OpenSearch Node-to-Node Encryption

Overview

This check verifies that your Amazon OpenSearch Service domains have node-to-node encryption enabled. Node-to-node encryption uses TLS to protect traffic between the nodes (servers) within your OpenSearch cluster.

Risk

Without node-to-node encryption, traffic between cluster nodes (shard replication, search fan-out, cluster state updates) travels in plaintext. Anyone able to observe or inject packets on the cluster's network path could:

  • Intercept sensitive data, including indexed documents, search queries and results, and any credentials carried in internal requests
  • Tamper with data as it is replicated between nodes
  • Disrupt the service by altering or replaying node-to-node messages

With node-to-node encryption enabled, all traffic between nodes is carried over TLS, so it cannot be read or modified in transit. Note that this setting covers only traffic inside the cluster; traffic between clients and the domain endpoint is protected separately by enforcing HTTPS on the domain.

Remediation Steps

Prerequisites

  • AWS credentials with permission to view and modify the domain configuration (the es:DescribeDomain and es:UpdateDomainConfig IAM actions)
  • The name of the OpenSearch domain you want to update

AWS Console Method

  1. Sign in to the AWS Console and navigate to Amazon OpenSearch Service
  2. In the left navigation, click Domains
  3. Click on the name of the domain you want to update
  4. Click the Actions button, then select Edit security configuration
  5. Under Encryption, find Node-to-node encryption and check the box to enable it
  6. Scroll down and click Save changes

Note: Enabling node-to-node encryption on an existing domain triggers a blue/green deployment: the domain shows a Processing status while a new environment is built and the data is migrated to it. Small domains finish in minutes; large domains can take considerably longer. The domain remains available for reads and writes while this happens.

AWS CLI (optional)

Enable node-to-node encryption on an existing domain:

aws opensearch update-domain-config \
  --domain-name <your-domain-name> \
  --node-to-node-encryption-options Enabled=true \
  --region us-east-1

Replace <your-domain-name> with your actual OpenSearch domain name.

Check current encryption status:

aws opensearch describe-domain \
  --domain-name <your-domain-name> \
  --region us-east-1 \
  --query 'DomainStatus.NodeToNodeEncryptionOptions'

Expected output when enabled:

{
    "Enabled": true
}

CloudFormation (optional)

Use the NodeToNodeEncryptionOptions property in your AWS::OpenSearchService::Domain resource:

AWSTemplateFormatVersion: '2010-09-09'
Description: OpenSearch domain with node-to-node encryption enabled

Parameters:
  DomainName:
    Type: String
    Description: Name for the OpenSearch domain (3-28 characters, lowercase letters, digits and hyphens, starting with a letter)
    MinLength: 3
    MaxLength: 28
    AllowedPattern: '[a-z][a-z0-9-]+'

Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: !Ref DomainName
      EngineVersion: OpenSearch_2.11
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: 1
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp3
        VolumeSize: 10
      NodeToNodeEncryptionOptions:
        Enabled: true
      EncryptionAtRestOptions:
        Enabled: true

Outputs:
  DomainEndpoint:
    Description: OpenSearch domain endpoint
    Value: !GetAtt OpenSearchDomain.DomainEndpoint
  DomainArn:
    Description: OpenSearch domain ARN
    Value: !GetAtt OpenSearchDomain.DomainArn

Deploy with:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name my-opensearch-stack \
  --parameter-overrides DomainName=my-secure-domain \
  --region us-east-1

Terraform (optional)

Use the node_to_node_encryption block in your aws_opensearch_domain resource:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "domain_name" {
  description = "Name of the OpenSearch domain"
  type        = string
}

resource "aws_opensearch_domain" "example" {
  domain_name    = var.domain_name
  engine_version = "OpenSearch_2.11"

  cluster_config {
    instance_type  = "t3.small.search"
    instance_count = 1
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "gp3"
    volume_size = 10
  }

  node_to_node_encryption {
    enabled = true
  }

  encrypt_at_rest {
    enabled = true
  }
}

output "domain_endpoint" {
  description = "OpenSearch domain endpoint"
  value       = aws_opensearch_domain.example.endpoint
}

output "domain_arn" {
  description = "OpenSearch domain ARN"
  value       = aws_opensearch_domain.example.arn
}

Apply with:

terraform init
terraform apply -var="domain_name=my-secure-domain"

Verification

After enabling node-to-node encryption, verify the change:

  1. In the AWS Console, go to Amazon OpenSearch Service > Domains
  2. Click on your domain name
  3. Under the General information or Security configuration tab, confirm that Node-to-node encryption shows as Enabled

CLI verification

aws opensearch describe-domain \
  --domain-name <your-domain-name> \
  --region us-east-1 \
  --query 'DomainStatus.NodeToNodeEncryptionOptions.Enabled'

This should return true.
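The same check across every domain in a region, as an added example (not code from the original page or an AWS tool): the script evaluates the JSON that aws opensearch describe-domains returns and reports each domain whose NodeToNodeEncryptionOptions.Enabled is not true, treating a missing options block as disabled. Because node-to-node TLS covers only traffic inside the cluster, it also reports domains without encryption at rest or without EnforceHTTPS on the endpoint. The DomainStatusList embedded in the block is constructed sample data; with --live it calls the AWS CLI instead, which requires credentials allowed the es:ListDomainNames and es:DescribeDomains actions.

```python
"""Audit Amazon OpenSearch Service domains for node-to-node encryption.

Added example, not part of the original page or of AWS tooling. Parses the
output shape of `aws opensearch describe-domains` (DomainStatusList) and lists
every domain with an encryption setting turned off. Without --live it runs
against the constructed sample below, so it works offline.
"""
import json
import subprocess
import sys

# Constructed sample shaped like `aws opensearch describe-domains` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DomainStatusList": [
        {
            "DomainName": "logs-prod",
            "EngineVersion": "OpenSearch_2.11",
            "NodeToNodeEncryptionOptions": {"Enabled": True},
            "EncryptionAtRestOptions": {"Enabled": True},
            "DomainEndpointOptions": {"EnforceHTTPS": True},
        },
        {
            "DomainName": "legacy-search",
            "EngineVersion": "Elasticsearch_7.10",
            "NodeToNodeEncryptionOptions": {"Enabled": False},
            "EncryptionAtRestOptions": {"Enabled": False},
            "DomainEndpointOptions": {"EnforceHTTPS": False},
        },
        {
            # A response with the options blocks missing entirely: treat as disabled.
            "DomainName": "no-options-block",
            "EngineVersion": "OpenSearch_1.3",
        },
    ]
})

FINDING_N2N = "node-to-node encryption disabled"
FINDING_AT_REST = "encryption at rest disabled"
FINDING_HTTPS = "HTTPS not enforced on the domain endpoint"


def domain_findings(domain: dict) -> list:
    """Return the encryption settings that are not enabled for one domain status."""
    findings = []
    if not domain.get("NodeToNodeEncryptionOptions", {}).get("Enabled", False):
        findings.append(FINDING_N2N)
    if not domain.get("EncryptionAtRestOptions", {}).get("Enabled", False):
        findings.append(FINDING_AT_REST)
    # Node-to-node TLS protects only intra-cluster traffic; client traffic needs EnforceHTTPS.
    if not domain.get("DomainEndpointOptions", {}).get("EnforceHTTPS", False):
        findings.append(FINDING_HTTPS)
    return findings


def audit(describe_json: str) -> dict:
    """Map each non-compliant domain name to its findings; compliant domains are omitted."""
    status_list = json.loads(describe_json).get("DomainStatusList", [])
    report = {}
    for domain in status_list:
        findings = domain_findings(domain)
        if findings:
            report[domain["DomainName"]] = findings
    return report


def fetch_live(region: str) -> str:
    """Fetch real domain configs via the AWS CLI (needs es:ListDomainNames, es:DescribeDomains)."""
    listing = json.loads(subprocess.check_output(
        ["aws", "opensearch", "list-domain-names", "--region", region, "--output", "json"]))
    names = [d["DomainName"] for d in listing.get("DomainNames", [])]
    if not names:
        return json.dumps({"DomainStatusList": []})
    return subprocess.check_output(
        ["aws", "opensearch", "describe-domains", "--domain-names", *names,
         "--region", region, "--output", "json"]).decode()


if __name__ == "__main__":
    region = sys.argv[sys.argv.index("--region") + 1] if "--region" in sys.argv else "us-east-1"
    data = fetch_live(region) if "--live" in sys.argv else SAMPLE_DESCRIBE_OUTPUT
    report = audit(data)
    for name, findings in report.items():
        print(f"{name}: {'; '.join(findings)}")
    # Non-zero exit when anything is non-compliant, so the check can gate a pipeline.
    sys.exit(1 if report else 0)
```

Run it with no arguments to see the sample report (logs-prod is compliant and is not listed; the other two domains are), or with --live --region <region> to audit real domains. The exit status is 1 whenever any domain has a finding.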

Notes

  • New domains: Enable node-to-node encryption when you create the domain. It is a one-line setting at creation time and avoids the later blue/green deployment.
  • Existing domains: You can enable node-to-node encryption on an existing domain, but the change triggers a blue/green deployment and the domain stays in a Processing state until it completes. Node-to-node encryption requires OpenSearch, or Elasticsearch 6.0 or later.
  • Encryption at rest and HTTPS: Node-to-node encryption protects only traffic inside the cluster. Pair it with encryption at rest and with enforced HTTPS on the domain endpoint (DomainEndpointOptions.EnforceHTTPS) so that data is protected in transit to clients and on disk. All three are required if you want to use fine-grained access control.
  • Low performance impact: TLS between nodes adds minimal overhead on current instance types.
  • Cannot be disabled: Once enabled on a domain, node-to-node encryption cannot be turned off. If you ever need an unencrypted domain, the only path is to snapshot the data, create a new domain, and restore into it.