🛡️ AWS OpenSearch Domain Node To Node Encryption is not enabled🟢

• Contextual name: 🛡️ Domain Node To Node Encryption is not enabled🟢
• ID: /ce/ca/aws/opensearch/domain-node-to-node-encryption
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS OpenSearch Domain
  • 🔌 AWS OpenSearch Domain - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [Opensearch.3] OpenSearch domains should encrypt data sent between nodes
• AWS Security Hub: [ES.3] Elasticsearch domains should encrypt data sent between nodes

Description

Open File

Description

This policy identifies AWS OpenSearch Domains that do not have node-to-node encryption enabled.

Node-to-node encryption in AWS OpenSearch Service adds an additional layer of security by using TLS for all communication between nodes in a cluster. This prevents potential attackers from intercepting or reading data as it moves between nodes.

Rationale

Encrypting data in transit between nodes protects against man-in-the-middle and eavesdropping attacks, even within your VPC. While network-level controls such as security groups provide a first line of defense, node-to-node encryption ensures that traffic between OpenSearch nodes remains unreadable if an unauthorized party gains network access. This is especially important in environments handling sensitive or regulated data.

Audit

This policy flags an AWS OpenSearch Domain as INCOMPLIANT if the Node To Node Encryption Enabled checkbox is set to false.

Remediation

Open File

Remediation

Enable Node-to-node Encryption

To enable Node-to-node encryption of data, the domain must be running OpenSearch or Elasticsearch version 6.7 or later.

aws opensearch update-domain-config \
    --domain-name {{domain-name}} \
    --node-to-node-encryption-options Enabled=true

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.3] Elasticsearch domains should encrypt data sent between nodes			1		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.3] OpenSearch domains should encrypt data sent between nodes			1		no data
💼 Cloudaware Framework → 💼 Data Encryption			54		no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	85		no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			31		no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	19		no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	18		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	32		no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	15		no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		19		no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			18		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			32		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		69		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			31		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		19		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			18		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			32		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			15		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			145		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			72		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			159		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			135		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			151		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			98		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	95		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			31		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8 Transmission Confidentiality and Integrity	5	8	18		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	17		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling			9		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		21		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23 Session Authenticity	5		9		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers			8		no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	24		no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		24		no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	24		no data