How to properly encrypt Elasticsearch instance with KMS


I will use my Rails/MySQL/Elasticsearch for processing some sensitive data, so I want to encrypt my data at rest.

It is clear to me that I can use AWS KMS to encrypt data in MySQL. It’s important for me that this encryption is transparent to my application.

But now I’m concerned about indexes and data gathered by Elasticsearch. Is there a similar way to transparently encrypt data there?

I am interested in solutions both for Elasticsearch-as-an-application as well as AWS Elasticsearch-as-service as I have not decided what I’ll be using.


As I mentioned in the answer to your previous question, AWS does not support encryption-at-rest for the Elasticsearch service at this time. For encryption-in-transit you can use HTTPS connections, as per the AWS Support response to this question:

You can use https for encrypted communication with your domain.

Communication between nodes is not encrypted. The nodes themselves are
hosted within our VPC, and all communication between nodes remains
within it.

If you need encryption-at-rest for Elasticsearch, you will have to set up your own Elasticsearch cluster on EC2 instances, and use encrypted EBS volumes.
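For a self-managed cluster on EC2, the check below confirms that every EBS volume attached to an Elasticsearch node is encrypted, and encrypted under the KMS key you intended. It is an added example, not part of the original answer: it works on data in the shape returned by `aws ec2 describe-volumes`, and the instance IDs, volume IDs and key ARN are constructed placeholders.

```python
# Audit EBS volumes attached to Elasticsearch nodes for encryption at rest.
# Input has the shape of an EC2 DescribeVolumes response; all IDs and the key
# ARN below are constructed placeholders, not real resources.

EXPECTED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-ES-KEY"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OTHER-KEY"
ES_NODES = {"i-EXAMPLE-es1", "i-EXAMPLE-es2"}  # assumed: instance IDs of the ES nodes

SAMPLE = {"Volumes": [
    {"VolumeId": "vol-EXAMPLE-data1", "Encrypted": True, "KmsKeyId": EXPECTED_KEY,
     "Attachments": [{"InstanceId": "i-EXAMPLE-es1", "Device": "/dev/sdf"}]},
    # Root volume of an ES node: logs and temp files can land here too.
    {"VolumeId": "vol-EXAMPLE-root1", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-EXAMPLE-es1", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-EXAMPLE-data2", "Encrypted": True, "KmsKeyId": OTHER_KEY,
     "Attachments": [{"InstanceId": "i-EXAMPLE-es2", "Device": "/dev/sdf"}]},
    # Belongs to an unrelated instance, so it is out of scope for this audit.
    {"VolumeId": "vol-EXAMPLE-web", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-EXAMPLE-web", "Device": "/dev/xvda"}]},
]}


def audit_volumes(response, es_instance_ids, expected_kms_key_arn=None):
    """Return (volume_id, instance_id, reason) for each failing ES-node volume.

    A volume fails if it is unencrypted, or, when expected_kms_key_arn is
    given, if it is encrypted under a different KMS key.
    """
    findings = []
    for vol in response.get("Volumes", []):
        for att in vol.get("Attachments", []):
            inst = att.get("InstanceId")
            if inst not in es_instance_ids:
                continue
            if not vol.get("Encrypted", False):
                findings.append((vol["VolumeId"], inst, "unencrypted"))
            elif expected_kms_key_arn and vol.get("KmsKeyId") != expected_kms_key_arn:
                findings.append((vol["VolumeId"], inst, "unexpected-kms-key"))
    return findings


if __name__ == "__main__":
    for volume_id, instance_id, reason in audit_volumes(SAMPLE, ES_NODES, EXPECTED_KEY):
        print(f"{instance_id} {volume_id}: {reason}")
```

Root volumes are included on purpose, since an encrypted data volume does not cover logs or temporary files written elsewhere on the node.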
