Elasticsearch: Ensure Cross Node Encryption Enabled

Description

Configure your domains to require TLS for all traffic between nodes so that your data cannot be compromised from inside your cluster.

Rationale

Enabling TLS on communication between nodes in your Elasticsearch cluster decreases the chance that data could be compromised by agents listening on cross-node traffic.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag                       With Value
secureclouddb/provider    aws
secureclouddb/service     elasticsearch

Default Rule

/**
 * @param {Object} databaseSettings - database settings containing the Elasticsearch Domain Status
 * @returns {{success: boolean}} success is true if the node to node encryption feature is enabled
 */
function validate(databaseSettings) {

    // Walk down to the node-to-node encryption options; any missing level yields a falsy value.
    const options =
        databaseSettings &&
        databaseSettings.awsDatabaseInstance &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain &&
        databaseSettings.awsDatabaseInstance.elasticsearchDomain.nodeToNodeEncryptionOptions;

    // Fail closed: a missing object anywhere in the chain, or any value other
    // than boolean true, is reported as a failure.
    const success = Boolean(options) && options.enabled === true;

    return {
        success,
    };
}

// invoke
validate(databaseSettings);
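
The same check applied fail-closed to a whole AWS DescribeElasticsearchDomains response, as an added example that is not part of the rule's own code. The PascalCase field names follow the AWS API; classifyDomain, auditDomains and the sample domains are hypothetical names constructed for this illustration.

```javascript
// Added example (not the rule's own code). Field names follow the AWS
// DescribeElasticsearchDomains response; function names are hypothetical.

function classifyDomain(domainStatus) {
    const name = (domainStatus && domainStatus.DomainName) || '<unnamed>';
    const opts = domainStatus && domainStatus.NodeToNodeEncryptionOptions;

    if (opts === undefined || opts === null) {
        // Options block absent: report a failure instead of assuming a default.
        return { domain: name, compliant: false, reason: 'options-missing' };
    }
    if (typeof opts.Enabled !== 'boolean') {
        // A string such as "false" is truthy, so only a real boolean is accepted.
        return { domain: name, compliant: false, reason: 'enabled-not-boolean' };
    }
    return opts.Enabled
        ? { domain: name, compliant: true, reason: 'enabled' }
        : { domain: name, compliant: false, reason: 'disabled' };
}

function auditDomains(response) {
    // An empty or missing list produces an empty report rather than an exception.
    const list = (response && response.DomainStatusList) || [];
    const results = list.map(classifyDomain);
    return {
        results,
        failing: results.filter((item) => !item.compliant).map((item) => item.domain),
    };
}

// Constructed sample input (not real domains).
const sampleResponse = {
    DomainStatusList: [
        { DomainName: 'logs-prod', NodeToNodeEncryptionOptions: { Enabled: true } },
        { DomainName: 'logs-dev', NodeToNodeEncryptionOptions: { Enabled: false } },
        { DomainName: 'legacy-search' },
        { DomainName: 'imported', NodeToNodeEncryptionOptions: { Enabled: 'false' } },
    ],
};

const report = auditDomains(sampleResponse);
console.log(report.failing);
```

The 'imported' entry shows why a plain truthiness test is not enough: the string 'false' is truthy and would pass a check that only tests `Enabled` for truthiness.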