Control: 3 Amazon Elasticsearch Service domains should encrypt data sent between nodes
Description
This control checks whether Amazon ES domains have node-to-node encryption enabled.
HTTPS (TLS) can be used to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. Only encrypted connections over HTTPS (TLS) should be allowed. Enabling node-to-node encryption for Amazon ES domains ensures that intra-cluster communications are encrypted in transit.
There can be a performance penalty associated with this configuration. You should be aware of and test the performance trade-off before enabling this option.
Remediation
Node-to-node encryption can only be enabled on a new domain. To remediate this finding, first Create a new domain with the Node-to-node encryption check box selected. Then follow Using a snapshot to migrate data to migrate your data to the new domain.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_es_3Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_es_3 --shareSQL
This control uses a named query:
select arn as resource, case when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then 'skip' when not enabled then 'alarm' else 'ok' end as status, case when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then title || ' node-to-node encryption not supported in ' || region || '.' when not enabled then title || ' node-to-node encryption disabled.' else title || ' node-to-node encryption enabled.' end as reason , region, account_idfrom aws_elasticsearch_domain;