Skip to content

Elasticsearch: Ensure data at rest is encrypted

Description

Amazon Elasticsearch domains offer encryption of data at rest, a security feature that helps prevent unauthorized access to your data. The feature uses AWS Key Management Service (AWS KMS) to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption.

If enabled, the feature encrypts the following aspects of a domain:

  • Indices
  • Elasticsearch logs
  • Swap files
  • All other data in the application directory
  • Automated snapshots

Rationale

Encrypting storage at rest is critical as it prevents an adversary that acquires physical access to the underlying data storage from accessing your data.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag With Value
secureclouddb/provider aws
secureclouddb/service elasticsearch

Default Rule

/**
 * @param {Object} awsElasticsearchDomainStatus - Elasticsearch Domain Status
 * @returns {boolean} true if encryption at rest is enabled
 */
function validate(databaseSettings) {

    const success =
        databaseSettings.awsDatabaseInstance &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain.encryptionAtRestOptions &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain.encryptionAtRestOptions.enabled

    return {
        success,
    }
}

// invoke
validate(databaseSettings);