05 - Elasticsearch Encrypted with KMS CMK

Ensure Elasticsearch is enforcing encryption at rest

When running AWS ES clusters, all data should be encrypted at rest. For an added layer of security a Customer Managed Key (CMK) should be leveraged vs the default key provided by AWS. For this reason it is considered a security best practice to enforce encryption at rest with a customer managed key. Ensuring this will help you with NIST, HIPPA and GDPR compliance.

Audit & Remediation

Login into your AWS account
Navigate to the Elasticsearch service at: https://console.aws.amazon.com/es

Select each Elasticsearch cluster and on the main tab look to validate the encryption settings.

If Encryption at rest is currently set to Enabled, you will see KMS master key listed just below.

Copy the KMS master key, then navigate to https://console.aws.amazon.com/kms.
Under AWS Manged Keys paste the ID of the KMS master key from what you had copied in the previous step.

If this key was found and the alias is listed as aws/es then you are using the default master key from AWS for Elasticsearch.
In order to change this feature you will be required to do a manual snapshot of the Elasticsearch domain and restore a to a new Elasticsearch domain.
Follow directions located here in order to perform the recreation fo the Elasticsearch domain. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains-snapshots.html

See all of your AWS EC2 Instances in a single place!

Do you want to see all of your AWS EC2 Instances in once place for all regions and all accounts?
Login to our online demo to see exactly what this looks like.
demo.intelligentdiscovery.io

Other Key Features

Inventory

Consolidate your inventory management with consistent and frequent security logs, inventories, and change logs. Dashboard reporting for extensive analytical value.

learn more +

Cost & Usage

Access consolidated capacity, cost, and volume tools in a scaling environment without impacting production or breaking the bank.