OpenSearch Service Domain Encryption at Rest
Overview
This check verifies that your Amazon OpenSearch Service domains have encryption at rest enabled. Encryption at rest uses AWS Key Management Service (KMS) keys to encrypt the data on a domain's disks with AES-256: indexes, OpenSearch logs, swap files, all other data in the application directory, and automated snapshots. Manual snapshots written to your own S3 bucket are outside this setting and rely on the bucket's own server-side encryption.
Risk
Without encryption at rest, your OpenSearch data is readable by anyone who gains access to the underlying storage volumes or to automated snapshots, bypassing the domain's access policy entirely. This could lead to:
- Data exposure: sensitive information in your search indexes could be read straight from the storage media by unauthorized parties
- Data tampering: an attacker with access to the raw volumes or snapshots could alter stored data offline
- Compliance violations: many regulations and standards (HIPAA, PCI-DSS, GDPR) require encryption of data at rest
Severity: Critical
Remediation Steps
Prerequisites
- AWS account access with permissions to modify OpenSearch domains
- The domain name of the OpenSearch cluster you need to update
Important: Enabling encryption at rest on an existing domain triggers a blue/green deployment: a new set of nodes is built alongside the old one and traffic is switched over, so the domain stays available but may see reduced performance during the migration. Plan this change during a maintenance window.
AWS Console Method
- Open the Amazon OpenSearch Service console
- In the left navigation, click Domains
- Click on the domain name you want to update
- Click Actions and select Edit security configuration
- Under Encryption, find the Encryption of data at rest section
- Check the box to Enable encryption of data at rest
- Choose your encryption key:
- AWS managed key: the default key aws/es, created and managed by AWS in your account at no additional charge (simplest option)
- Customer managed key: select a symmetric KMS key in the same Region that you control (full control over the key policy, rotation, and revocation)
- Click Save changes
The domain will enter a processing state while encryption is enabled. This may take several minutes to complete.
AWS CLI (optional)
List your OpenSearch domains:
aws opensearch list-domain-names --region us-east-1
Check current encryption status:
aws opensearch describe-domain \
--domain-name <your-domain-name> \
--region us-east-1 \
--query 'DomainStatus.EncryptionAtRestOptions'
Enable encryption at rest with the AWS managed key aws/es (used whenever no KmsKeyId is given):
aws opensearch update-domain-config \
--domain-name <your-domain-name> \
--encryption-at-rest-options Enabled=true \
--region us-east-1
Enable encryption at rest with a customer-managed KMS key:
aws opensearch update-domain-config \
--domain-name <your-domain-name> \
--encryption-at-rest-options Enabled=true,KmsKeyId=<your-kms-key-id> \
--region us-east-1
Replace:
- <your-domain-name> with your OpenSearch domain name
- <your-kms-key-id> with your KMS key ID (format: 1a2a3a4a-1a2a-3a4a-5a6a-1a2a3a4a5a6a)
CloudFormation (optional)
Use this CloudFormation template to create a new OpenSearch domain with encryption at rest enabled:
AWSTemplateFormatVersion: '2010-09-09'
Description: OpenSearch domain with encryption at rest enabled
Parameters:
DomainName:
Type: String
Description: Name for the OpenSearch domain
Default: my-opensearch-domain
Resources:
OpenSearchDomain:
Type: AWS::OpenSearchService::Domain
Properties:
DomainName: !Ref DomainName
EngineVersion: OpenSearch_2.11
ClusterConfig:
InstanceType: t3.small.search
InstanceCount: 1
EBSOptions:
EBSEnabled: true
VolumeSize: 10
VolumeType: gp3
EncryptionAtRestOptions:
Enabled: true
NodeToNodeEncryptionOptions:
Enabled: true
Outputs:
DomainEndpoint:
Description: OpenSearch domain endpoint
Value: !GetAtt OpenSearchDomain.DomainEndpoint
DomainArn:
Description: OpenSearch domain ARN
Value: !GetAtt OpenSearchDomain.Arn
To use a customer-managed KMS key, add the KmsKeyId property. YourKMSKeyId is assumed here to be a template parameter holding the key ID; if the key is an AWS::KMS::Key resource in the same template, !Ref that resource instead:
EncryptionAtRestOptions:
Enabled: true
KmsKeyId: !Ref YourKMSKeyId
Deploy the template:
aws cloudformation create-stack \
--stack-name opensearch-encrypted \
--template-body file://template.yaml \
--region us-east-1
Terraform (optional)
resource "aws_opensearch_domain" "example" {
domain_name = "my-opensearch-domain"
engine_version = "OpenSearch_2.11"
cluster_config {
instance_type = "t3.small.search"
}
ebs_options {
ebs_enabled = true
volume_size = 10
volume_type = "gp3"
}
# Enable encryption at rest
encrypt_at_rest {
enabled = true
}
# Also recommended: enable node-to-node encryption
node_to_node_encryption {
enabled = true
}
}
To use a customer-managed KMS key (this assumes an aws_kms_key resource named opensearch is declared in the same configuration):
encrypt_at_rest {
enabled = true
kms_key_id = aws_kms_key.opensearch.arn
}
Verification
After enabling encryption, verify the change was applied:
- In the OpenSearch console, click on your domain
- Go to the Security configuration tab
- Confirm that Encryption of data at rest shows as Enabled
CLI verification
aws opensearch describe-domain \
--domain-name <your-domain-name> \
--region us-east-1 \
--query 'DomainStatus.EncryptionAtRestOptions'
Expected output:
{
"Enabled": true,
"KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/..."
}
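The console and CLI checks above verify one domain at a time. The following script is an added example, not part of the original check or of AWS's tooling: it evaluates every domain in a Region against this check and, for encrypted domains, classifies the KMS key behind it. The evaluation functions take the plain describe-domain and describe-key response shapes, so they run offline against the constructed sample records embedded below; the live main() assumes boto3 is installed and AWS credentials are configured.

```python
"""Audit Amazon OpenSearch Service domains for encryption at rest (added example)."""
from __future__ import annotations

from typing import Iterable, Iterator


def evaluate_domain(domain_status: dict) -> dict:
    """Finding for one DomainStatus object (shape of `aws opensearch describe-domain`).

    `compliant` tracks this check (encryption at rest enabled); node-to-node
    encryption is reported as a secondary issue since the two belong together.
    """
    at_rest = domain_status.get("EncryptionAtRestOptions") or {}
    n2n = domain_status.get("NodeToNodeEncryptionOptions") or {}
    enabled = bool(at_rest.get("Enabled"))
    issues = []
    if not enabled:
        issues.append("encryption at rest disabled")
    if not n2n.get("Enabled"):
        issues.append("node-to-node encryption disabled")
    return {
        "domain": domain_status.get("DomainName"),
        "arn": domain_status.get("ARN"),
        "compliant": enabled,
        "kms_key_id": at_rest.get("KmsKeyId"),
        # Processing=True means a blue/green deployment is still in flight;
        # re-check after it finishes before closing a finding.
        "processing": bool(domain_status.get("Processing")),
        "issues": issues,
    }


def evaluate_key(key_metadata: dict) -> dict:
    """Classify the KMS key behind an encrypted domain from `aws kms describe-key` KeyMetadata.

    KeyManager is "AWS" for the AWS managed key aws/es and "CUSTOMER" for a
    customer managed key. A key that is not Enabled leaves the domain unreadable.
    """
    return {
        "key_id": key_metadata.get("KeyId"),
        "customer_managed": key_metadata.get("KeyManager") == "CUSTOMER",
        "usable": key_metadata.get("KeyState") == "Enabled",
    }


def noncompliant(findings: Iterable[dict]) -> list[str]:
    """Names of domains that fail the check, for a summary line or a ticket."""
    return [f["domain"] for f in findings if not f["compliant"]]


def chunked(items: list, size: int) -> Iterator[list]:
    """describe-domains accepts at most 5 names per call."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


# Constructed sample responses (not real account data) for offline runs.
SAMPLE_DOMAINS = [
    {"DomainName": "search-prod", "Processing": False,
     "ARN": "arn:aws:es:us-east-1:123456789012:domain/search-prod",
     "EncryptionAtRestOptions": {"Enabled": True,
                                 "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/1a2a3a4a-1a2a-3a4a-5a6a-1a2a3a4a5a6a"},
     "NodeToNodeEncryptionOptions": {"Enabled": True}},
    {"DomainName": "search-legacy", "Processing": False,
     "ARN": "arn:aws:es:us-east-1:123456789012:domain/search-legacy",
     "EncryptionAtRestOptions": {"Enabled": False},
     "NodeToNodeEncryptionOptions": {"Enabled": False}},
]


def main(region: str = "us-east-1") -> list[dict]:
    """Live audit of every domain in one Region (needs boto3 and credentials)."""
    import boto3  # imported here so the offline functions work without it

    opensearch = boto3.client("opensearch", region_name=region)
    kms = boto3.client("kms", region_name=region)
    names = [d["DomainName"] for d in opensearch.list_domain_names()["DomainNames"]]
    findings = []
    for batch in chunked(names, 5):
        for status in opensearch.describe_domains(DomainNames=batch)["DomainStatusList"]:
            finding = evaluate_domain(status)
            if finding["kms_key_id"]:
                meta = kms.describe_key(KeyId=finding["kms_key_id"])["KeyMetadata"]
                finding["key"] = evaluate_key(meta)
                if not finding["key"]["usable"]:
                    finding["issues"].append("KMS key is not in Enabled state")
            findings.append(finding)
    for f in findings:
        print(f"{f['domain']}: {'OK' if f['compliant'] else 'FAIL'} {f['issues']}")
    return findings


if __name__ == "__main__":
    main()
```

Run it with credentials for the target account to get one line per domain; the offline functions are what you would drop into a config-rule or CI check, and `noncompliant(...)` gives the list of domain names to remediate with the update-domain-config command above.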
Additional Resources
- Encryption of data at rest for Amazon OpenSearch Service
- AWS KMS concepts
- Amazon OpenSearch Service best practices
Notes
- Blue/green deployment: Enabling encryption on an existing domain triggers a blue/green deployment. Your domain remains available, but performance may be affected temporarily, and two node sets run side by side until the switch-over, so make sure account instance limits allow roughly double the domain's node count for the duration.
- Cannot be disabled: Once enabled, encryption at rest cannot be disabled on an OpenSearch domain.
- Engine version and new domains: Encryption at rest requires OpenSearch or Elasticsearch 5.1 or later. For new domains, enable it at creation time; that avoids the blue/green migration entirely.
- Customer-managed keys: Using a customer-managed KMS key gives you control over key rotation, the key policy, and CloudTrail visibility of key use, and lets you cut off access by disabling the key. That is also the main operational risk: if the key is disabled or scheduled for deletion, the domain's data becomes unreadable, so lock down the key policy and alert on changes to it. Consider a customer-managed key for sensitive workloads.
- Defense in depth: Combine encryption at rest with node-to-node encryption, HTTPS-only access, and fine-grained access control. Encryption at rest protects the storage media; it does nothing against an over-privileged caller reading the same data through the API.