org.sonar.l10n.py.rules.python.S6308.html Maven / Gradle / Ivy
Amazon OpenSearch Service is a managed service to host OpenSearch instances. It replaces Elasticsearch Service, which has been deprecated.
To harden domain (cluster) data in case of unauthorized access, OpenSearch provides data-at-rest encryption if the engine is OpenSearch (any
version), or Elasticsearch with a version of 5.1 or above. Enabling encryption at rest will help protect:
- indices
- logs
- swap files
- data in the application directory
- automated snapshots
Thus, adversaries cannot access the data if they gain physical access to the storage medium.
Ask Yourself Whether
- The database contains sensitive data that could cause harm when leaked.
- There are compliance requirements for the service to store data encrypted.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to encrypt OpenSearch domains that contain sensitive information.
OpenSearch handles encryption and decryption transparently, so no further modifications to the application are necessary.
Sensitive Code Example
For aws_cdk.aws_opensearchservice.Domain:
from aws_cdk.aws_opensearchservice import Domain, EngineVersion
class DomainStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
Domain(self, "Sensitive",
version=EngineVersion.OPENSEARCH_1_3
) # Sensitive, encryption is disabled by default
For aws_cdk.aws_opensearchservice.CfnDomain:
from aws_cdk.aws_opensearchservice import CfnDomain
class CfnDomainStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
CfnDomain(self, "Sensitive") # Sensitive, encryption is disabled by default
Compliant Solution
For aws_cdk.aws_opensearchservice.Domain:
from aws_cdk.aws_opensearchservice import Domain, EncryptionAtRestOptions, EngineVersion
class DomainStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
Domain(self, "Compliant",
version=EngineVersion.OPENSEARCH_1_3,
encryption_at_rest=EncryptionAtRestOptions(
enabled=True
)
)
For aws_cdk.aws_opensearchservice.CfnDomain:
from aws_cdk.aws_opensearchservice import CfnDomain
class CfnDomainStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
CfnDomain(self, "Compliant",
encryption_at_rest_options=CfnDomain.EncryptionAtRestOptionsProperty(
enabled=True
)
)
See
- AWS Documentation - Encryption of
data at rest for Amazon OpenSearch Service
- CWE - CWE-311 - Missing Encryption of Sensitive Data
- STIG Viewer - Application Security and
Development: V-222588 - The application must implement approved cryptographic mechanisms to prevent unauthorized modification of information at
rest.