ElasticSearch Domains Should Be Encrypted
ElasticSearch domains should be encrypted with KMS. ElasticSearch domains should be encrypted to ensure data at rest is secured.
ElasticSearch domains should be encrypted with KMS. ElasticSearch domains should be encrypted to ensure data at rest is secured.
ElasticSearch domains are configured to enforce HTTPS connections. ElasticSearch domains should be configured to enforce HTTPS connections for all clients to ensure encryption of data in transit.
ElasticSearch domains should be configured to log data to CloudWatch. ElasticSearch domains should be configured with logging enabled with logs sent to CloudWatch for analysis and long-term storage.
ElasticSearch domain traffic should be encrypted in transit between nodes. ElasticSearch domains should use node-to-node encryption to ensure data in transit remains encrypted using TLS 1.2.
ElasticSearch domains should be created with private VPC endpoint options. ElasticSearch domains can either be created with a public endpoint or with a VPC configuration that enables internal VPC communication. Domains should be created without a public endpoint to prevent potential public access to the domain.
ElasticSearch domains should be running the latest service software. ElasticSearch domains should be configured to run the latest service software which often contains security updates.
AWS ElasticSearch (ES) clusters should be healthy, i.e. they all have shard allocation status set to "Green"
Your Amazon ElasticSearch (ES) domains should be encrypted with KMS Customer Master Keys (CMKs) instead of AWS managed-keys
Scale up any Amazon ElasticSearch (ES) clusters that appear to run low on disk space to help mitigate any issues.
The access to your Elasticsearch Service (ES) domains should be made based on whitelisted IP addresses only in order to protect them against unauthorized access
All your Elasticsearch Service (ES) clusters should be configured to allow access only to trusted AWS users and accounts in order to protect against unauthorized cross account access
Your AWS Elasticsearch Service (ES) clusters should be using dedicated master nodes to improve their environmental stability by offloading all the management tasks from the cluster data nodes.
Determine if the Elasticsearch (ES) instances provisioned in your AWS account have the desired instance type established by your organization based on the workload deployed.
AWS Elasticsearch domains should not be publicly accessible their access policy should be updated in order to stop any unsigned requests made to these resources
Your Amazon Elasticsearch (ES) clusters should be using General Purpose SSD (gp2) data nodes instead of Provisioned IOPS SSD (io1) nodes for cost-effective storage that fits a broad range of workloads
The number of Amazon Elasticsearch cluster instances provisioned in your AWS account should not have reached the limit quota established by your organization
Your AWS Elasticsearch Reserved Instances (RIs) should be renewed before expiration in order to get a significant discount on the hourly charges.
Your AWS Elasticsearch Reserved Instances (RIs) should be renewed before expiration in order to get a significant discount on the hourly charges.
Your AWS Account should not have any failed Amazon Elasticsearch (ES) Reserved Instances.
Identify any pending Amazon Elasticsearch (ES) Reserved Instances available in your AWS account and solve these incomplete ES reservations by requesting AWS Support to retry the necessary payments
All active Amazon Elasticsearch (ES) Reserved Instance purchases should be reviewed every 7 days to make sure that no unwanted RI purchase has been placed recently.
AWS Elasticsearch (ES) cross-zone replication (Zone Awareness) should be enabled to increase the availability of your ES clusters
Amazon Elasticsearch (ES) clusters should not appear to be idle. Such idle clusters should be removed from your account to help lower the cost of your monthly AWS bill.
If you are not yet convinced to sign up with Cloudanix, that's not a problem. We recommend you use a comprehensive checklist which your team can use to perform a manual assessment of your workload.