AWS Config Rule: OpenSearch Encrypted at Rest

OPENSEARCH_ENCRYPTED_AT_REST

Eduardo Van Cauteren

Last Update 9 months ago

Description: Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the EncryptionAtRestOptions field is not enabled. Note: The rule does not evaluate Elasticsearch domains.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except China (Beijing), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Europe (Spain), China (Ningxia), Europe (Zurich) Region


How to Resolve Manually

This Config rule checks whether an Amazon OpenSearch domain has encryption at rest enabled. The rule is marked as non-compliant if any domain is found with the Encryption at rest option disabled.


To resolve this manually, first go to Amazon OpenSearch Service in your AWS Console. Make sure to select the region where your OpenSearch domain is located.

Once you are there, choose the domain you want to enable encryption for and then enable Encryption at rest from the Security configuration tab. Check the following picture as reference:

Take into account that this rule does not check Elasticsearch domains.
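
To list the domains that need this fix before opening the console, the rule's logic can be reproduced over DescribeDomains output. The following Python is an added example, not StackZone or AWS code; the sample domains are constructed, and telling Elasticsearch domains apart by the EngineVersion prefix is an assumption of the example.

```python
"""Added example: re-create the OPENSEARCH_ENCRYPTED_AT_REST check offline."""

def evaluate_domain(status):
    """Return (domain_name, compliance, reason) for one DomainStatus dict."""
    name = status.get("DomainName", "<unknown>")
    # The rule does not evaluate Elasticsearch domains; this example detects
    # them by the EngineVersion prefix (an assumption of the example).
    if status.get("EngineVersion", "").startswith("Elasticsearch_"):
        return name, "NOT_APPLICABLE", "Elasticsearch domain, out of scope"
    options = status.get("EncryptionAtRestOptions") or {}
    # A missing block and Enabled=False both mean the data is stored unencrypted.
    if options.get("Enabled") is True:
        return name, "COMPLIANT", "KMS key: " + options.get("KmsKeyId", "<not reported>")
    return name, "NON_COMPLIANT", "EncryptionAtRestOptions is not enabled"

def audit(domain_status_list):
    """Evaluate every domain in a DescribeDomains-style DomainStatusList."""
    return [evaluate_domain(s) for s in domain_status_list]

def fetch_domain_status(region):
    """Live lookup; needs boto3 and AWS credentials. Not used by the sample run."""
    import boto3
    client = boto3.client("opensearch", region_name=region)
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    statuses = []
    for i in range(0, len(names), 5):  # query the domains in batches of five
        batch = client.describe_domains(DomainNames=names[i:i + 5])
        statuses += batch["DomainStatusList"]
    return statuses

# Constructed sample data shaped like DescribeDomains output (not real domains).
SAMPLE = [
    {"DomainName": "logs-prod", "EngineVersion": "OpenSearch_2.11",
     "EncryptionAtRestOptions": {
         "Enabled": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}},
    {"DomainName": "search-dev", "EngineVersion": "OpenSearch_1.3",
     "EncryptionAtRestOptions": {"Enabled": False}},
    {"DomainName": "metrics-old", "EngineVersion": "OpenSearch_1.0"},
    {"DomainName": "legacy-es", "EngineVersion": "Elasticsearch_7.10",
     "EncryptionAtRestOptions": {"Enabled": False}},
]

if __name__ == "__main__":
    for name, compliance, reason in audit(SAMPLE):
        print(f"{name:12} {compliance:15} {reason}")
```

To run it against a real account, pass the result of `fetch_domain_status("<region>")` to `audit()` for each region where you have domains.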

