enable-domain-encryption
Explanation
You should ensure your Elasticsearch data is encrypted at rest to help prevent sensitive information from being read by unauthorised users.
Possible Impact
Data will be readable if compromised
Suggested Resolution
Enable ElasticSearch domain encryption
Insecure Example
The following example will fail the aws-elastic-service-enable-domain-encryption check.
resource "aws_elasticsearch_domain" "bad_example" {
domain_name = "domain-foo"
encrypt_at_rest {
enabled = false
}
}
Secure Example
The following example will pass the aws-elastic-service-enable-domain-encryption check.
resource "aws_elasticsearch_domain" "good_example" {
domain_name = "domain-foo"
encrypt_at_rest {
enabled = true
}
}