Ensure Elasticsearch is enforcing encryption at rest

When running AWS ES clusters, all data should be encrypted at rest. For an added layer of security, a Customer Managed Key (CMK) should be used rather than the default key provided by AWS. For this reason, it is considered a security best practice to enforce encryption at rest with a customer managed key. Ensuring this will help you with NIST, HIPAA and GDPR compliance.

Audit & Remediation



  • Select each Elasticsearch cluster and, on the main tab, validate the encryption settings.
  • If Encryption at rest is currently set to Enabled, you will see the KMS master key listed just below.
  • Copy the KMS master key, then navigate to https://console.aws.amazon.com/kms.
  • Under AWS Managed Keys, paste the ID of the KMS master key that you copied in the previous step.
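
The console checks above can also be scripted. The following is an added example, not part of the original page: it relies on the `EncryptionAtRestOptions` field returned by the Elasticsearch `DescribeElasticsearchDomain` API and the `KeyManager` field returned by KMS `DescribeKey` (`AWS` for the default AWS managed key, `CUSTOMER` for a CMK). The domain names, account ID and key ARNs are constructed sample data, and `audit_region` is a hypothetical helper that needs boto3 and AWS credentials.

```python
# Added example: classify Elasticsearch domains by encryption-at-rest posture.
# Dict shapes follow es:DescribeElasticsearchDomain (DomainStatus) and
# kms:DescribeKey (KeyMetadata). All sample values below are constructed.

def classify_domain(domain_status, describe_key):
    """Return NOT_ENCRYPTED, AWS_MANAGED_KEY, CUSTOMER_MANAGED_KEY or KEY_LOOKUP_FAILED."""
    opts = domain_status.get("EncryptionAtRestOptions") or {}
    if not opts.get("Enabled"):
        return "NOT_ENCRYPTED"
    key_id = opts.get("KmsKeyId")
    if not key_id:
        return "KEY_LOOKUP_FAILED"
    try:
        manager = describe_key(key_id).get("KeyManager")
    except Exception:
        # Key deleted, in another account, or kms:DescribeKey denied: review by hand.
        return "KEY_LOOKUP_FAILED"
    return {"CUSTOMER": "CUSTOMER_MANAGED_KEY",
            "AWS": "AWS_MANAGED_KEY"}.get(manager, "KEY_LOOKUP_FAILED")

def audit_region(region):
    """Live audit of one region (hypothetical helper; requires boto3 and credentials)."""
    import boto3  # imported lazily so the offline sample runs without it
    es = boto3.client("es", region_name=region)
    kms = boto3.client("kms", region_name=region)
    lookup = lambda key_id: kms.describe_key(KeyId=key_id)["KeyMetadata"]
    results = {}
    for entry in es.list_domain_names()["DomainNames"]:
        name = entry["DomainName"]
        status = es.describe_elasticsearch_domain(DomainName=name)["DomainStatus"]
        results[name] = classify_domain(status, lookup)
    return results

ARN = "arn:aws:kms:us-east-1:111122223333:key/"          # constructed account and keys
SAMPLE_KEYS = {ARN + "aaaa-default": {"KeyManager": "AWS"},
               ARN + "bbbb-cmk": {"KeyManager": "CUSTOMER"}}
SAMPLE_DOMAINS = {                                        # constructed DomainStatus records
    "logs-plain": {"EncryptionAtRestOptions": {"Enabled": False}},
    "logs-default-key": {"EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": ARN + "aaaa-default"}},
    "logs-cmk": {"EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": ARN + "bbbb-cmk"}},
    "logs-missing-key": {"EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": ARN + "cccc-gone"}},
}

def audit_sample():
    """Run the classifier over the constructed sample data, fully offline."""
    return {n: classify_domain(s, SAMPLE_KEYS.__getitem__) for n, s in SAMPLE_DOMAINS.items()}

if __name__ == "__main__":
    for name, verdict in audit_sample().items():
        print(f"{name}: {verdict}")
```

Only domains reported as `CUSTOMER_MANAGED_KEY` meet the practice described on this page; `KEY_LOOKUP_FAILED` results need a manual check of the key in the KMS console.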

