Ensure that encryption of data at rest is enabled on Elasticsearch domains

The encryption of data at rest is a security feature that helps prevent unauthorized access to your data. When the feature is enabled, it encrypts sensitive information on your Elasticsearch domains and their storage systems such as Indices, Elasticsearch Logs, Swap files, automated snapshots and all other data in the application directory. The ElasticSearch at-rest encryption feature uses AWS KMS service to store and manage the encryption keys.

Risk Level: High
Cloud Entity: Amazon ElasticSearch service
CloudGuard Rule ID: D9.AWS.CRY.45
Category: Analytics


ElasticSearchDomain should have encryptionAtRestOptions.enabled=true


From Portal
By default, data at rest encryption is not enabled for Amazon OpenSearch Service domains, and you can't enable encryption for existing domains. To enable the encryption feature, you must create another domain and migrate your data. Encryption of data at rest requires Elasticsearch 5.1 or later.

  1. Sign in to your AWS Console and select the Amazon OpenSearch Service.
  2. Select Create a new domain.
  3. Under Deployment type, go to 'Version' and select ElasticSearch version from dropdown list.
  4. Under 'Encryption' section, select the checkmark 'Enable encryption of data at rest'
  5. Continue configure your cluster for other settings and click on Create.

Note: Follow 'References' section for detailed guidelines for creating a new domain.

From TF

resource "aws_elasticsearch_domain" "test" {
	domain_name           = "example"
	elasticsearch_version = "1.5"
	+ encrypt_at_rest {
		+     enabled = true
	+ }

From Command Line

aws es create-elasticsearch-domain --region us-east-1 --domain-name NEW_DOMAIN_NAME --elasticsearch-version VERSION_VALUE --elasticsearch-cluster-config InstanceType=EXAMPLE_INSTANCE_TYPE,InstanceCount=VALUE --ebs-options EBSEnabled=TRUE/FALSE,VolumeType=VALUE,VolumeSize=VALUE --access-policies file://domain_policy.json --vpc-options SubnetIds=SUBNET_ID,SecurityGroupIds=SG_ID --encryption-at-rest-options Enabled=TRUE,KmsKeyId=KMS_KEY


  1. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomains
  2. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html
  3. https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html

Amazon ElasticSearch service

Amazon Elasticsearch Service is a fully managed service that makes it easy for you to deploy, secure, and run Elasticsearch cost effectively at scale. You can build, monitor, and troubleshoot your applications using the tools you love, at the scale you need. The service provides support for open source Elasticsearch APIs, managed Kibana, integration with Logstash and other AWS services, and built-in alerting and SQL querying. Amazon Elasticsearch Service lets you pay only for what you use ��� there are no upfront costs or usage requirements. With Amazon Elasticsearch Service, you get the ELK stack you need, without the operational ov

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5