Amazon Elasticsearch Service (ES) is a managed service to host Elasticsearch instances.
To harden domain (cluster) data in case of unauthorized access, ES provides data-at-rest encryption if the Elasticsearch version is 5.1 or above.
Enabling encryption at rest will help protect:
- indices
- logs
- swap files
- data in the application directory
- automated snapshots
Thus, if adversaries gain physical access to the storage medium, they cannot access the data.
Ask Yourself Whether
- The database contains sensitive data that could cause harm when leaked.
- There are compliance requirements for the service to store data encrypted.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to encrypt Elasticsearch domains that contain sensitive information.
Encryption and decryption are handled transparently by ES, so no further modifications to the application are necessary.
Sensitive Code Example
For aws_elasticsearch_domain:
resource "aws_elasticsearch_domain" "elasticsearch" {
  encrypt_at_rest {
    enabled = false # Sensitive, disabled by default
  }
}
Compliant Solution
For aws_elasticsearch_domain:
resource "aws_elasticsearch_domain" "elasticsearch" {
  encrypt_at_rest {
    enabled = true
  }
}
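An added example, not part of the original rule text: a Python check that reads the JSON produced by `terraform show -json <planfile>` and reports `aws_elasticsearch_domain` resources planned without encryption at rest, including domains that omit the block and so get the disabled default. The sample plan and the helper names (`_domain`, `iter_resources`, `supports_encryption`, `unencrypted_domains`) are constructed for illustration.

```python
# Constructed sample in the shape of `terraform show -json <planfile>` output.
def _domain(address, version, encrypt_blocks):
    return {"address": address, "type": "aws_elasticsearch_domain",
            "values": {"elasticsearch_version": version,
                       "encrypt_at_rest": encrypt_blocks}}

SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        _domain("aws_elasticsearch_domain.ok", "7.10", [{"enabled": True}]),
        _domain("aws_elasticsearch_domain.off", "7.10", [{"enabled": False}]),
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {}},
    ],
    "child_modules": [{"resources": [
        _domain("module.search.aws_elasticsearch_domain.legacy", "2.3", []),
    ]}],
}}}

def iter_resources(module):
    """Yield resources from a module and from all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def supports_encryption(version):
    """Encryption at rest requires Elasticsearch 5.1 or above."""
    try:
        major, minor = (int(p) for p in str(version).split(".")[:2])
    except ValueError:
        return True  # version unknown or unparsable: make no claim
    return (major, minor) >= (5, 1)

def unencrypted_domains(plan):
    """Return (address, reason) for each domain without encryption at rest."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_elasticsearch_domain":
            continue
        values = res.get("values", {})
        blocks = values.get("encrypt_at_rest") or []  # nested blocks are lists
        if any(b.get("enabled") is True for b in blocks):
            continue
        reason = "enabled = false" if blocks else "encrypt_at_rest block missing"
        if not supports_encryption(values.get("elasticsearch_version")):
            reason += "; version below 5.1 cannot encrypt at rest"
        findings.append((res["address"], reason))
    return findings

if __name__ == "__main__":
    for address, reason in unencrypted_domains(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```
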