Opensearch.3: OpenSearch should encrypt node-to-node traffic
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Opensearch.3 check?
Opensearch.3 fails when a domain does not have node-to-node encryption enabled. This is a separate layer from encryption at rest and from endpoint HTTPS — it secures the intra-cluster traffic of shard replication and query distribution between data nodes.
Why does Opensearch.3 matter?
Without node-to-node encryption, data moving between nodes inside the cluster — replicated shards and query results — crosses the network in plaintext. An attacker with a foothold on the VPC network could observe that traffic. Enabling it closes the one transport path that at-rest and endpoint encryption leave untouched.
How do I fix Opensearch.3?
- Read the domain's NodeToNodeEncryptionOptions to confirm it is off.
- Ensure the engine is Elasticsearch 6.0+ or any OpenSearch version, as older 5.x domains cannot support it.
- Enable it with a single update-domain-config flag, expecting a no-downtime blue/green deployment that may take minutes to hours.
- Add a Config rule so new domains are created with it on.
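The four steps above as one runnable shell script, added here as an example and not part of the original page. It assumes a configured AWS CLI with permission to read and update the domain and to create Config rules, and takes the managed Config rule identifier opensearch-node-to-node-encryption-check as given.

```shell
#!/bin/sh
# Added example: read the domain's NodeToNodeEncryptionOptions, enable it when the
# engine supports it, wait out the blue/green deployment, then attach a Config rule.
# Assumes a configured AWS CLI; the managed rule identifier below is taken as given.
set -eu

# Engine versions look like "OpenSearch_2.11" or "Elasticsearch_7.10".
# Node-to-node encryption needs Elasticsearch 6.0+ or any OpenSearch version.
supports_n2n() {
  case "$1" in
    OpenSearch_*) return 0 ;;
    Elasticsearch_*)
      major="${1#Elasticsearch_}"; major="${major%%.*}"
      [ "$major" -ge 6 ] 2>/dev/null ;;
    *) return 1 ;;
  esac
}

# Read one field from describe-domain; booleans come back as "True"/"False" in text output.
domain_field() {
  aws opensearch describe-domain --domain-name "$1" \
    --query "DomainStatus.$2" --output text
}

remediate() {
  domain="$1"
  engine="$(domain_field "$domain" EngineVersion)"
  if [ "$(domain_field "$domain" NodeToNodeEncryptionOptions.Enabled)" = "True" ]; then
    echo "$domain: node-to-node encryption already enabled"; return 0
  fi
  if ! supports_n2n "$engine"; then
    echo "$domain: $engine cannot enable node-to-node encryption; upgrade the engine first" >&2
    return 1
  fi
  # A single flag; the service performs the blue/green deployment behind the scenes.
  aws opensearch update-domain-config --domain-name "$domain" \
    --node-to-node-encryption-options Enabled=true >/dev/null
  # Processing stays True while shards are copied onto the new nodes; that is not a failure.
  while [ "$(domain_field "$domain" Processing)" = "True" ]; do sleep 60; done
  echo "$domain: node-to-node encryption enabled"
}

# Prevent recurrence: the managed rule flags any domain created with encryption off.
add_config_rule() {
  aws configservice put-config-rule --config-rule \
    '{"ConfigRuleName":"opensearch-node-to-node-encryption-check","Source":{"Owner":"AWS","SourceIdentifier":"OPENSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK"}}'
}

# Usage: ./fix-opensearch-3.sh <domain-name>; with no argument only the functions are defined.
if [ -n "${1:-}" ]; then remediate "$1" && add_config_rule; fi
```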
Remediation script · bash
# 1. Find unencrypted databases across engines (sample: RDS, Redshift, OpenSearch).
aws rds describe-db-instances \
--query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier' --output text
aws redshift describe-clusters \
--query 'Clusters[?Encrypted==`false`].ClusterIdentifier' --output text
# 2. Immutable engine (RDS): snapshot, copy WITH a KMS key, restore the new instance.
SRC=prod-orders-db; KEY=alias/db-encryption
aws rds create-db-snapshot --db-instance-identifier $SRC --db-snapshot-identifier ${SRC}-snap
aws rds wait db-snapshot-completed --db-snapshot-identifier ${SRC}-snap
aws rds copy-db-snapshot \
--source-db-snapshot-identifier ${SRC}-snap \
--target-db-snapshot-identifier ${SRC}-snap-enc \
--kms-key-id $KEY
aws rds wait db-snapshot-completed --db-snapshot-identifier ${SRC}-snap-enc
aws rds restore-db-instance-from-db-snapshot \
--db-instance-identifier ${SRC}-enc --db-snapshot-identifier ${SRC}-snap-enc
# 3. In-place engine (Redshift): background migration, run in a maintenance window.
aws redshift modify-cluster --cluster-identifier analytics-prod \
--encrypted --kms-key-id $KEY
# 4. Prevent recurrence: enforce encryption by default for new EBS-backed engines.
aws ec2 enable-ebs-encryption-by-default
Full walkthrough (console steps, edge cases and verification) in the lesson Encrypt AWS databases at rest.
Is Opensearch.3 a false positive?
Because enabling it triggers a blue/green rebuild rather than an instant toggle, teams sometimes assume the change failed when the domain shows Processing for a long time — it is working, just copying every shard across new nodes.
More Opensearch controls
- Opensearch.1 OpenSearch domains should encrypt at rest
- Opensearch.2 An OpenSearch domain is reachable from the public internet
- Opensearch.4 OpenSearch error logging to CW should be enabled
- Opensearch.5 OpenSearch domains should have audit logging
- Opensearch.6 OpenSearch domains should have >= 3 data nodes
- Opensearch.7 OpenSearch has no fine-grained access control
- Opensearch.8 OpenSearch should use latest TLS policy
- Opensearch.10 OpenSearch should have latest software update