--region us-east-1
	--domain-name cc-project5-es-cluster

07 The command output should return the source AWS ElasticSearch domain metadata:

{
    "DomainStatus": {
        "DomainId": "123456789012/cc-project5-es-cluster",
        "UpgradeProcessing": false,
        "NodeToNodeEncryptionOptions": {
            "Enabled": false
        },

        ...

        "DomainName": "cc-project5-es-cluster",
        "ElasticsearchVersion": "6.3",
        "ARN": "arn:aws:es:us-east-1:123456789012:domain/cc-project5-es-cluster"
    }
}

08 Repeat steps no. 1 – 7 to enable node-to-node encryption for other Amazon ES domains, available in the current region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the remediation/resolution process for other regions.

References

AWS Command Line Interface (CLI) Documentation
es
list-domain-names
describe-elasticsearch-domain
create-elasticsearch-domain
delete-elasticsearch-domain

Publication date Oct 15, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

ElasticSearch Node To Node Encryption

Risk level: High

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related Elasticsearch rules