More Info:

Your Amazon Elasticsearch (ES) domains should be encrypted with KMS Customer Master Keys (CMKs) instead of AWS-managed keys.

Risk Level

High

Address

Security

Compliance Standards

HIPAA

Triage and Remediation

Remediation

Using Console

Follow these steps to encrypt an Elasticsearch domain with a KMS CMK on AWS:
  1. Login to your AWS console and navigate to the Elasticsearch service.
  2. Select the Elasticsearch domain that needs to be remediated.
  3. Click on the “Configure” button in the “Security” section.
  4. In the “Encryption” section, select the “KMS” option.
  5. Select the appropriate KMS CMK from the list of available keys. If you don’t have a KMS CMK, you can create one by clicking the “Create a new key” button.
  6. Once you have selected the KMS CMK, click the “Save changes” button to apply the encryption.
  7. Wait for the changes to take effect. This may take a few minutes.
  8. Verify that the Elasticsearch domain is now encrypted with the selected KMS CMK. You can do this by checking the “Encryption” section in the Elasticsearch domain’s configuration.
The Elasticsearch domain is now encrypted with the selected KMS CMK.

Using CLI

To remediate the Elasticsearch domain misconfiguration in AWS using the AWS CLI, follow these steps:
  1. Identify the Elasticsearch domain that needs to be encrypted with KMS CMKs.
  2. Create a KMS Customer Master Key (CMK) if you don’t already have one.
  3. Enable AWS Key Management Service (KMS) encryption for the Elasticsearch domain using the following command:
aws es update-elasticsearch-domain-config --domain-name <your-domain-name> --encryption-at-rest-options Enabled=true,KmsKeyId=<your-KMS-CMK-ARN>
Replace <your-domain-name> with the name of your Elasticsearch domain and <your-KMS-CMK-ARN> with the ARN of the KMS CMK you want to use for encryption.
  4. Verify that the Elasticsearch domain is encrypted with KMS CMKs by running the following command:
aws es describe-elasticsearch-domain --domain-name <your-domain-name> --query 'DomainStatus.EncryptionAtRestOptions'
The output contains the Enabled and KmsKeyId fields. If Enabled is true and KmsKeyId is the CMK you specified, the Elasticsearch domain is encrypted with the KMS CMK.
  5. Repeat the above steps for all Elasticsearch domains that need to be encrypted with KMS CMKs.
Note: Enabling KMS encryption for an Elasticsearch domain may cause a temporary outage as the domain is reconfigured. It is recommended to perform this during a maintenance window.

Using Python

To remediate the “Elasticsearch domain should be encrypted with KMS CMKs” misconfiguration on AWS using Python, follow the steps below:
  1. First, identify the Elasticsearch domain that is not encrypted with KMS CMKs. You can use the following AWS CLI command to get the list of Elasticsearch domains:
aws es list-domain-names
  2. Once you have identified the Elasticsearch domain, enable encryption using KMS CMKs. You can use the following AWS CLI command to enable encryption:
aws es update-elasticsearch-domain-config --domain-name <domain-name> --encryption-at-rest-options Enabled=true,KmsKeyId=<kms-key-id>
Replace <domain-name> with the name of your Elasticsearch domain and <kms-key-id> with the ID of the KMS CMK that you want to use for encryption.
  3. Verify that the Elasticsearch domain is encrypted with KMS CMKs. You can use the following AWS CLI command to get the Elasticsearch domain configuration:
aws es describe-elasticsearch-domain --domain-name <domain-name>
This command returns the Elasticsearch domain configuration, which should include the EncryptionAtRestOptions parameter with the value Enabled=true and KmsKeyId=<kms-key-id>.
  4. Finally, you can confirm that the Elasticsearch domain is encrypted with KMS CMKs by checking the AWS KMS console. The KMS CMK that you specified in step 2 should have been used to encrypt the Elasticsearch domain.
Note: You can use the AWS SDK for Python (Boto3) to automate these steps.
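
One way to automate the identification and verification steps with Boto3-style clients, as an added example that is not code from the original page. Because Enabled=true alone does not show which kind of key is in use, it reads KeyMetadata.KeyManager from kms:DescribeKey to tell a CMK from the AWS-managed key. The stub clients, domain names, key ARNs and finding labels are constructed for the example.

```python
"""Added example: check which kind of KMS key encrypts each Elasticsearch domain."""
PREFIX = "arn:aws:kms:us-east-1:111122223333:key/"  # constructed account and region

def classify(enc_opts, key_manager):
    """enc_opts: DomainStatus.EncryptionAtRestOptions; key_manager: KeyMetadata.KeyManager."""
    if not (enc_opts or {}).get("Enabled"):
        return "NOT_ENCRYPTED"
    # kms:DescribeKey reports KeyManager "CUSTOMER" for a CMK and "AWS" for aws/es.
    return {"CUSTOMER": "CMK", "AWS": "AWS_MANAGED_KEY"}.get(key_manager, "KEY_UNKNOWN")

def audit(es, kms):
    """Return {domain name: finding} using boto3-style "es" and "kms" clients."""
    findings = {}
    for entry in es.list_domain_names()["DomainNames"]:
        name = entry["DomainName"]
        status = es.describe_elasticsearch_domain(DomainName=name)["DomainStatus"]
        opts = status.get("EncryptionAtRestOptions") or {}
        manager = None
        if opts.get("Enabled") and opts.get("KmsKeyId"):
            try:
                manager = kms.describe_key(KeyId=opts["KmsKeyId"])["KeyMetadata"]["KeyManager"]
            except Exception:  # lookup denied or key not visible: report, do not guess
                manager = None
        findings[name] = classify(opts, manager)
    return findings

class StubES:  # constructed responses shaped like the boto3 "es" client's
    domains = {
        "logs-prod": {"Enabled": True, "KmsKeyId": PREFIX + "EXAMPLE-cmk"},
        "logs-dev": {"Enabled": True, "KmsKeyId": PREFIX + "EXAMPLE-aws-managed"},
        "shared": {"Enabled": True, "KmsKeyId": PREFIX + "EXAMPLE-no-access"},
        "legacy": {"Enabled": False},
    }
    def list_domain_names(self):
        return {"DomainNames": [{"DomainName": n} for n in self.domains]}
    def describe_elasticsearch_domain(self, DomainName):
        return {"DomainStatus": {"EncryptionAtRestOptions": self.domains[DomainName]}}

class StubKMS:  # constructed stand-in for the boto3 "kms" client
    def describe_key(self, KeyId):
        if KeyId.endswith("no-access"):
            raise PermissionError("AccessDenied (constructed)")
        manager = "AWS" if KeyId.endswith("aws-managed") else "CUSTOMER"
        return {"KeyMetadata": {"KeyManager": manager}}

if __name__ == "__main__":
    # Live use instead of the stubs: audit(boto3.client("es"), boto3.client("kms"))
    for name, finding in audit(StubES(), StubKMS()).items():
        print(f"{finding:16} {name}")
```

Domains reported as AWS_MANAGED_KEY or NOT_ENCRYPTED are the ones this check flags; KEY_UNKNOWN means the key could not be inspected and needs a manual look.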
