Elasticsearch domain isn't encrypted at rest.

Default Severity: high

Explanation

You should ensure your Elasticsearch data is encrypted at rest to help prevent sensitive information from being read by unauthorised users.

Possible Impact

Data will be readable if compromised

Suggested Resolution

Enable Elasticsearch domain encryption

Insecure Example

The following example will fail the aws-elastic-search-enable-domain-encryption check.

 resource "aws_elasticsearch_domain" "bad_example" {
   domain_name = "domain-foo"

   encrypt_at_rest {
     # Encryption at rest is explicitly disabled, so the check fails.
     enabled = false
   }
 }

Secure Example

The following example will pass the aws-elastic-search-enable-domain-encryption check.

 resource "aws_elasticsearch_domain" "good_example" {
   domain_name = "domain-foo"

   encrypt_at_rest {
     # Encryption at rest is enabled, so the check passes.
     enabled = true
   }
 }