Elasticsearch domain isn’t encrypted at rest.
Explanation
You should ensure your Elasticsearch data is encrypted at rest to help prevent sensitive information from being read by unauthorised users.
Insecure Example
The following example will fail the AWS031 check.
resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
domain_name = "domain-foo"
encrypt_at_rest {
enabled = false
}
}
Secure Example
The following example will pass the AWS031 check.
resource "aws_elasticsearch_domain" "my_elasticsearch_domain" {
domain_name = "domain-foo"
encrypt_at_rest {
enabled = true
}
}