Skip to content

Configure Instance Type To Support Encryption At Rest

Description

Encrypting data at rest is vital for regulatory compliance to ensure that sensitive data saved on disks is not readable by any user or application without a valid key. Some compliance regulations such as PCI DSS and HIPAA require that data at rest be encrypted throughout the data lifecycle. To this end, AWS provides data-at-rest options and key management to support the encryption process.

Amazon Elasticsearch domains offer encryption of data at rest. This feature uses AWS Key Management Service (AWS KMS) to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption. If enabled, the feature encrypts the following aspects of a domain:

  • All indices (including those in UltraWarm storage)
  • Elasticsearch logs
  • Swap files
  • All other data in the application directory
  • Automated snapshots

However, the following instance types don't support encryption at rest for Amazon Elasticsearch:

  • m3
  • r3
  • t2

Information about supported instance types can be found in the Amazon Elasticsearch documentation.

Rationale

Encryption at rest is required by many compliance standards, and is a best practice.

Applies To

  • Databases

Tags

This rule is applied when the following tags are present:

Tag With Value
secureclouddb/provider aws
secureclouddb/service elasticsearch

Default Rule

const { isAwsElasticsearch } = aws

/**
 * @param {Object} databaseSettings - database settings object
 * @returns {boolean} true if the instance type supports encryption at rest
 */
function validate(databaseSettings) {
    const unsupportedTypes = ["m3", "r3", "t2"]

    const instanceType =
                 isAwsElasticsearch(databaseSettings) &&
                 databaseSettings.awsDatabaseInstance.elasticsearchDomain.elasticsearchClusterConfig &&
                 databaseSettings.awsDatabaseInstance.elasticsearchDomain.elasticsearchClusterConfig.instanceType

    if (!instanceType) {
        return {
            success: false
        }
    }

    const success = !unsupportedTypes.some(v => instanceType.startsWith(v))

    return {
        success,
    }
}

// invoke
validate(databaseSettings);