Ensure OpenSearch Domains are Encrypted at Rest

Checks if OpenSearch domains are configured with encryption at rest to protect sensitive data, ensuring compliance with PCI DSS and NIST standards.

Rule: OpenSearch domains should have encryption at rest enabled
Framework: PCI v3.2.1
Severity: Medium

Rule Description:

Ensuring that OpenSearch domains have encryption at rest enabled is essential for compliance with PCI v3 standards. Encryption at rest helps protect sensitive data stored in the OpenSearch domain from unauthorized access and ensures data security and privacy.

Troubleshooting Steps:

If encryption at rest is not enabled for the OpenSearch domain, follow these steps to troubleshoot and enable it:

  1. Check the current settings of the OpenSearch domain to verify if encryption at rest is enabled.
  2. Update the domain configuration to enable encryption at rest if it is not already enabled.
  3. Verify that the encryption at rest settings are properly applied and working as expected.

Necessary Codes:

If encryption at rest is not enabled, use the following AWS CLI command to update the OpenSearch domain configuration and enable encryption at rest:

aws opensearch update-domain-config --domain-name <domain-name> --encryption-at-rest-options Enabled=true

Replace <domain-name> with the actual name of your OpenSearch domain.

Step-by-Step Guide for Remediation:

  1. Open the AWS CLI or terminal with appropriate access rights.
  2. Run the AWS CLI command mentioned above with the appropriate domain name to enable encryption at rest for the OpenSearch domain.
  3. Monitor the domain configuration changes to ensure that encryption at rest is successfully enabled.
  4. Validate the encryption at rest settings in the OpenSearch domain to confirm that sensitive data is protected in compliance with PCI v3 standards.

By following these steps and using the provided AWS CLI command, you can ensure that encryption at rest is enabled for OpenSearch domains, meeting the security requirements for PCI v3 compliance.
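The check, update and verify steps above can be scripted as a small audit; this is an added example, not code from the original page or from AWS. It assumes the JSON shape returned by `aws opensearch describe-domains`; the domain names, the key ARN and the PENDING verdict are constructed for illustration.

```python
import json
import shlex

# Constructed sample in the shape returned by
# `aws opensearch describe-domains --domain-names ...` (all values made up).
SAMPLE_RESPONSE = json.loads("""
{"DomainStatusList": [
  {"DomainName": "orders-search", "Processing": false,
   "EncryptionAtRestOptions": {"Enabled": true,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
  {"DomainName": "legacy-logs", "Processing": false,
   "EncryptionAtRestOptions": {"Enabled": false}},
  {"DomainName": "cardholder-idx", "Processing": true,
   "EncryptionAtRestOptions": {"Enabled": true}},
  {"DomainName": "old-domain", "Processing": false}
]}
""")


def classify(status):
    """Return COMPLIANT, PENDING or NON_COMPLIANT for one DomainStatus dict."""
    # A missing EncryptionAtRestOptions block is treated as "not encrypted".
    enabled = status.get("EncryptionAtRestOptions", {}).get("Enabled", False)
    if not enabled:
        return "NON_COMPLIANT"
    # Policy chosen for this example: while a configuration change is still in
    # progress, hold the verdict and re-check once Processing is false.
    return "PENDING" if status.get("Processing") else "COMPLIANT"


def remediation_command(domain_name):
    """Build the AWS CLI call that turns on encryption at rest for a domain."""
    return ("aws opensearch update-domain-config "
            f"--domain-name {shlex.quote(domain_name)} "
            "--encryption-at-rest-options Enabled=true")


def audit(response):
    """Map each domain name to (verdict, remediation command or None)."""
    report = {}
    for status in response.get("DomainStatusList", []):
        name = status["DomainName"]
        verdict = classify(status)
        fix = remediation_command(name) if verdict == "NON_COMPLIANT" else None
        report[name] = (verdict, fix)
    return report


if __name__ == "__main__":
    for name, (verdict, fix) in audit(SAMPLE_RESPONSE).items():
        print(f"{name}: {verdict}" + (f"\n  fix: {fix}" if fix else ""))
```

Feed it real data by replacing `SAMPLE_RESPONSE` with the parsed JSON output of `aws opensearch describe-domains`, and re-run it after remediation until no domain is reported as PENDING or NON_COMPLIANT.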
