AWS Config Rule: Elasticsearch Encrypted at Rest

ELASTICSEARCH_ENCRYPTED_AT_REST

Fernando Honig

Last Update 2 months ago

Description: Checks if Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the EncryptionAtRestOptions field is not enabled.


Trigger type: Periodic


AWS Region: All supported AWS regions except Asia Pacific (Jakarta), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Israel (Tel Aviv), Canada West (Calgary), Europe (Spain), Europe (Zurich) Region


How to Resolve Manually

To resolve this manually, make sure the "Enable encryption of data at rest" option is enabled in the configuration of the Elasticsearch domain.


Encryption at rest secures the indices and automated snapshots associated with the domain.


You can also choose the KMS master key used for the encryption: either the Default AWS/ES key or a CMK you already have stored in AWS KMS.
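To confirm the fix took effect without waiting for the next periodic evaluation, the same check can be reproduced against the domain status. The following is an added example, not StackZone's or AWS's own rule code: it applies the rule's logic to DomainStatus records as returned by the Amazon ES DescribeElasticsearchDomains API. The sample records, domain names and key ARN are constructed, and the function names are hypothetical.

```python
# Added example: mirrors the ELASTICSEARCH_ENCRYPTED_AT_REST logic described above.
# Function names and sample data are illustrative, not part of the managed rule.

def evaluate_domain(status):
    """Return (compliance, detail) for one DomainStatus dict."""
    opts = status.get("EncryptionAtRestOptions") or {}
    # Only an explicit boolean True counts; a missing block or Enabled=False fails.
    if opts.get("Enabled") is True:
        return "COMPLIANT", opts.get("KmsKeyId", "KMS key id not reported")
    return "NON_COMPLIANT", "EncryptionAtRestOptions is not enabled"


def evaluate_all(statuses):
    """Map each domain name to its compliance result."""
    return {s["DomainName"]: evaluate_domain(s)[0] for s in statuses}


def fetch_domain_statuses(region):
    """Fetch live DomainStatus records (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline sample below runs without it

    es = boto3.client("es", region_name=region)
    names = [d["DomainName"] for d in es.list_domain_names()["DomainNames"]]
    statuses = []
    for i in range(0, len(names), 5):  # describe call is batched, 5 names at a time
        resp = es.describe_elasticsearch_domains(DomainNames=names[i:i + 5])
        statuses.extend(resp["DomainStatusList"])
    return statuses


# Constructed sample records (not taken from a real account).
SAMPLE_STATUSES = [
    {"DomainName": "logs-prod",
     "EncryptionAtRestOptions": {
         "Enabled": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"}},
    {"DomainName": "logs-dev",
     "EncryptionAtRestOptions": {"Enabled": False}},
    {"DomainName": "legacy-search"},  # field absent entirely
]

if __name__ == "__main__":
    for status in SAMPLE_STATUSES:  # swap in fetch_domain_statuses("<region>") for live data
        result, detail = evaluate_domain(status)
        print(f"{status['DomainName']:<15} {result:<14} {detail}")
```
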

