Ensure that node-to-node encryption feature is enabled for your AWS ElasticSearch domains (clusters) in order to add an extra layer of data protection on top of the existing ES security features such as HTTPS client to cluster encryption and data-at-rest encryption, and meet strict compliance requirements. The ElasticSearch node-to-node encryption capability provides the additional layer of security by implementing Transport Layer Security (TLS) for all communications between the nodes provisioned within the cluster. The feature ensures that any data sent to your AWS ElasticSearch domain over HTTPS remains encrypted in transit while it is being distributed and replicated between the nodes.
This rule can help you with the following compliance standards:
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- APRA
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
As a security best practice, it is always recommended to use encryption to promote data security and fulfill any compliance requirements related to data protection available within your organization. Node-to-node encryption prevents potential attackers from intercepting traffic between ElasticSearch cluster nodes and keeps the ES domain's data secure.
Note: Node-to-node encryption is supported only by domains with ElasticSearch version 6.0 or later.
Audit
To determine if the communication between ElasticSearch cluster nodes is encrypted, perform the following actions:
Remediation / Resolution
To enable node-to-node encryption for your existing Amazon ElasticSearch domains, you need to re-create them with the necessary configuration. To relaunch the required ES domains, perform the following actions:
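The audit and remediation steps above both come down to reading one field of the `describe-elasticsearch-domain` output and, where it is false, re-creating the domain with node-to-node encryption turned on. The following Python is an added example written for this page, not Cloud Conformity's own rule engine: it evaluates constructed sample `DomainStatus` records (trimmed to the fields the check needs, not real AWS output) against the rule, applies the version caveat from the note above, and builds the `create-elasticsearch-domain` command a relaunch would use. The sample domain names and version strings are invented; the JSON keys (`DomainStatus`, `ElasticsearchVersion`, `NodeToNodeEncryptionOptions.Enabled`) and the CLI flags are the real ones from the Amazon ES API.

```python
import re

# Constructed sample: shape of `aws es describe-elasticsearch-domain --domain-name <name>`
# output, reduced to the fields this rule inspects. Domain names and versions are invented.
SAMPLE_DOMAINS = [
    {"DomainStatus": {"DomainName": "logs-prod", "ElasticsearchVersion": "7.10",
                      "NodeToNodeEncryptionOptions": {"Enabled": True}}},
    {"DomainStatus": {"DomainName": "search-dev", "ElasticsearchVersion": "6.8",
                      "NodeToNodeEncryptionOptions": {"Enabled": False}}},
    {"DomainStatus": {"DomainName": "legacy-5x", "ElasticsearchVersion": "5.6",
                      "NodeToNodeEncryptionOptions": {"Enabled": False}}},
]


def major_version(version: str) -> int:
    """Return the numeric major version from strings such as '7.10' or '6.8' (0 if unparsable)."""
    match = re.match(r"(\d+)", version)
    return int(match.group(1)) if match else 0


def evaluate_domain(describe_output: dict) -> dict:
    """Apply the node-to-node encryption rule to one describe-elasticsearch-domain result."""
    status = describe_output["DomainStatus"]
    name = status["DomainName"]
    version = status.get("ElasticsearchVersion", "0")
    # A missing NodeToNodeEncryptionOptions block means the feature was never enabled.
    enabled = status.get("NodeToNodeEncryptionOptions", {}).get("Enabled", False)

    if enabled:
        return {"domain": name, "compliant": True,
                "reason": "node-to-node encryption is enabled"}
    if major_version(version) < 6:
        # Feature only exists on ES 6.0+; the fix is a relaunch on a supported version.
        return {"domain": name, "compliant": False,
                "reason": f"Elasticsearch {version} does not support node-to-node "
                          f"encryption; re-create the domain on version 6.0 or later"}
    return {"domain": name, "compliant": False,
            "reason": "node-to-node encryption is disabled"}


def audit(describe_outputs: list) -> list:
    """Evaluate every domain and return one finding per domain."""
    return [evaluate_domain(d) for d in describe_outputs]


def remediation_command(domain_name: str, version: str) -> str:
    """Build the CLI call that relaunches a domain with node-to-node encryption on.

    The domain must be re-created, so a new name is required; '<new-domain-name>' is a
    placeholder for the operator to replace. Other settings of the original domain
    (instance type, access policy, VPC options) still have to be carried over by hand.
    """
    target_version = version if major_version(version) >= 6 else "6.0"
    return (
        "aws es create-elasticsearch-domain "
        "--domain-name <new-domain-name> "
        f"--elasticsearch-version {target_version} "
        "--node-to-node-encryption-options Enabled=true "
        f"# replaces non-compliant domain {domain_name}"
    )


if __name__ == "__main__":
    for finding in audit(SAMPLE_DOMAINS):
        print(f"{finding['domain']}: {'PASS' if finding['compliant'] else 'FAIL'} "
              f"({finding['reason']})")
        if not finding["compliant"]:
            version = next(d["DomainStatus"]["ElasticsearchVersion"]
                           for d in SAMPLE_DOMAINS
                           if d["DomainStatus"]["DomainName"] == finding["domain"])
            print("  " + remediation_command(finding["domain"], version))
```

Against live accounts, the same `evaluate_domain` function can be fed the parsed JSON of `aws es describe-elasticsearch-domain` for each name returned by `aws es list-domain-names`; the check itself does not change.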
References
- AWS Documentation
  - Amazon Elasticsearch Service FAQs
  - Node-to-node Encryption for Amazon Elasticsearch Service
  - Creating and Configuring Amazon Elasticsearch Service Domains
  - Step 2: Upload Data to an Amazon ES Domain for Indexing
  - Step 4: Delete an Amazon ES Domain
- AWS Command Line Interface (CLI) Documentation
  - es
  - list-domain-names
  - describe-elasticsearch-domain
  - create-elasticsearch-domain
  - delete-elasticsearch-domain
Rule: ElasticSearch Node To Node Encryption (Risk level: High)