Enable Encryption at Rest for OpenSearch Domains

Ensures that OpenSearch domains have encryption at rest enabled, using AWS KMS and AES-256 to secure sensitive data.

Rule: OpenSearch domains should have encryption at rest enabled
Framework: AWS Foundational Security Best Practices
Severity: Medium

OpenSearch domain encryption at rest for AWS Foundational Security Best Practices

Description:

Enabling encryption at rest for OpenSearch domains is essential for ensuring data security and compliance with AWS foundational security best practices. This ensures that data stored in the OpenSearch domain is protected from unauthorized access at rest.

Troubleshooting Steps:

If encryption at rest is not enabled for the OpenSearch domain, follow these troubleshooting steps:

  1. Check the current configuration of the OpenSearch domain to verify if encryption at rest is enabled.
  2. If encryption at rest is not enabled, proceed with the remediation steps outlined below.

Remediation:

To enable encryption at rest for an OpenSearch domain, follow this step-by-step guide:

  1. Navigate to the AWS Management Console and open the Amazon OpenSearch Service.
  2. Select the OpenSearch domain for which you want to enable encryption at rest.
  3. Click on the "Modify domain" button to make changes to the domain configuration.
  4. Scroll down to the "Data nodes" section.
  5. Enable the "Encrypt data at rest" option.
  6. Choose an existing AWS KMS key or create a new one to use for encryption.
  7. Click on the "Submit" button to save the changes.

By following these steps, you can ensure that encryption at rest is enabled for your OpenSearch domain, improving data security and aligning with AWS foundational security best practices.
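
The configuration check from the troubleshooting steps, as an added Python example (not part of the original page): it reads the `EncryptionAtRestOptions` field of each domain as returned by the OpenSearch Service DescribeDomains API and reports which domains fail the rule. The sample response is constructed, and the split between "modify domain" and "new domain required" is based on AWS's documented requirement that enabling encryption on an existing domain needs OpenSearch or Elasticsearch 6.7 or later.

```python
import json

# Constructed sample in the shape of a DescribeDomains response;
# domain names, account id and key id are made up.
SAMPLE = json.loads("""
{"DomainStatusList": [
  {"DomainName": "logs-prod", "EngineVersion": "OpenSearch_2.11",
   "EncryptionAtRestOptions": {"Enabled": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
  {"DomainName": "search-dev", "EngineVersion": "OpenSearch_1.3",
   "EncryptionAtRestOptions": {"Enabled": false}},
  {"DomainName": "legacy-es", "EngineVersion": "Elasticsearch_5.6"}
]}
""")

def can_enable_in_place(engine_version):
    """True if encryption can be turned on by modifying the existing domain."""
    engine, _, version = engine_version.partition("_")
    if engine == "OpenSearch":
        return True
    try:
        major, minor = (int(p) for p in version.split(".")[:2])
    except ValueError:  # unknown or malformed version string
        return False
    return (major, minor) >= (6, 7)  # Elasticsearch 6.7 or later

def audit_domains(domain_status_list):
    """Return (domain, PASS/FAIL, detail) for each DomainStatus record."""
    findings = []
    for d in domain_status_list:
        enc = d.get("EncryptionAtRestOptions") or {}  # a missing block counts as disabled
        if enc.get("Enabled"):
            findings.append((d["DomainName"], "PASS", enc.get("KmsKeyId", "")))
        elif can_enable_in_place(d.get("EngineVersion", "")):
            findings.append((d["DomainName"], "FAIL", "modify domain"))
        else:
            findings.append((d["DomainName"], "FAIL", "new domain required"))
    return findings

def fetch_domain_status(client):
    """Collect DomainStatus records through a boto3 'opensearch' client."""
    names = [n["DomainName"] for n in client.list_domain_names()["DomainNames"]]
    out = []
    for i in range(0, len(names), 5):  # DescribeDomains accepts at most 5 names
        out += client.describe_domains(DomainNames=names[i:i + 5])["DomainStatusList"]
    return out

if __name__ == "__main__":
    for name, status, detail in audit_domains(SAMPLE["DomainStatusList"]):
        print(f"{status:4} {name:12} {detail}")
```

Against a live account, pass `boto3.client("opensearch")` to `fetch_domain_status` and feed the result to `audit_domains`.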
