More Info:

This rule checks whether node-to-node encryption is enabled on Amazon OpenSearch Service domains. Node-to-node encryption encrypts the traffic between the nodes of an OpenSearch domain, protecting data in transit inside the cluster. The rule is marked as non-compliant if node-to-node encryption is not enabled on the domain.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of Node-to-Node Encryption not being enabled on an AWS OpenSearch Service domain, you can follow these step-by-step instructions using the AWS Management Console:
  1. Navigate to AWS OpenSearch Service Console:
    • Go to the AWS Management Console (https://console.aws.amazon.com/)
    • In the “Find services” search bar, type “OpenSearch Service” and select it from the dropdown.
  2. Select the OpenSearch Service Domain:
    • From the list of OpenSearch Service domains, select the domain for which you want to enable Node-to-Node Encryption.
  3. Enable Node-to-Node Encryption:
    • In the domain dashboard, click on the domain name to go to the domain details page.
    • In the left-hand navigation pane, click on the “Configure domain” tab.
  4. Edit the Security Configuration:
    • Scroll down to the “Security” section and click on the “Edit” button next to the “Node-to-Node Encryption” setting.
  5. Enable Node-to-Node Encryption:
    • Toggle the switch to enable Node-to-Node Encryption.
    • You may also have the option to provide a custom encryption key or use the default AWS managed key.
  6. Save Changes:
    • Once you have enabled Node-to-Node Encryption, click on the “Save changes” button to apply the configuration.
  7. Verify Node-to-Node Encryption:
    • To ensure that Node-to-Node Encryption is successfully enabled, you can check the domain status or perform a test query to confirm the encryption is in place.
  8. Monitor the Domain:
    • After enabling Node-to-Node Encryption, monitor the domain for any issues and ensure that all nodes are communicating securely.
By following these steps, you can successfully remediate the misconfiguration of Node-to-Node Encryption not being enabled on an AWS OpenSearch Service domain using the AWS Management Console.

To remediate Node-to-Node Encryption not being enabled on an AWS OpenSearch Service domain using the AWS CLI, follow these steps:
  1. Enable Node-to-Node Encryption: Run the following AWS CLI command to enable Node-to-Node encryption for your OpenSearch Service domain (the OpenSearch Service command group is opensearch; the legacy es group only offers update-elasticsearch-domain-config):
    aws opensearch update-domain-config --domain-name YOUR_DOMAIN_NAME --node-to-node-encryption-options Enabled=true
    
    Replace YOUR_DOMAIN_NAME with the name of your OpenSearch Service domain.
  2. Verify Node-to-Node Encryption: Verify that Node-to-Node encryption is enabled for your OpenSearch Service domain by describing the domain configuration:
    aws opensearch describe-domain-config --domain-name YOUR_DOMAIN_NAME
    
    Ensure that NodeToNodeEncryptionOptions in the output shows "Options": {"Enabled": true}; its Status block reports whether the change is still being applied.
  3. Monitor the Configuration: Monitor the OpenSearch Service domain for any issues after enabling Node-to-Node encryption to ensure that the domain continues to function properly.
By following these steps, you can successfully remediate Node-to-Node Encryption not being enabled on an AWS OpenSearch Service domain using the AWS CLI.
To remediate Node-to-Node Encryption not being enabled on AWS OpenSearch Service domains using Python, use the AWS SDK for Python (Boto3) to update the domain configuration. Follow these steps:
  1. Install Boto3: Ensure Boto3 is installed in your Python environment. You can install it using pip:
    pip install boto3
  2. Update the OpenSearch Domain Configuration: Create a Python script with the following code to enable Node-to-Node Encryption on the domain. It uses the OpenSearch Service client (boto3.client('opensearch')) and update_domain_config, which work for both OpenSearch and legacy Elasticsearch engine domains; the older 'es' client and update_elasticsearch_domain_config only cover Elasticsearch engine domains:
    import boto3

    def update_opensearch_domain_config(domain_name):
        # OpenSearch Service API client; region and credentials come from the
        # standard boto3 configuration (environment, shared config or IAM role).
        client = boto3.client('opensearch')

        response = client.update_domain_config(
            DomainName=domain_name,
            NodeToNodeEncryptionOptions={
                'Enabled': True
            }
        )

        # The response echoes the requested option; the change itself is applied
        # asynchronously and cannot be reverted once node-to-node encryption is on.
        enabled = response['DomainConfig']['NodeToNodeEncryptionOptions']['Options']['Enabled']
        print(f"Node-to-Node Encryption requested for OpenSearch domain {domain_name}: Enabled={enabled}")
        return response

    # Replace 'your-opensearch-domain-name' with the actual OpenSearch domain name
    update_opensearch_domain_config('your-opensearch-domain-name')
  3. Configure AWS Credentials: Ensure that your AWS credentials are properly configured, either through environment variables, the AWS CLI configuration, or IAM roles.
  4. Run the Python Script: Execute the Python script you created in step 2. It updates the specified OpenSearch domain configuration to enable Node-to-Node Encryption.
After running the script, Node-to-Node Encryption should be enabled for the specified AWS OpenSearch Service domain.
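The CLI and Python steps above each enable the setting on one named domain and leave verification to the reader. The following added example (not code from the original page or from AWS) combines the two halves the rule implies: a detection pass that reads the DescribeDomainConfig response for every domain and a remediation call that is idempotent and supports a dry run. The response shape (DomainConfig.NodeToNodeEncryptionOptions.Options.Enabled) and the boto3 calls describe_domain_config, update_domain_config and list_domain_names are the real OpenSearch Service API; the domain names and responses in SAMPLE_DOMAIN_CONFIGS, the OfflineClient stand-in and the dry_run flag are constructed for offline demonstration and are not the service's own DryRun parameter. Two caveats a practitioner should know before running this against real domains: AWS applies the change as a blue/green deployment, and node-to-node encryption cannot be disabled again once enabled.

```python
"""Audit and remediate node-to-node encryption on Amazon OpenSearch Service domains.

Added example; domain names and responses in SAMPLE_DOMAIN_CONFIGS are constructed.
"""
from typing import Dict, Iterable, List


def node_to_node_encryption_enabled(domain_config: dict) -> bool:
    """Return True only if a DescribeDomainConfig response reports the option enabled.

    Shape: {"DomainConfig": {"NodeToNodeEncryptionOptions":
            {"Options": {"Enabled": bool}, "Status": {...}}}}
    Any missing level counts as "not enabled", so the check fails closed.
    """
    options = (domain_config.get("DomainConfig", {})
               .get("NodeToNodeEncryptionOptions", {})
               .get("Options", {}))
    return options.get("Enabled") is True


def find_non_compliant_domains(client, domain_names: Iterable[str]) -> List[str]:
    """Detection: the domains whose node-to-node encryption is not enabled."""
    return [name for name in domain_names
            if not node_to_node_encryption_enabled(
                client.describe_domain_config(DomainName=name))]


def enable_node_to_node_encryption(client, domain_name: str, dry_run: bool = False) -> str:
    """Remediation: enable node-to-node encryption if it is off. Idempotent.

    Returns "already-enabled", "would-enable" (dry run) or "enabled".
    AWS applies the change as a blue/green deployment and does not allow the
    option to be turned off again afterwards, hence the explicit dry-run path.
    """
    if node_to_node_encryption_enabled(client.describe_domain_config(DomainName=domain_name)):
        return "already-enabled"
    if dry_run:
        return "would-enable"
    client.update_domain_config(
        DomainName=domain_name,
        NodeToNodeEncryptionOptions={"Enabled": True},
    )
    return "enabled"


# Constructed sample responses (not real domains) in DescribeDomainConfig shape.
SAMPLE_DOMAIN_CONFIGS: Dict[str, dict] = {
    "logs-prod": {"DomainConfig": {"NodeToNodeEncryptionOptions": {
        "Options": {"Enabled": True}, "Status": {"State": "Active"}}}},
    "search-dev": {"DomainConfig": {"NodeToNodeEncryptionOptions": {
        "Options": {"Enabled": False}, "Status": {"State": "Active"}}}},
    "legacy-es": {"DomainConfig": {}},  # option block absent: treated as not enabled
}


class OfflineClient:
    """Stand-in for boto3.client("opensearch") that replays SAMPLE_DOMAIN_CONFIGS
    and records update calls, so the logic above runs without AWS access."""

    def __init__(self, configs: Dict[str, dict]):
        self.configs = dict(configs)
        self.updates: List[dict] = []

    def describe_domain_config(self, DomainName: str) -> dict:
        return self.configs[DomainName]

    def update_domain_config(self, DomainName: str, **kwargs) -> dict:
        self.updates.append({"DomainName": DomainName, **kwargs})
        # Like the real service, the new option is visible in later describe calls.
        self.configs[DomainName] = {"DomainConfig": {"NodeToNodeEncryptionOptions": {
            "Options": kwargs["NodeToNodeEncryptionOptions"],
            "Status": {"State": "Processing"}}}}
        return {"DomainConfig": self.configs[DomainName]["DomainConfig"]}


def main() -> None:
    """Use the real service when boto3 and credentials are available, else replay samples."""
    try:
        import boto3  # imported lazily so the module also loads without boto3
        client = boto3.client("opensearch")
        names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    except Exception:  # missing module, region or credentials: fall back to samples
        client, names = OfflineClient(SAMPLE_DOMAIN_CONFIGS), list(SAMPLE_DOMAIN_CONFIGS)
    for name in find_non_compliant_domains(client, names):
        print(f"{name}: {enable_node_to_node_encryption(client, name, dry_run=True)}")


if __name__ == "__main__":
    main()
```

Run it with dry_run=True first to see which domains the rule would flag; switch to dry_run=False only for domains you are prepared to take through a blue/green deployment, since the setting is one-way.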