AWS-ES-ElasticSearch-Node-To-Node-Encryption

Severity: High

Description: This control checks that node-to-node encryption is enabled on AWS Elasticsearch Service domains. Node-to-node encryption, a feature of Amazon ES, encrypts traffic between the nodes of a domain and so adds a layer of protection beyond encryption at rest and client-side TLS. Node-to-node encryption is not enabled by default on Amazon ES.

Remediation Steps:

Perform the following to enable node-to-node encryption:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the Amazon ES console.

  3. Step 1: Migrate data from one ES domain to another

    1. Register the same manual snapshot repository on both the source and destination domains, referring to https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains-snapshots.html#es-managedomains-snapshot-registerdirectory.

    2. Take a manual snapshot of the source Elasticsearch domain, referring to https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains-snapshots.html#es-managedomains-snapshot-create.

    3. Restore the snapshot to the destination domain, referring to https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains-snapshots.html#es-managedomains-snapshot-restore.

  4. Step 2: Create a new Elasticsearch Service domain

    1. Click the Create a new domain button.

    2. Fill in the appropriate settings for the new Elasticsearch Service domain.

    3. In the Encryption section, ensure the node-to-node encryption option is checked.

Important:

You cannot enable node-to-node encryption on an existing Elasticsearch Service domain. You need to create a new Elasticsearch Service domain with node-to-node encryption enabled and migrate the data from the old domain.
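As an added example, not part of the original control text or of Blue Hexagon's tooling, the following Python evaluates this control against the DomainStatus records returned by the Amazon ES DescribeElasticsearchDomains API and flags domains that need the recreate-and-migrate remediation above. The evaluation runs offline on a constructed sample response; the boto3 fetch helper and the sample domain names are assumptions.

```python
"""Evaluate AWS-ES-ElasticSearch-Node-To-Node-Encryption against Amazon ES domain status records."""
from typing import Dict, List

# Wording of the fix a non-compliant domain needs (it cannot be changed in place).
REMEDIATION = "recreate the domain with node-to-node encryption enabled and migrate data via snapshot"


def evaluate_domain(domain_status: Dict) -> Dict:
    """Return a finding for one DomainStatus entry (boto3 / AWS CLI response shape).

    The setting is reported under NodeToNodeEncryptionOptions.Enabled; a missing
    key is treated as disabled, which matches the service default described above.
    """
    opts = domain_status.get("NodeToNodeEncryptionOptions") or {}
    enabled = bool(opts.get("Enabled", False))
    return {
        "DomainName": domain_status.get("DomainName"),
        "NodeToNodeEncryption": enabled,
        "Compliant": enabled,
        "Remediation": None if enabled else REMEDIATION,
    }


def evaluate_domains(domain_status_list: List[Dict]) -> List[Dict]:
    """Evaluate every DomainStatus record in a DomainStatusList."""
    return [evaluate_domain(d) for d in domain_status_list]


def noncompliant_domains(domain_status_list: List[Dict]) -> List[str]:
    """Names of the domains that fail the control."""
    return [f["DomainName"] for f in evaluate_domains(domain_status_list) if not f["Compliant"]]


def fetch_domain_statuses(region_name: str) -> List[Dict]:
    """Live variant (assumed helper): list and describe every domain in a region; needs AWS credentials."""
    import boto3  # imported here so the offline evaluation above has no AWS dependency
    es = boto3.client("es", region_name=region_name)
    names = [d["DomainName"] for d in es.list_domain_names().get("DomainNames", [])]
    statuses: List[Dict] = []
    for i in range(0, len(names), 5):  # describe in small batches
        resp = es.describe_elasticsearch_domains(DomainNames=names[i:i + 5])
        statuses.extend(resp.get("DomainStatusList", []))
    return statuses


# Constructed sample, shaped like a DescribeElasticsearchDomains DomainStatusList.
SAMPLE_DOMAIN_STATUS_LIST = [
    {"DomainName": "logs-prod", "NodeToNodeEncryptionOptions": {"Enabled": True}},
    {"DomainName": "logs-legacy", "NodeToNodeEncryptionOptions": {"Enabled": False}},
    {"DomainName": "search-old"},  # key absent: older domain, treated as not encrypted
]

if __name__ == "__main__":
    for finding in evaluate_domains(SAMPLE_DOMAIN_STATUS_LIST):
        print(finding)
```

Replace `SAMPLE_DOMAIN_STATUS_LIST` with `fetch_domain_statuses("<region>")` to run the same check against a real account.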

Reference:

Blue Hexagon Proprietary