ElasticSearch Encryption With KMS Disabled

  • Query id: 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2
  • Query name: ElasticSearch Encryption With KMS Disabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Encryption
  • URL: Github

Description

Checks whether any ElasticSearch domain is not encrypted with a KMS key, that is, whether its encrypt_at_rest block is enabled but does not set kms_key_id.

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_elasticsearch_domain" "positive1" {
  domain_name           = "example"
  elasticsearch_version = "1.5"

  encrypt_at_rest {
    enabled = true
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_elasticsearch_domain" "negative1" {
  domain_name           = "example"
  elasticsearch_version = "1.5"

  encrypt_at_rest {
    enabled    = true
    kms_key_id = "some-key-id"
  }
}
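
Added example (not part of the KICS query or its test files): the same check run over the "configuration" section of `terraform show -json` output, so a kms_key_id given as a reference to another resource counts as set, just like the literal in the negative sample. The sample plan is constructed, and the names by_reference, in_module, search and aws_kms_key.es are assumptions; a domain with no encrypt_at_rest block at all is outside this check.

```python
import json

RESOURCE_TYPE = "aws_elasticsearch_domain"

def is_set(expr):
    """True if the argument is a non-empty literal or refers to another object."""
    if not expr:
        return False
    return bool(expr.get("references")) or expr.get("constant_value") not in (None, "")

def domains_without_kms_key(plan):
    """Addresses of domains whose encrypt_at_rest block sets no kms_key_id."""
    findings = []
    stack = [("", plan.get("configuration", {}).get("root_module", {}))]
    while stack:
        prefix, module = stack.pop()
        for res in module.get("resources", []):
            if res.get("type") != RESOURCE_TYPE:
                continue
            blocks = res.get("expressions", {}).get("encrypt_at_rest", [])
            if any(not is_set(b.get("kms_key_id")) for b in blocks):
                findings.append(prefix + res["address"])
        # Child modules sit under module_calls.<name>.module in the config tree.
        for name, call in module.get("module_calls", {}).items():
            stack.append((f"{prefix}module.{name}.", call.get("module", {})))
    return sorted(findings)

def _domain(name, block):
    """Build one constructed sample resource with a single encrypt_at_rest block."""
    return {"address": f"{RESOURCE_TYPE}.{name}", "type": RESOURCE_TYPE,
            "expressions": {"encrypt_at_rest": [block]}}

ENABLED = {"enabled": {"constant_value": True}}

# Constructed sample shaped like `terraform show -json` output (not a real plan).
SAMPLE_PLAN = {"configuration": {"root_module": {
    "resources": [
        _domain("positive1", dict(ENABLED)),
        _domain("negative1", {**ENABLED, "kms_key_id": {"constant_value": "some-key-id"}}),
        _domain("by_reference", {**ENABLED, "kms_key_id": {
            "references": ["aws_kms_key.es.arn", "aws_kms_key.es"]}}),
    ],
    "module_calls": {"search": {"module": {
        "resources": [_domain("in_module", dict(ENABLED))]}}},
}}}

if __name__ == "__main__":
    print(json.dumps(domains_without_kms_key(SAMPLE_PLAN), indent=2))
```

A reference to a variable also counts as set here, because its value cannot be resolved from the configuration alone.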