Posted On: Jan 27, 2021
Amazon Elasticsearch Service now supports encryption of data at rest and node-to-node encryption on existing domains, enabling organizations hosting sensitive workloads to meet stringent security and compliance requirements.
Amazon Elasticsearch Service allows you to encrypt your data using keys that can be managed with Amazon Key Management Service (KMS). You can choose to bring your own master key or use the one provided by the service. On an Amazon Elasticsearch Service domain with encryption enabled, all data stored on the underlying file systems is encrypted, including primary and replica indices, log files, memory swap files, and automated Amazon S3 snapshots. Encryption at rest supports both Amazon Elastic Block Store (EBS) and instance storage.
The node-to-node encryption capability provides an additional layer of security by implementing Transport Layer Security (TLS) for all communications between Amazon Elasticsearch Service instances in a cluster. This ensures that any data you send to your Amazon Elasticsearch Service domain over HTTPS remains encrypted in flight while it is being distributed and replicated between the nodes. The lifecycle of the TLS certificates is managed by the service throughout the life of the domain, without any additional operational overhead.
Encryption of data at rest and node-to-node encryption are supported on all domains starting with Elasticsearch version 6.7. For more information on configuring and using encryption of data at rest with Amazon KMS, please see the documentation. To learn more about Amazon KMS, visit the Amazon KMS overview page. For more information on configuring and using node-to-node encryption, please see the documentation.
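The two settings described above can be audited and turned on programmatically. The following is an added example, not code from this announcement or from AWS: it checks a domain's configuration for the version floor, encryption at rest and node-to-node encryption, and builds the request that enables both. It assumes the boto3 `es` client's `describe_elasticsearch_domain` response shape (`DomainStatus` with `ElasticsearchVersion`, `EncryptionAtRestOptions` and `NodeToNodeEncryptionOptions`) and the `update_elasticsearch_domain_config` parameters of the same names; the domain statuses at the bottom are constructed for the demonstration, and the `kms_key_id` value is a placeholder.

```python
"""Audit Amazon Elasticsearch Service domains for encryption at rest and
node-to-node encryption, and build the update that enables both.

Added example (not AWS code). Assumes the boto3 'es' client response and
request shapes named in the lead-in and a caller allowed to describe and
update the domain. The helpers below run offline; only remediate() calls AWS.
"""
from typing import Dict, List, Optional, Tuple

MIN_VERSION = (6, 7)  # both features are supported from Elasticsearch 6.7


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.10' -> (7, 10). Non-numeric components are ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def audit_domain(status: Dict) -> List[str]:
    """Return findings for one DomainStatus dict; an empty list means compliant."""
    findings = []
    name = status.get("DomainName", "<unknown>")
    version = status.get("ElasticsearchVersion", "0")
    if parse_version(version) < MIN_VERSION:
        findings.append(f"{name}: Elasticsearch {version} is below 6.7; "
                        "upgrade before enabling encryption")
    if not status.get("EncryptionAtRestOptions", {}).get("Enabled", False):
        findings.append(f"{name}: encryption at rest is disabled")
    if not status.get("NodeToNodeEncryptionOptions", {}).get("Enabled", False):
        findings.append(f"{name}: node-to-node encryption is disabled")
    return findings


def build_update_params(domain_name: str, kms_key_id: Optional[str] = None) -> Dict:
    """Keyword arguments for es.update_elasticsearch_domain_config that turn on
    both features. With kms_key_id=None the service-managed key is used."""
    rest: Dict = {"Enabled": True}
    if kms_key_id:
        rest["KmsKeyId"] = kms_key_id  # customer-managed key (bring your own key)
    return {
        "DomainName": domain_name,
        "EncryptionAtRestOptions": rest,
        "NodeToNodeEncryptionOptions": {"Enabled": True},
    }


def remediate(domain_name: str, kms_key_id: Optional[str] = None,
              dry_run: bool = True) -> Dict:
    """Describe the live domain, audit it and, unless dry_run, apply the fix."""
    import boto3  # imported here so the pure helpers above need no network

    es = boto3.client("es")
    status = es.describe_elasticsearch_domain(DomainName=domain_name)["DomainStatus"]
    findings = audit_domain(status)
    applied = bool(findings) and not dry_run
    if applied:
        es.update_elasticsearch_domain_config(**build_update_params(domain_name, kms_key_id))
    return {"findings": findings, "applied": applied}


# Constructed sample statuses (shape of DomainStatus, values invented).
SAMPLE_DOMAINS = [
    {"DomainName": "logs-prod", "ElasticsearchVersion": "7.9",
     "EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": "PLACEHOLDER-KEY-ARN"},
     "NodeToNodeEncryptionOptions": {"Enabled": True}},
    {"DomainName": "search-legacy", "ElasticsearchVersion": "6.5",
     "EncryptionAtRestOptions": {"Enabled": False},
     "NodeToNodeEncryptionOptions": {"Enabled": False}},
    {"DomainName": "metrics-dev", "ElasticsearchVersion": "7.4",
     "EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": "PLACEHOLDER-KEY-ARN"}},
]

if __name__ == "__main__":
    for domain in SAMPLE_DOMAINS:
        for finding in audit_domain(domain) or [f"{domain['DomainName']}: compliant"]:
            print(finding)
```

Run `remediate("my-domain", dry_run=False)` only after reviewing the findings from a dry run; changing these options on an existing domain is a configuration change the service rolls out to the cluster, so schedule it like any other domain update.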
Encryption of data at rest and node-to-node encryption are now available for Amazon Elasticsearch Service domains in the Amazon Web Services China (Beijing) region, operated by Sinnet, and the Amazon Web Services China (Ningxia) region, operated by NWCD.