ES domain encryption at rest should be enabled¶

Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your AWS Elasticsearch Service (AWS ES) domains.

How to fix¶

Attribute encrypt_at_rest[0].enabled of aws_elasticsearch_domain must be true.

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_elasticsearch_domain.

resource "aws_elasticsearch_domain" "this" {
  advanced_security_options {
    enabled                        = true
    internal_user_database_enabled = true

    master_user_options {
      master_user_name     = "admin"
      master_user_password = "ChangeMe123!"
    }
  }

  cognito_options {
    enabled          = true
    identity_pool_id = "us-east-1:12345678-1234-1234-1234-123456789012"
    role_arn         = "arn:aws:iam::123456789012:role/CognitoAccessForAmazonES"
    user_pool_id     = "us-east-1_Example"
  }

  domain_name = "pofix-example"

  log_publishing_options {
    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/elasticsearch/domains/example"
    log_type                 = "AUDIT_LOGS"
  }

  vpc_options {
    subnet_ids = ["subnet-12345abc"]
  }

  encrypt_at_rest {
    enabled = true
  }
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: es_domain_encryption_at_rest_enabled

• AWS Config Managed Rule: ELASTICSEARCH_ENCRYPTED_AT_REST

• Checkov Check: CKV_AWS_5

• Powerpipe Controls: aws_compliance.control.es_domain_encryption_at_rest_enabled, aws_compliance.control.opensearch_domain_encryption_at_rest_enabled