Compliance · Medium severity

AWS Security Hub · Opensearch

Opensearch.1: OpenSearch domains should encrypt at rest

Written and reviewed by Emnode

What does AWS Security Hub Opensearch.1 check?

Opensearch.1 fails when a domain does not have encryption at rest enabled. The control reads the domain's EncryptionAtRestOptions; a domain whose data, automated snapshots, and logs are not encrypted with a KMS key reports FAILED.

Why does Opensearch.1 matter?

Encryption at rest protects the indexed data on the underlying EBS volumes and in automated snapshots against media-level or backup exposure, and it is a baseline expectation for any auditor reviewing a data store. Because OpenSearch domains often hold logs and operational data laced with PII, an unencrypted volume is a quiet compliance and breach-notification liability.

How do I fix Opensearch.1?

  1. List domains and check EncryptionAtRestOptions to find the unencrypted ones.
  2. Confirm UltraWarm and cold storage are off and the engine is OpenSearch or Elasticsearch 6.7+; both are required before you can enable it.
  3. Enable encryption at rest with update-domain-config, choosing an AWS-owned or customer-managed KMS key.
  4. Add an AWS Config rule so every new domain is created encrypted.

Remediation script · bash

# 1. Find unencrypted data stores across engines (sample: RDS, Redshift, OpenSearch).
aws rds describe-db-instances \
  --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' --output text
aws redshift describe-clusters \
  --query 'Clusters[?Encrypted==`false`].ClusterIdentifier' --output text
# OpenSearch: describe each domain and read EncryptionAtRestOptions.Enabled (step 1 above).
for DOMAIN in $(aws opensearch list-domain-names --query 'DomainNames[].DomainName' --output text); do
  aws opensearch describe-domain --domain-name "$DOMAIN" \
    --query 'DomainStatus.[DomainName,EncryptionAtRestOptions.Enabled]' --output text
done

# 2. Immutable engine (RDS): snapshot, copy WITH a KMS key, restore the new instance.
SRC=prod-orders-db; KEY=alias/db-encryption
aws rds create-db-snapshot --db-instance-identifier "$SRC" --db-snapshot-identifier "${SRC}-snap"
aws rds wait db-snapshot-completed --db-snapshot-identifier "${SRC}-snap"
aws rds copy-db-snapshot \
  --source-db-snapshot-identifier "${SRC}-snap" \
  --target-db-snapshot-identifier "${SRC}-snap-enc" \
  --kms-key-id "$KEY"
aws rds wait db-snapshot-completed --db-snapshot-identifier "${SRC}-snap-enc"
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier "${SRC}-enc" --db-snapshot-identifier "${SRC}-snap-enc"

# 3. In-place engines. Redshift: background migration, run in a maintenance window.
aws redshift modify-cluster --cluster-identifier analytics-prod \
  --encrypted --kms-key-id "$KEY"
# OpenSearch: enable in place via update-domain-config (step 3 above). Requires Elasticsearch 6.7+
# or OpenSearch and cannot be undone once applied. DOMAIN is a placeholder for the failing domain.
DOMAIN=logs-prod
aws opensearch update-domain-config --domain-name "$DOMAIN" \
  --encryption-at-rest-options "Enabled=true,KmsKeyId=$KEY"

# 4. Prevent recurrence: enforce encryption by default for new EBS-backed engines.
aws ec2 enable-ebs-encryption-by-default

Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt AWS databases at rest.
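As an added example (not Emnode's code or the page's script), the Python below applies the Opensearch.1 logic and the step 2 prerequisites to `aws opensearch describe-domain` output, and emits the step 3 command only for domains that are eligible to enable in place. The three sample domains, their names and the key values are constructed placeholders, and the `alias/opensearch-at-rest` key passed in is hypothetical.

```python
# Constructed sample: trimmed `aws opensearch describe-domain` output for three
# hypothetical domains (names and the key ARN are placeholders, not real resources).
SAMPLE_DOMAINS = [
    {"DomainName": "logs-prod", "EngineVersion": "Elasticsearch_6.2",
     "EncryptionAtRestOptions": {"Enabled": False},
     "ClusterConfig": {"WarmEnabled": False, "ColdStorageOptions": {"Enabled": False}}},
    {"DomainName": "search-prod", "EngineVersion": "OpenSearch_2.11",
     "EncryptionAtRestOptions": {"Enabled": False},
     "ClusterConfig": {"WarmEnabled": False, "ColdStorageOptions": {"Enabled": False}}},
    {"DomainName": "metrics-prod", "EngineVersion": "Elasticsearch_7.10",
     "EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"},
     "ClusterConfig": {"WarmEnabled": True, "ColdStorageOptions": {"Enabled": False}}},
]

def evaluate_opensearch_1(domain):
    """Mirror the control: FAILED unless EncryptionAtRestOptions.Enabled is true."""
    return "PASSED" if domain.get("EncryptionAtRestOptions", {}).get("Enabled") else "FAILED"

def engine_supports_in_place_enable(engine_version):
    """Existing domains can switch encryption on only on OpenSearch or Elasticsearch 6.7+ (step 2)."""
    engine, _, version = engine_version.partition("_")
    if engine == "OpenSearch":
        return True
    if engine == "Elasticsearch":
        major, minor = (int(p) for p in version.split(".")[:2])
        return (major, minor) >= (6, 7)
    return False

def plan_remediation(domain, kms_key_id):
    """Return the finding plus either the enable command or the prerequisite that blocks it."""
    name, status = domain["DomainName"], evaluate_opensearch_1(domain)
    if status == "PASSED":
        return {"domain": name, "status": status, "action": None}
    cfg = domain.get("ClusterConfig", {})
    blockers = []
    if not engine_supports_in_place_enable(domain["EngineVersion"]):
        blockers.append("engine %s: upgrade to Elasticsearch 6.7+ or OpenSearch first" % domain["EngineVersion"])
    if cfg.get("WarmEnabled"):
        blockers.append("UltraWarm is enabled")
    if cfg.get("ColdStorageOptions", {}).get("Enabled"):
        blockers.append("cold storage is enabled")
    if blockers:
        return {"domain": name, "status": status, "action": "blocked: " + "; ".join(blockers)}
    # One-way door: once enabled this cannot be disabled, so return the exact command instead of running it.
    cmd = ("aws opensearch update-domain-config --domain-name %s "
           "--encryption-at-rest-options Enabled=true,KmsKeyId=%s" % (name, kms_key_id))
    return {"domain": name, "status": status, "action": cmd}
```

Feed it the `DomainStatus` object from a real `describe-domain` call to get the same verdict Security Hub reports, plus the prerequisite that step 2 asks you to confirm.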

Is Opensearch.1 a false positive?

Encryption at rest is a one-way door: once enabled it cannot be disabled, so teams hesitating to 'try it' should know the only way back is a snapshot-and-migrate to a new domain.

Part of the learning path Encrypt everything
  • Opensearch.2 An OpenSearch domain is reachable from the public internet
  • Opensearch.3 OpenSearch should encrypt node-to-node traffic
  • Opensearch.4 OpenSearch error logging to CW should be enabled
  • Opensearch.5 OpenSearch domains should have audit logging
  • Opensearch.6 OpenSearch domains should have >= 3 data nodes
  • Opensearch.7 OpenSearch has no fine-grained access control
  • Opensearch.8 OpenSearch should use latest TLS policy
  • Opensearch.10 OpenSearch should have latest software update