enable-in-transit-encryption
Default Severity: high
Explanation
Traffic flowing between Elasticsearch nodes should be encrypted to ensure sensitive data is kept private.
Possible Impact
In transit data between nodes could be read if intercepted
Suggested Resolution
Enable encrypted node to node communication
Insecure Example
The following example will fail the aws-elastic-search-enable-in-transit-encryption check.
resource "aws_elasticsearch_domain" "bad_example" {
domain_name = "domain-foo"
node_to_node_encryption {
enabled = false
}
}
Secure Example
The following example will pass the aws-elastic-search-enable-in-transit-encryption check.
resource "aws_elasticsearch_domain" "good_example" {
domain_name = "domain-foo"
node_to_node_encryption {
enabled = true
}
}