Elasticsearch Domain Should Be Encrypted with KMS CMKs

More Info:

Your Amazon ElasticSearch (ES) domains should be encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed-keys

Risk Level

High

Address

Security

Compliance Standards

HIPAA

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the Elasticsearch Domain misconfiguration in AWS using AWS CLI, you can follow these steps:

Identify the Elasticsearch domain that needs to be encrypted with KMS CMKs.
Create a KMS Customer Master Key (CMK) if you don’t already have one.
Enable AWS Key Management Service (KMS) encryption for the Elasticsearch domain using the following command:

aws es update-elasticsearch-domain-config --domain-name <your-domain-name> --encryption-at-rest-options Enabled=true,KmsKeyId=<your-KMS-CMK-ARN>

Replace <your-domain-name> with the name of your Elasticsearch domain and <your-KMS-CMK-ARN> with the ARN of the KMS CMK you want to use for encryption.

Verify that the Elasticsearch domain is encrypted with KMS CMKs by running the following command:

aws es describe-elasticsearch-domain --domain-name <your-domain-name> --query 'DomainStatus.EncryptionAtRestOptions.Status'

If the output is ENABLED, it means that the Elasticsearch domain is encrypted with KMS CMKs.

Repeat the above steps for all Elasticsearch domains that need to be encrypted with KMS CMKs.

Note: Enabling KMS encryption for an Elasticsearch domain may cause a temporary outage as the domain is reconfigured. It is recommended to perform this during a maintenance window.

Using Python

To remediate the Elasticsearch Domain should be encrypted with KMS CMKs misconfiguration for AWS using python, you can follow the below steps:

First, you need to identify the Elasticsearch Domain that is not encrypted with KMS CMKs. You can use the following AWS CLI command to get the list of Elasticsearch domains:

aws es list-domain-names

Once you have identified the Elasticsearch Domain, you need to enable encryption using KMS CMKs. You can use the following AWS CLI command to enable encryption:

aws es update-elasticsearch-domain-config --domain-name <domain-name> --encryption-at-rest-options Enabled=true,KmsKeyId=<kms-key-id>

Replace <domain-name> with the name of your Elasticsearch Domain and <kms-key-id> with the ID of the KMS CMK that you want to use for encryption.

Verify that the Elasticsearch Domain is encrypted with KMS CMKs. You can use the following AWS CLI command to get the Elasticsearch Domain configuration:

aws es describe-elasticsearch-domain --domain-name <domain-name>

This command will return the Elasticsearch Domain configuration, which should include the EncryptionAtRestOptions parameter with the value Enabled=true and KmsKeyId=<kms-key-id>.

Finally, you can confirm that the Elasticsearch Domain is encrypted with KMS CMKs by checking the AWS KMS console. The KMS CMK that you specified in step 2 should have been used to encrypt the Elasticsearch Domain.

Note: You can use the AWS SDK for Python (Boto3) to automate these steps.

Additional Reading:

https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Elasticsearch Domain Should Be Encrypted with KMS CMKs

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: