🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: OpenSearch domains node-to-node encryption should be enabled

Description

This control checks if AWS OpenSearch Service nodes are encrypted end to end. The rule is non-compliant if the node-to-node encryption is not enabled on the domain.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.opensearch_domain_node_to_node_encryption_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.opensearch_domain_node_to_node_encryption_enabled --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then 'skip'
    when node_to_node_encryption_options_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then title || ' node-to-node encryption not supported in ' || region || '.'
    when node_to_node_encryption_options_enabled then title || ' node-to-node encryption enabled.'
    else title || ' node-to-node encryption disabled.'
  end as reason
  
  , region, account_id
from
  aws_opensearch_domain;

Tags

category = Compliance
gxp_21_cfr_part_11 = true
gxp_eu_annex_11 = true
hipaa_final_omnibus_security_rule_2013 = true
hipaa_security_rule_2003 = true
nist_800_171_rev_2 = true
nist_csf = true
nydfs_23 = true
plugin = aws
service = AWS/OpenSearch