Skip to main content

πŸ›‘οΈ AWS OpenSearch Domain is not encrypted at rest🟒

Logic​

Similar Policies​

Description​

Open File

Description​

This policy identifies AWS OpenSearch Domains that do not have encryption at rest enabled.

When enabled, encryption at rest secures the following data within the domain:

  • All indexes, including those stored in UltraWarm storage
  • OpenSearch logs
  • Swap files
  • All other data in the application directory
  • Automated snapshots

The following components are not encrypted when you enable encryption at rest, but you can take additional steps to protect them:

  • Manual snapshots: AWS KMS keys cannot be used to encrypt manual snapshots. However, you can use server-side encryption (SSE) with S3-managed keys or KMS keys to encrypt the Amazon S3 bucket used as the snapshot repository.
  • Slow logs and error logs: If you publish logs to Amazon CloudWatch Logs, you can encrypt the corresponding log group using the same AWS KMS key as your OpenSearch Service domain.

Rationale​

Enabling encryption at rest for OpenSearch domains helps protect data from unauthorized access to the underlying storage. It uses AWS KMS to manage encryption keys, providing a strong layer of protection and supporting compliance with data security and privacy requirements.

... see more

Remediation​

Open File

Remediation​

Enable Encryption at Rest​

To enable encryption of data at rest, the domain must be running OpenSearch or Elasticsearch version 6.7 or later.

Specify your preferred KMS key ARN.

aws opensearch update-domain-config \
    --domain-name {{domain-name}} \
    --encryption-at-rest-options Enabled=true,KmsKeyId={{kms-key-id}}

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [ES.1] Elasticsearch domains should have encryption at-rest enabled1no data
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [Opensearch.1] OpenSearch domains should have encryption at rest enabled1no data
πŸ’Ό AWS Well-Architected β†’ πŸ’Ό SEC08-BP02 Enforce encryption at rest20no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption70no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-3(6) Cryptography Management (H)17no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(10) Prevent Exfiltration (H)18no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1643no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)1736no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)525no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)43no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)136no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)25no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)43no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28 Protection of Information at Rest (L)(M)(H)136no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-28(1) Cryptographic Protection (L)(M)(H)25no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected187no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected160no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected184no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CA-9(1) Internal System Connections _ Compliance Checks54no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό CM-3(6) Configuration Change Control _ Cryptography Management17no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(10) Boundary Protection _ Prevent Exfiltration18no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection432no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28 Protection of Information at Rest31737no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-28(1) Protection of Information at Rest _ Cryptographic Protection1025no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection27no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.1065no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.628no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.28no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.15no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.3.5 Permit only β€œestablished” connections into the network.28no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 7.2.1 Coverage of all system components.11no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.65no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.65no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.28no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.11no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.1 Inbound traffic to the CDE is restricted.765no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.3.2 Outbound traffic from the CDE is restricted.65no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.728no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.11no data