Amazon Elasticsearch Service (ES) is a managed service to host Elasticsearch instances.

To harden domain (cluster) data in case of unauthorized access, ES provides data-at-rest encryption if the Elasticsearch version is 5.1 or above. Enabling encryption at rest will help protect:

• indices
• logs
• swap files
• data in the application directory
• automated snapshots

Thus, if adversaries gain physical access to the storage medium, they cannot access the data.

Ask Yourself Whether

• The database contains sensitive data that could cause harm when leaked.
• There are compliance requirements for the service to store data encrypted.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to encrypt Elasticsearch domains that contain sensitive information.

Encryption and decryption are handled transparently by ES, so no further modifications to the application are necessary.

Sensitive Code Example

For AWS::Elasticsearch::Domain:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Elasticsearch:
    Type: AWS::Elasticsearch::Domain
    Properties:
      EncryptionAtRestOptions:
        Enabled: false  # Sensitive, disabled by default

Compliant Solution

For AWS::Elasticsearch::Domain:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Elasticsearch:
    Type: AWS::Elasticsearch::Domain
    Properties:
      EncryptionAtRestOptions:
        Enabled: true

See

• OWASP Top 10 2021 Category A2 - Cryptographic Failures
• OWASP Top 10 2021 Category A4 - Insecure Design
• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• AWS Documentation - Encryption of data at rest for Amazon Elasticsearch Service
• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• MITRE, CWE-311 - Missing Encryption of Sensitive Data