Skip to main content

ElasticSearch should use node-to-node encryption

  • GG_ID: GG_IAC_0045
  • Severity: HIGH
  • Complexity: HIGH
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: True


Amazon Elasticsearch is a fully open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis.

Node-to-node encryption provides an additional layer of security on top of the default features of Amazon Elasticsearch Service. It helps ensure that data remains encrypted as Elasticsearch distributes (and redistributes) it throughout the cluster.


If an attacker gets access to the VPC containing the Elasticsearch cluster, they could read the transiting data.

Remediation guidelines#

Enable node-to-node encryption for Elasticsearch. Enabling node-to-node encryption in place for an existing, unencrypted domain requires Elasticsearch version 6.7 or higher. For lower versions, the domain will be recreated, potentially leading to data loss. Enabling node-to-node encryption on new domains requires Elasticsearch version 6.0 or higher.

External documentation#