Ensure all Elasticsearch has node-to-node encryption enabled

ID

elasticsearch_node_to_node_encryption_disabled

Severity

high

Vendor

AWS

Resource

Elasticsearch

Tags

reachable

Description

AWS Elasticsearch Service can host sensitive workloads with node-to-node encryption, which uses Transport Layer Security (TLS) for all communication between the instances in a cluster.

With node-to-node encryption enabled, data sent to your Amazon Elasticsearch Service domain over HTTPS stays encrypted in flight while it is distributed and replicated between the nodes. Without it, traffic between nodes crosses the network in plaintext, even though the client connection to the domain endpoint was encrypted.

Examples

CloudFormation

{
  "Resources": {
    "MyElasticsearchDomain": {
      "Type": "AWS::Elasticsearch::Domain"
    }
  }
}

The NodeToNodeEncryptionOptions block is missing, so node-to-node encryption is NOT enabled.

Resources:
  MyElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain

The NodeToNodeEncryptionOptions block is missing, so node-to-node encryption is NOT enabled.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "MyElasticsearchDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {
        "NodeToNodeEncryptionOptions": {
          "Enabled": true
        }
      }
    }
  }
}

NodeToNodeEncryptionOptions/Enabled set to true means node-to-node encryption is enabled.

Resources:
  MyElasticsearchDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      NodeToNodeEncryptionOptions:
        Enabled: true

NodeToNodeEncryptionOptions/Enabled set to true means node-to-node encryption is enabled.
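The following is an added example, not code from the original policy page or from any scanner it belongs to. It implements the build-time check the page describes as a small Python function over a parsed CloudFormation template: an AWS::Elasticsearch::Domain resource fails when its NodeToNodeEncryptionOptions block is missing, when Enabled is absent, or when Enabled is false. It also shows the matching runtime check over the DomainStatus shape returned by the es:DescribeElasticsearchDomain API, evaluated here against a constructed sample response rather than a live call. The function names and the sample templates and response are assumptions made for illustration; the two CloudFormation templates mirror the failing and passing examples above.

```python
"""Build-time and runtime checks for Elasticsearch node-to-node encryption.

Added example for the policy above; function names and sample data are
constructed for illustration and are not part of the original page.
YAML templates can be handled the same way after loading them into a dict
with a YAML parser (assumed to be available; only JSON is parsed here).
"""
import json

ES_DOMAIN_TYPE = "AWS::Elasticsearch::Domain"


def node_to_node_encryption_enabled(properties):
    """True only when NodeToNodeEncryptionOptions/Enabled is set to true.

    A missing Properties block, a missing NodeToNodeEncryptionOptions block,
    or Enabled set to false all count as NOT enabled (the policy's failing
    case). CloudFormation accepts the boolean either as JSON true or as the
    string "true", so both spellings are accepted here.
    """
    options = (properties or {}).get("NodeToNodeEncryptionOptions") or {}
    enabled = options.get("Enabled")
    if enabled is True:
        return True
    return isinstance(enabled, str) and enabled.lower() == "true"


def find_unencrypted_domains(template):
    """Return logical IDs of Elasticsearch domains that fail the policy."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != ES_DOMAIN_TYPE:
            continue  # other resource types are out of scope for this check
        if not node_to_node_encryption_enabled(resource.get("Properties")):
            failing.append(logical_id)
    return failing


def check_template_json(text):
    """Parse a JSON CloudFormation template and run the policy over it."""
    return find_unencrypted_domains(json.loads(text))


def domain_status_compliant(describe_response):
    """Runtime check over an es:DescribeElasticsearchDomain response.

    The API reports the setting under DomainStatus.NodeToNodeEncryptionOptions
    .Enabled as a real boolean; a missing block is treated as disabled.
    """
    status = describe_response.get("DomainStatus", {})
    options = status.get("NodeToNodeEncryptionOptions") or {}
    return options.get("Enabled") is True


# Constructed sample inputs (mirroring the page's examples).
FAILING_TEMPLATE = """{
  "Resources": {
    "MyElasticsearchDomain": {"Type": "AWS::Elasticsearch::Domain"}
  }
}"""

PASSING_TEMPLATE = """{
  "Resources": {
    "MyElasticsearchDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {"NodeToNodeEncryptionOptions": {"Enabled": true}}
    }
  }
}"""

# Explicitly disabled: the block exists but Enabled is false, still a failure.
DISABLED_TEMPLATE = """{
  "Resources": {
    "MyElasticsearchDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {"NodeToNodeEncryptionOptions": {"Enabled": false}}
    },
    "UnrelatedBucket": {"Type": "AWS::S3::Bucket"}
  }
}"""

# Constructed sample of the shape returned by describe_elasticsearch_domain.
SAMPLE_DESCRIBE_RESPONSE = {
    "DomainStatus": {
        "DomainName": "example-domain",
        "NodeToNodeEncryptionOptions": {"Enabled": True},
    }
}


if __name__ == "__main__":
    for name, text in [("failing", FAILING_TEMPLATE),
                       ("passing", PASSING_TEMPLATE),
                       ("disabled", DISABLED_TEMPLATE)]:
        print(name, "->", check_template_json(text) or "compliant")
    print("runtime ->", domain_status_compliant(SAMPLE_DESCRIBE_RESPONSE))
```

The build-time function is what a template linter or CI gate would run before deployment; the runtime function is the same rule applied to what the API actually reports, which is the check you want against domains that were created outside infrastructure-as-code.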

Runtime

AWS Console

To enable node-to-node encryption from the AWS Management Console:

  • Open the AWS ES console.

  • Navigate to the Analytics section and select Elasticsearch Service.

  • To enable node-to-node encryption when you configure a new cluster, select Node-to-node encryption.