Conversation

@curly-review curly-review bot commented May 1, 2025

Issue Details

ID: CRLY.01060
Severity: HIGH
File: sam/cfn/cfn-elasticsearch-domain.json


Remediation Summary

Description

The security finding indicates that data stored in the Elasticsearch domain is not encrypted at rest. This poses a risk as it leaves sensitive data vulnerable to unauthorized access.

Steps

To ensure the data stored in the Elasticsearch domain is securely encrypted at rest, you need to add the EncryptionAtRestOptions property to the AWS::Elasticsearch::Domain resource in your CloudFormation template.

Here is the updated CloudFormation template snippet with the required changes:

"EsDomain": {
    "Type": "AWS::Elasticsearch::Domain",
    "Properties": {
        "AccessPolicies": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": [
                            {
                                "Ref": "AWS::AccountId"
                            }
                        ]
                    },
                    "Action": [
                        "es:*"
                    ],
                    "Resource": {
                        "Fn::Join": [
                            "",
                            [
                                "arn:aws:es:us-east-1:",
                                {
                                    "Ref": "AWS::AccountId"
                                },
                                ":domain/tailor/*"
                            ]
                        ]
                    }
                },
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "*"
                    },
                    "Action": [
                        "es:*"
                    ],
                    "Resource": {
                        "Fn::Join": [
                            "",
                            [
                                "arn:aws:es:us-east-1:",
                                {
                                    "Ref": "AWS::AccountId"
                                },
                                ":domain/tailor/*"
                            ]
                        ]
                    },
                    "Condition": {
                        "IpAddress": {
                            "aws:SourceIp": "132.188.0.0/16"
                        }
                    }
                }
            ]
        },
        "AdvancedOptions": {
            "rest.action.multi.allow_explicit_index": "true"
        },
        "EBSOptions": {
            "EBSEnabled": true,
            "VolumeSize": "20",
            "VolumeType": "gp2"
        },
        "DomainName": "tailor",
        "ElasticsearchClusterConfig": {
            "InstanceCount": 2,
            "InstanceType": "t2.small.elasticsearch",
            "ZoneAwarenessEnabled": true
        },
        "ElasticsearchVersion": "5.1",
        "SnapshotOptions": {
            "AutomatedSnapshotStartHour": 0
        },
        "EncryptionAtRestOptions": {
            "Enabled": true
        },
        "Tags": [
            {
                "Key": "Name",
                "Value": "tailor-es"
            },
            {
                "Key": "app",
                "Value": "tailor"
            },
            {
                "Key": "stack",
                "Value": "prd"
            }
        ]
    }
}
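As an added check (not curly-review's code), a small Python script that applies this finding to a template: it reports AWS::Elasticsearch::Domain (or AWS::OpenSearchService::Domain) resources lacking EncryptionAtRestOptions.Enabled, and it flags t2.* instance types such as the t2.small.elasticsearch above, on which Amazon OpenSearch Service does not support encryption at rest, so the stack update would also need an instance-type change. The BEFORE and AFTER templates are constructed, minimal versions of the EsDomain resource shown in the comment.

```python
"""Static check for the encryption-at-rest finding (added example, not the bot's code)."""
import copy

DOMAIN_TYPES = ("AWS::Elasticsearch::Domain", "AWS::OpenSearchService::Domain")


def _domains(template: dict):
    """Yield (logical_id, properties) for every Elasticsearch/OpenSearch domain."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") in DOMAIN_TYPES:
            yield logical_id, res.get("Properties", {})


def unencrypted_domains(template: dict) -> list:
    """Logical IDs of domains whose EncryptionAtRestOptions.Enabled is not true.
    CloudFormation accepts the boolean as true or as the string "true"."""
    return [
        lid for lid, props in _domains(template)
        if props.get("EncryptionAtRestOptions", {}).get("Enabled") not in (True, "true")
    ]


def t2_domains_with_encryption(template: dict) -> list:
    """(logical_id, instance_type) pairs where encryption at rest is enabled on a
    t2.* instance type. Amazon OpenSearch Service does not support encryption at
    rest on T2 instances, so such a template fails to deploy as written."""
    still_plain = set(unencrypted_domains(template))
    hits = []
    for lid, props in _domains(template):
        if lid in still_plain:
            continue
        # Elasticsearch resources use ElasticsearchClusterConfig, OpenSearch ones ClusterConfig.
        cfg = props.get("ElasticsearchClusterConfig") or props.get("ClusterConfig") or {}
        itype = cfg.get("InstanceType", "")
        if itype.startswith("t2."):
            hits.append((lid, itype))
    return hits


# Constructed minimal templates: the EsDomain resource before and after the fix.
BEFORE = {"Resources": {"EsDomain": {
    "Type": "AWS::Elasticsearch::Domain",
    "Properties": {
        "DomainName": "tailor",
        "ElasticsearchVersion": "5.1",
        "ElasticsearchClusterConfig": {"InstanceCount": 2,
                                       "InstanceType": "t2.small.elasticsearch"},
    }}}}
AFTER = copy.deepcopy(BEFORE)
AFTER["Resources"]["EsDomain"]["Properties"]["EncryptionAtRestOptions"] = {"Enabled": True}
```

Running `unencrypted_domains(BEFORE)` returns `['EsDomain']`, `unencrypted_domains(AFTER)` returns `[]`, and `t2_domains_with_encryption(AFTER)` returns `[('EsDomain', 't2.small.elasticsearch')]`.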
