Posted On: Dec 16, 2019

We are pleased to announce Amazon Elasticsearch Service now supports encryption at rest through Amazon Key Management Service (KMS) and node-to-node encryption, enabling organizations to host sensitive workloads with stringent security and compliance requirements. 

On an Amazon Elasticsearch Service domain with encryption at rest enabled, all data stored on the underlying file systems are encrypted, including primary and replica indices, log files, memory swap files, and automated snapshots. Amazon Elasticsearch Service handles encryption and decryption seamlessly, so you don’t have to modify your application to access your data. Amazon Elasticsearch Service can create a KMS master key for you, or you can choose one of your own. Encryption at rest supports both Amazon Elastic Block Store (EBS) and instance storage. 

Node-to-node encryption provides an additional layer of security by implementing Transport Layer Security (TLS) for all communications between Elasticsearch nodes in the cluster. It ensures that any data you send to your Amazon Elasticsearch Service domain over HTTPS remains encrypted while Elasticsearch distributes and replicates it between the nodes. All certificates are deployed and rotated automatically by the service throughout the life of the domain, without any additional operational overhead. 

For more information on these features and how to enable them on new domains, please refer to our documentation