AWS Elasticsearch domain Encryption for data at rest is disabled
Description
This policy identifies Elasticsearch domains for which encryption at rest is disabled. Encryption of data at rest is required to prevent unauthorized users from accessing sensitive information stored in the components of your Elasticsearch domains. This covers all data on the file systems, primary and replica indices, log files, memory swap files and automated snapshots. Elasticsearch uses the AWS KMS service to store and manage the encryption keys. It is highly recommended to enable encryption at rest whenever a domain holds production data with sensitive information, to protect it from unauthorized access.
Code Example
```hcl
resource "aws_elasticsearch_domain" "example" {
  domain_name = "example"

  # Encryption at rest must be explicitly enabled; the provider default is disabled.
  encrypt_at_rest {
    enabled = true
  }
}
```
Remediation
Terraform
- Resource: aws_elasticsearch_domain
- Arguments: encrypt_at_rest
To fix this issue, ensure that your Elasticsearch domain configuration has the `encrypt_at_rest` block present with `enabled = true`; a domain with no `encrypt_at_rest` block at all is also non-compliant, because the default is disabled. The Code Example section above shows how to set this property in a Terraform configuration.
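The same check applied to Terraform plan output (the TerraformPlan framework listed below), as an added example that is not part of this policy page or of Checkov: it reads the JSON that `terraform show -json` produces and reports every `aws_elasticsearch_domain` whose `encrypt_at_rest` block is missing or disabled. The sample plan embedded in the script is constructed for the example.

```python
# Added example (not part of the policy page): flag aws_elasticsearch_domain
# resources in Terraform plan JSON (`terraform show -json`) whose encrypt_at_rest
# block is missing or disabled. The sample plan below is constructed.
import json

# Constructed plan: one compliant domain, one explicitly disabled, one with no
# encrypt_at_rest block (the provider default is disabled), plus an unrelated resource.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_elasticsearch_domain.good", "type": "aws_elasticsearch_domain",
         "change": {"actions": ["create"],
                    "after": {"domain_name": "good",
                              "encrypt_at_rest": [{"enabled": True}]}}},
        {"address": "aws_elasticsearch_domain.bad", "type": "aws_elasticsearch_domain",
         "change": {"actions": ["create"],
                    "after": {"domain_name": "bad",
                              "encrypt_at_rest": [{"enabled": False}]}}},
        {"address": "aws_elasticsearch_domain.missing", "type": "aws_elasticsearch_domain",
         "change": {"actions": ["create"], "after": {"domain_name": "missing"}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "logs"}}},
    ]
})


def encryption_at_rest_enabled(after: dict) -> bool:
    """True only when encrypt_at_rest is present and its enabled flag is true.
    Plan JSON renders a nested block as a list of objects; an absent block,
    an empty list or enabled=false all count as not encrypted."""
    blocks = after.get("encrypt_at_rest") or []
    return any(block.get("enabled") is True for block in blocks)


def find_unencrypted_domains(plan_json: str) -> list:
    """Addresses of aws_elasticsearch_domain resources the plan would create or
    update without encryption at rest. Pure deletions are skipped."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_elasticsearch_domain":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue
        if not encryption_at_rest_enabled(change.get("after") or {}):
            findings.append(rc["address"])
    return findings
```

Run it against a real plan with `terraform show -json tfplan > plan.json` and pass the file contents to `find_unencrypted_domains`; any address it returns should fail the pipeline before apply.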
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0059 |
| Severity | LOW |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_5 |