Elasticsearch domain isn’t encrypted at rest.

Explanation

You should ensure your Elasticsearch data is encrypted at rest to help prevent sensitive information from being read by unauthorised users.

Insecure Example

The following example will fail the AWS031 check.

resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
  domain_name = "domain-foo"

  encrypt_at_rest {
    enabled = false
  }
}

Secure Example

The following example will pass the AWS031 check.

resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
  domain_name = "domain-foo"

  encrypt_at_rest {
    enabled = true
  }
}
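
The same condition can also be checked against the JSON form of a Terraform plan (the output of `terraform show -json`). This is an added example, not part of the original page or of the tool that implements AWS031. The sample plan and its resource names are constructed, and treating a missing or empty `encrypt_at_rest` block as failing is an assumption of this example.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output
# (planned_values only); the resource names are made up for illustration.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_elasticsearch_domain.plain",
     "type": "aws_elasticsearch_domain",
     "values": {"domain_name": "domain-foo", "encrypt_at_rest": [{"enabled": false}]}},
    {"address": "aws_elasticsearch_domain.encrypted",
     "type": "aws_elasticsearch_domain",
     "values": {"domain_name": "domain-bar", "encrypt_at_rest": [{"enabled": true}]}}],
  "child_modules": [{"address": "module.search", "resources": [
    {"address": "module.search.aws_elasticsearch_domain.no_block",
     "type": "aws_elasticsearch_domain",
     "values": {"domain_name": "domain-baz", "encrypt_at_rest": []}}]}]
}}}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def unencrypted_domains(plan):
    """Return addresses of Elasticsearch domains without encryption at rest."""
    root = plan.get("planned_values", {}).get("root_module", {})
    failing = []
    for res in iter_resources(root):
        if res.get("type") != "aws_elasticsearch_domain":
            continue
        # Nested blocks appear as lists in plan JSON; a missing or empty
        # block is treated as not encrypted (assumption of this example).
        blocks = (res.get("values") or {}).get("encrypt_at_rest") or []
        if not any(b.get("enabled") is True for b in blocks):
            failing.append(res["address"])
    return failing


if __name__ == "__main__":
    for address in unencrypted_domains(SAMPLE_PLAN):
        print(f"not encrypted at rest: {address}")
```

Domains declared inside child modules are included, so a module that creates a domain without the block is reported alongside an explicit `enabled = false`.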