Skip to main content

More Info:

ElasticSearch domains should be encrypted with KMS. ElasticSearch domains should be encrypted to ensure data at rest is secured.

Risk Level

High

Address

Security

Compliance Standards

HIPAA, GDPR, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the ElasticSearch Domains Should Be Encrypted misconfiguration in AWS using the AWS console, follow these steps:
  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon ElasticSearch Service.
  3. Select the Elasticsearch domain you want to remediate.
  4. Click on the “Edit” button in the “Encryption” section.
  5. Select the “Encrypt” option.
  6. Choose the KMS key that you want to use for encryption.
  7. Click on the “Save” button to apply the changes.
Once you have completed these steps, the ElasticSearch domain will be encrypted using the KMS key that you selected, and the misconfiguration will be remediated.

To remediate ElasticSearch domains that are not encrypted in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI and navigate to the AWS Elasticsearch service.
  2. Check the status of your Elasticsearch domains by running the following command: 
aws es list-domain-names
  1. Identify the domain that needs to be encrypted and run the following command to update the domain configuration:
aws es update-elasticsearch-domain-config --domain-name <domain-name> --encryption-at-rest-options Enabled=true
This will enable encryption at rest for the Elasticsearch domain.
  1. Verify that the domain is now encrypted by running the following command:
aws es describe-elasticsearch-domain --domain-name <domain-name> | grep EncryptionAtRestOptions
This should return a response that includes the following:
"EncryptionAtRestOptions": {
    "Enabled": true
}
This confirms that the domain is now encrypted at rest.
  1. Repeat these steps for any other Elasticsearch domains that need to be encrypted.
Note: It is important to ensure that all Elasticsearch domains are encrypted to protect sensitive data.
To remediate the ElasticSearch Domains Should Be Encrypted misconfiguration for AWS using Python, you can follow the below steps:
  1. Install the AWS SDK for Python (Boto3) using pip:
pip install boto3
  1. Import the necessary libraries:
import boto3
from botocore.exceptions import ClientError
  1. Set up the AWS credentials:
aws_access_key_id = 'YOUR_AWS_ACCESS_KEY_ID'
aws_secret_access_key = 'YOUR_AWS_SECRET_ACCESS_KEY'
region_name = 'YOUR_AWS_REGION_NAME'
  1. Create an AWS ElasticSearch client:
es_client = boto3.client('es', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=region_name)
  1. Get a list of all ElasticSearch domains:
response = es_client.list_domain_names()
domain_names = [domain['DomainName'] for domain in response['DomainNames']]
  1. For each domain, check if it is encrypted:
for domain_name in domain_names:
    try:
        response = es_client.describe_elasticsearch_domain(DomainName=domain_name)
        encryption_at_rest_options = response['DomainStatus']['EncryptionAtRestOptions']
        if not encryption_at_rest_options['Enabled']:
            # Enable encryption
            es_client.update_elasticsearch_domain_config(DomainName=domain_name, EncryptionAtRestOptions={'Enabled': True})
            print(f"ElasticSearch domain {domain_name} has been encrypted.")
    except ClientError as e:
        print(f"Error checking encryption for ElasticSearch domain {domain_name}: {e}")
  1. Run the Python script to remediate the misconfiguration.
Note: Make sure to replace the placeholders YOUR_AWS_ACCESS_KEY_ID, YOUR_AWS_SECRET_ACCESS_KEY, and YOUR_AWS_REGION_NAME with your AWS credentials and region name.

Additional Reading:

I