π‘οΈ AWS OpenSearch Domain Node To Node Encryption is not enabledπ’
- Contextual name: π‘οΈ Domain Node To Node Encryption is not enabledπ’
- ID:
/ce/ca/aws/opensearch/domain-node-to-node-encryption - Tags:
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY
Logicβ
- π§ prod.logic.yamlπ’
Similar Policiesβ
- AWS Security Hub: [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
- AWS Security Hub: [ES.3] Elasticsearch domains should encrypt data sent between nodes
Descriptionβ
Descriptionβ
This policy identifies AWS OpenSearch Domains that do not have node-to-node encryption enabled.
Node-to-node encryption in AWS OpenSearch Service adds an additional layer of security by using TLS for all communication between nodes in a cluster. This prevents potential attackers from intercepting or reading data as it moves between nodes.
Rationaleβ
Encrypting data in transit between nodes protects against man-in-the-middle and eavesdropping attacks, even within your VPC. While network-level controls such as security groups provide a first line of defense, node-to-node encryption ensures that traffic between OpenSearch nodes remains unreadable if an unauthorized party gains network access. This is especially important in environments handling sensitive or regulated data.
Auditβ
This policy flags an AWS OpenSearch Domain as
INCOMPLIANTif theNode To Node Encryption Enabledcheckbox is set to false.
Remediationβ
Remediationβ
Enable Node-to-node Encryptionβ
To enable Node-to-node encryption of data, the domain must be running OpenSearch or Elasticsearch version 6.7 or later.
aws opensearch update-domain-config \
--domain-name {{domain-name}} \
--node-to-node-encryption-options Enabled=true
Applying node-to-node encryption triggers a blue/green update of the domain, which may cause a brief period of reduced availability or increased latency. Plan the change accordingly.