AWS031 - Elasticsearch domain isn't encrypted at rest.

Written by tfsec

Explanation

You should ensure your Elasticsearch data is encrypted at rest to help prevent sensitive information from being read by unauthorised users.

Insecure Example

The following example will fail the AWS031 check.

resource "aws_elasticsearch_domain" "bad_example" {
  domain_name = "domain-foo"

  encrypt_at_rest {
    enabled = false
  }
}

Secure Example

The following example will pass the AWS031 check.

resource "aws_elasticsearch_domain" "good_example" {
  domain_name = "domain-foo"

  encrypt_at_rest {
    enabled = true
  }
}

Related Links

• https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#encrypt_at_rest

• https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html

---