Amazon ElasticSearch

ElasticSearch Domains Not Encrypted

This plugin ensures ElasticSearch domains are encrypted with KMS keys

Risk Level: Medium

Description

This plugin ensures ElasticSearch domains are encrypted with KMS keys. ElasticSearch Domains are used to query and visualize unstructured data. The domains must be encrypted to ensure data at rest is secured and not prone to any database query attacks.

About the Service

Amazon OpenSearch: With Amazon OpenSearch, one can analyze, query and visualize petabytes of text and unstructured data. It makes the complex process of performing interactive log analytics, real-time application monitoring, website search, an easy process. Apart from this, Amazon OpenSearch also provides the possibility to capture observability logs and metrics. 

Impact

It is recommended to enable encryption at rest for OpenSearch domains. In absence of proper encryption, the domain data such as log analytics, monitoring data will be completely visible to the attacker if compromised.

Steps to Reproduce

Using AWS Console-

  1. Log In to your AWS Console.
  2. Open the Amazon OpenSearch Console. You can use this link (https://console.aws.amazon.com/esv3/) to navigate directly if already logged in. 
  3. From the left navigation pane, click on Domains from the left panel.
  4. A list of domains will be displayed. Select the domain you want to examine by clicking on it’s name.
  5. Move to the Security Configurations tab.
  6. In the Encryption section, check if Encryption at rest is enabled. If not, the vulnerability exists.
  7. Repeat steps 3 to 6 for all the domains you wish to examine.

Steps for Remediation

Ensure encryption-at-rest is enabled for all ElasticSearch domains.

  1. Log In to your AWS Console.
  2. Open the Amazon OpenSearch Console. You can use this link (https://console.aws.amazon.com/esv3/) to navigate directly if already logged in. 
  3. From the left navigation pane, click on Domains from the left panel.
  4. A list of domains will be displayed. Select the vulnerable domain by clicking on its name.
  5. Move to the Security Configurations tab.
  6. Click on the Edit button from the top-right corner.
  7. Enable Encryption at rest option.
  8. Repeat steps 3 to 7 for all the insecure domains.