Elasticsearch domain node-to-node encryption should be enabled¶

Ensure node-to-node encryption for AWS Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the AWS Virtual Private Cloud (AWS VPC).

How to fix¶

Attribute node_to_node_encryption[0].enabled of aws_elasticsearch_domain must be true.

Implementation options¶

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Terraform AWS provider resources¶

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See docs for the resources involved: aws_elasticsearch_domain.

resource "aws_elasticsearch_domain" "this" {
  advanced_security_options {
    enabled                        = true
    internal_user_database_enabled = true

    master_user_options {
      master_user_name     = "admin"
      master_user_password = "ChangeMe123!"
    }
  }

  cognito_options {
    enabled          = true
    identity_pool_id = "us-east-1:12345678-1234-1234-1234-123456789012"
    role_arn         = "arn:aws:iam::123456789012:role/CognitoAccessForAmazonES"
    user_pool_id     = "us-east-1_Example"
  }

  domain_name = "pofix-example"

  log_publishing_options {
    cloudwatch_log_group_arn = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/elasticsearch/domains/example"
    log_type                 = "AUDIT_LOGS"
  }

  vpc_options {
    subnet_ids = ["subnet-12345abc"]
  }

  node_to_node_encryption {
    enabled = true
  }
}

Tool mappings¶

Use these identifiers to cross-reference this control across tools, reports, and evidence.

• Compliance.tf (CTF) Control: es_domain_node_to_node_encryption_enabled

• AWS Config Managed Rule: ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK

• Checkov Check: CKV_AWS_6

• Powerpipe Controls: aws_compliance.control.es_domain_node_to_node_encryption_enabled, aws_compliance.control.opensearch_domain_node_to_node_encryption_enabled