When sensitive data is stored in an OpenSearch domain, it is important to encrypt that data at rest to prevent unauthorized access. OpenSearch provides the ability to encrypt data at rest using KMS-managed keys. This ensures that the data is protected even if someone gains physical access to the underlying storage. Therefore, ensuring OpenSearch data at rest encryption is enabled is an important security best practice.


To ensure OpenSearch data at rest encryption is enabled, you can follow these remediation steps:

  1. Open the Amazon OpenSearch Service console.
  2. In the left navigation pane, click on the "Domains" link.
  3. Click on the name of the domain for which you want to enable encryption.
  4. In the "Encryption" section, click on the "Edit" button.
  5. In the "Encryption" dialog box, select the "Enable encryption of data at rest" checkbox.
  6. Select the appropriate KMS master key from the "Select KMS master key" dropdown menu.
  7. Click on the "Save changes" button to enable data at rest encryption.
Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.