Amazon ElasticSearch
      Back to home
      1. CNS Policies
      2. AWS Knowledge Base
      3. Amazon ElasticSearch

      ElasticSearch Node To Node Encryption Disabled

      This plugin ensures ElasticSearch domain traffic is encrypted in transit between nodes

      Risk Level: Medium

      Description

      This plugin ensures ElasticSearch domain traffic is encrypted in transit between nodes. The domains must be encrypted to ensure data at transit is secured and not prone to any database query attacks. Node-to-node encryption enables encryption in transit as all the communications within that VPC are carried out with TLS encryption.

      About the Service

      Amazon OpenSearch: With Amazon OpenSearch, one can analyze, query and visualize petabytes of text and unstructured data. It makes the complex process of performing interactive log analytics, real-time application monitoring, website search, an easy process. Apart from this, Amazon OpenSearch also provides the possibility to capture observability logs and metrics. 

      Impact

      This setting provides an additional layer of security.After you enable node-to-node encryption, you can't disable it. It requires Elasticsearch version 6.7 and above.

      It is recommended to enable encryption at transit for OpenSearch domains in the form of node-to-node encryption. In absence of proper encryption, the domain data such as log analytics, monitoring data will be completely visible to the attacker if compromised during the data transfer process.

      Steps to Reproduce

      Using AWS Console-

      1. Log In to your AWS Console.
      2. Open the Amazon OpenSearch Console. You can use this link (https://console.aws.amazon.com/esv3/) to navigate directly if already logged in. 
      3. From the left navigation pane, click on Domains from the left panel.
      4. A list of domains will be displayed. Select the domain you want to examine by clicking on it’s name.
      5. Move to the Security Configurations tab.
      6. In the Encryption section, check if Node-to-node Encryption is enabled. If not, the vulnerability exists.
      7. Repeat steps 3 to 6 for all the domains you wish to examine.

      Steps for Remediation

      Ensure encryption-at-rest is enabled for all ElasticSearch domains.

      1. Log In to your AWS Console.
      2. Open the Amazon OpenSearch Console. You can use this link (https://console.aws.amazon.com/esv3/) to navigate directly if already logged in. 
      3. From the left navigation pane, click on Domains from the left panel.
      4. A list of domains will be displayed. Select the vulnerable domain by clicking on it’s name.
      5. Move to the Security Configurations tab.
      6. Click on the Edit button from the top-right corner.
      7. Scroll down and enable the Node-to-node Encryption option by clicking on the checkbox next to it.
      8. Repeat steps 3 to 7 for all the insecure domains.