Severity: High
Description: This control ensures node-to-node encryption is enabled on AWS Elasticsearch Service domains. Node-to-node encryption feature provided by Amazon ES provides an additional layer of security. Node-to-node encryption is not enabled by default on Amazon ES.
Remediation Steps:
Perform following to enable node to node encryption:
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to ES console.
Step 1: To migrate data from one ES to another ES
Register the same manual snapshot repository on both source and destination by referring https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains-snapshots.html#es-managedomains-snapshot-registerdirectory.
Take a manual snapshot of the source Elasticsearch domain by referring https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains-snapshots.html#es-managedomains-snapshot-create.
Restore the snapshot to the destination domain by referring https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains-snapshots.html#es-managedomains-snapshot-restore.
Step 2 : Creating new Elasticsearch Service domain
Click Create a new domain button.
Fill in appropriate settings for the new Elasticsearch Service domain.
In the Encryption, section ensures node-to-node encryption option is checked.
Important:
You cannot enable node-to-node configuration for the existing Elasticsearch Service domain. you need to create a new Elasticsearch Service domain with node-to-node encryption enabled and migrate data from the old domain.
Reference: