Amazon OpenSearch Service is a managed service for hosting OpenSearch domains (clusters). It is the successor of Amazon Elasticsearch Service, which has been deprecated.

To protect domain (cluster) data against unauthorized access, OpenSearch Service offers encryption at rest for domains running OpenSearch (any version) or Elasticsearch 5.1 or later. Encryption at rest uses an AWS KMS key and covers indices, OpenSearch logs, swap files, all other data in the application directory, and automated snapshots.

Thus, adversaries cannot read the data if they gain access to the underlying storage medium. Manual snapshots are not covered by this setting; protect them separately with server-side encryption on the S3 bucket that stores them.

Why is this an issue?

OpenSearch domains store indexed data that may contain sensitive information. Without encryption at rest, this data is stored unencrypted and can be read by anyone with physical or administrative access to the underlying storage. This rule detects OpenSearch domain configurations where encryption at rest is disabled or not explicitly enabled (the service default is disabled).

What is the potential impact?

Disabling encryption at rest leaves stored data vulnerable if the storage medium is compromised.

Unauthorized access to sensitive data

An attacker who gains physical access to the storage medium, or unauthorized administrative access, can read all indexed data in plain text. This may include sensitive business data, personal information, or credentials that can be exploited for further attacks or cause regulatory compliance failures.

How to fix it

Enable encryption at rest by setting EncryptionAtRestOptions.Enabled to true. If no KmsKeyId is given, the domain is encrypted with the AWS managed key aws/es; specify a customer managed KMS key when you need control over the key policy and rotation. Two caveats apply: encryption at rest can be turned on for an existing domain only if it runs OpenSearch or Elasticsearch 6.7 or later (older Elasticsearch domains must be recreated), and once enabled it cannot be disabled.

Code examples

Noncompliant code example

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OpenSearchServiceDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      EncryptionAtRestOptions:
        Enabled: false  # Noncompliant: data at rest is stored unencrypted

Compliant solution

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OpenSearchServiceDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      EncryptionAtRestOptions:
        Enabled: true
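The following script is an added example, not part of the Sonar rule implementation or of AWS tooling. It applies the rule's logic to a CloudFormation template in its JSON form (CloudFormation accepts JSON and YAML interchangeably): every AWS::OpenSearchService::Domain (and legacy AWS::Elasticsearch::Domain) resource is reported unless EncryptionAtRestOptions.Enabled is provably true. It also covers the two cases the YAML snippets above do not show: the option block missing entirely, which falls back to the disabled default, and Enabled driven by a parameter, which cannot be decided statically. The sample template, its logical IDs and the KMS alias are constructed for the demonstration.

```python
"""Static check for OpenSearch domain resources whose encryption at rest is
disabled or not explicitly enabled. Added example; operates on the JSON form
of a CloudFormation template."""
import json

# Both the current resource type and the legacy Elasticsearch one carry the
# same EncryptionAtRestOptions property.
DOMAIN_TYPES = {"AWS::OpenSearchService::Domain", "AWS::Elasticsearch::Domain"}


def encryption_at_rest_status(properties):
    """Classify a domain resource's EncryptionAtRestOptions.

    Returns one of:
      "enabled"  - Enabled is boolean true (or the string "true")
      "disabled" - Enabled is false, or the option is absent (service default)
      "dynamic"  - Enabled is an intrinsic function (Ref, Fn::If, ...), so the
                   value depends on deploy-time input and must be reviewed
    """
    options = (properties or {}).get("EncryptionAtRestOptions")
    if not isinstance(options, dict) or "Enabled" not in options:
        return "disabled"
    enabled = options["Enabled"]
    if isinstance(enabled, bool):
        return "enabled" if enabled else "disabled"
    if isinstance(enabled, str):
        # CloudFormation accepts "true"/"false" strings for Boolean properties.
        return "enabled" if enabled.strip().lower() == "true" else "disabled"
    if isinstance(enabled, dict):
        return "dynamic"
    return "disabled"


def find_noncompliant_domains(template):
    """Return [(logical_id, status)] for every domain resource in the template
    that is not provably encrypted at rest, in template order."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in DOMAIN_TYPES:
            continue
        status = encryption_at_rest_status(resource.get("Properties"))
        if status != "enabled":
            findings.append((logical_id, status))
    return findings


# Constructed sample template (JSON form of a CloudFormation template).
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {"Encrypt": {"Type": "String", "Default": "false"}},
  "Resources": {
    "Unencrypted": {
      "Type": "AWS::OpenSearchService::Domain",
      "Properties": {"EncryptionAtRestOptions": {"Enabled": false}}
    },
    "Defaulted": {
      "Type": "AWS::OpenSearchService::Domain",
      "Properties": {"EngineVersion": "OpenSearch_2.11"}
    },
    "Parameterised": {
      "Type": "AWS::OpenSearchService::Domain",
      "Properties": {"EncryptionAtRestOptions": {"Enabled": {"Ref": "Encrypt"}}}
    },
    "Encrypted": {
      "Type": "AWS::OpenSearchService::Domain",
      "Properties": {
        "EncryptionAtRestOptions": {"Enabled": true, "KmsKeyId": "alias/opensearch-data"}
      }
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")

if __name__ == "__main__":
    for logical_id, status in find_noncompliant_domains(SAMPLE_TEMPLATE):
        print(f"{logical_id}: encryption at rest {status}")
```

Running the script reports Unencrypted and Defaulted as disabled and Parameterised as dynamic; the Encrypted domain and the unrelated bucket produce no finding. For a domain that is already deployed, the same property can be read back with `aws opensearch describe-domain --domain-name <name> --query DomainStatus.EncryptionAtRestOptions`, which returns the effective Enabled flag and KmsKeyId.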
