OpenSearch domains should have encryption at rest enabled
OpenSearch domains commonly store search indices, log aggregations, and analytics datasets containing PII, financial records, or security telemetry. Without encryption at rest, this data sits unprotected on underlying EBS volumes and in automated snapshots, exposed to physical media compromise or unauthorized storage-layer access.
The setting is fixed when the domain is created: a domain provisioned without it has to be replaced and its data reindexed. Enforcing the control at provisioning time is far cheaper than remediating later, particularly for domains holding terabytes of indexed data and complex access policies.
Retrofit consideration
Encryption at rest cannot be enabled on an existing OpenSearch domain. You must delete and recreate it, which means reindexing all data. Plan for downtime, snapshot-based migration, and updated domain endpoint references across every consumer.
Implementation
Choose the approach that matches how you manage Terraform.
This control is enforced automatically with Compliance.tf modules.
If you use terraform-aws-modules/opensearch/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
In the aws_opensearch_domain resource, an encrypt_at_rest block must be present with enabled set to true. The control fails if the block is omitted or if enabled is false. The optional kms_key_id argument takes the ARN of a customer-managed KMS key; without it the domain uses the AWS-managed key (alias aws/es). The control does not require a specific key type, only that encryption is active. Teams migrating from the deprecated aws_elasticsearch_domain resource will find the same block structure applies, but switching to aws_opensearch_domain is recommended.
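As an added example (not code from the original page or from the compliance.tf modules), here is a minimal aws_opensearch_domain that passes the control. The domain name, engine version, instance sizing and the variable name are assumptions; the encrypt_at_rest block is the part the control evaluates. The variable validation rejects t2 instance types up front and the lifecycle block turns an accidental destroy-and-recreate into a plan error.

```hcl
# Added example, not the page's own code. Names, sizes and engine version are assumptions.

variable "instance_type" {
  type    = string
  default = "t3.small.search"

  # Reject t2 at plan time: t2 instance types cannot be used with encryption at rest,
  # and the failure otherwise only surfaces when AWS rejects the CreateDomain call.
  validation {
    condition     = !startswith(var.instance_type, "t2.")
    error_message = "t2 instance types do not support encryption at rest; use t3 or newer."
  }
}

resource "aws_opensearch_domain" "logs" {
  domain_name    = "app-logs"        # assumption
  engine_version = "OpenSearch_2.11" # assumption

  cluster_config {
    instance_type  = var.instance_type
    instance_count = 2
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "gp3"
    volume_size = 20
  }

  # The setting this control evaluates. Omitting the block, or enabled = false, fails it.
  # With no kms_key_id the AWS-managed key (alias aws/es) is used; supply the ARN of a
  # customer-managed key here to use your own key instead.
  encrypt_at_rest {
    enabled = true
  }

  lifecycle {
    # Guard rail: if a future change would replace the domain (and with it the indexed
    # data), make terraform plan fail instead of silently scheduling a destroy-and-recreate.
    prevent_destroy = true
  }
}
```

The startswith function needs Terraform 1.3 or later. With prevent_destroy set, any plan that would replace the domain stops with an error naming the resource, which is the moment to take a manual snapshot and decide on a migration rather than letting apply run.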
Common pitfalls
Immutable setting requires domain recreation
Adding encrypt_at_rest { enabled = true } to an existing aws_opensearch_domain that was created without it makes Terraform plan a destroy-and-recreate, which means full data loss unless you take a manual snapshot first. This is an immutable property with no in-place upgrade path. Before applying to any live domain, read the terraform plan output for the `# forces replacement` annotation on the domain resource.
Unsupported instance types
t2 instance types (t2.micro.search, t2.small.search, t2.medium.search) don't support encryption at rest. Setting instance_type to any of them causes domain creation to fail even with encrypt_at_rest { enabled = true } in the config, and Terraform only surfaces the error at apply time. Use t3 or a newer instance family.
KMS key policy must grant OpenSearch access
When specifying a customer-managed key via kms_key_id, the key policy must allow kms:Decrypt, kms:GenerateDataKey, kms:DescribeKey, and kms:CreateGrant for OpenSearch. Depending on your policy design, grant these to the OpenSearch service principal (es.amazonaws.com), the service-linked role (AWSServiceRoleForAmazonOpenSearchService), or both. The service-linked role is only created when the first domain in the account is created, and KMS rejects a key policy that names an IAM principal that does not yet exist, so create the role first if the policy references it. A missing permission fails domain creation with a generic KMS error that doesn't identify which action is blocked.
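As an added example (not code from the original page or from the compliance.tf modules), here is a customer-managed key whose policy grants the four actions above to both the OpenSearch service principal and the service-linked role, with the role created explicitly so the policy can reference it. The key alias, resource names and the 30-day deletion window are assumptions.

```hcl
# Added example, not the page's own code. Alias and resource names are assumptions.

data "aws_caller_identity" "current" {}

# Create the service-linked role explicitly so the key policy can name it as a principal.
# It is otherwise created on first domain creation, and KMS rejects a key policy that
# references an IAM principal that does not exist yet.
resource "aws_iam_service_linked_role" "opensearch" {
  aws_service_name = "opensearchservice.amazonaws.com"
}

data "aws_iam_policy_document" "opensearch_key" {
  # Keep the account's IAM administrators able to manage the key; without this
  # statement the key becomes unmanageable.
  statement {
    sid       = "AccountKeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # The permissions OpenSearch needs to generate and unwrap the domain's data keys.
  statement {
    sid = "AllowOpenSearchUseOfTheKey"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKey",
      "kms:DescribeKey",
      "kms:CreateGrant",
    ]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["es.amazonaws.com"]
    }

    principals {
      type        = "AWS"
      identifiers = [aws_iam_service_linked_role.opensearch.arn]
    }
  }
}

resource "aws_kms_key" "opensearch" {
  description             = "Encryption at rest for OpenSearch domains"
  enable_key_rotation     = true
  deletion_window_in_days = 30 # assumption
  policy                  = data.aws_iam_policy_document.opensearch_key.json
}

resource "aws_kms_alias" "opensearch" {
  name          = "alias/opensearch-at-rest" # assumption
  target_key_id = aws_kms_key.opensearch.key_id
}

# Wire the key into the domain resource:
#   encrypt_at_rest {
#     enabled    = true
#     kms_key_id = aws_kms_key.opensearch.arn
#   }
```

If the service-linked role already exists in the account, import it into state instead of creating it, otherwise the apply fails on the role before it reaches the key. Key policies are evaluated as a whole, so a policy that grants only the service principal will still fail if the service-linked role is the identity that actually calls KMS in your account; granting both avoids the opaque creation-time error.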
Legacy aws_elasticsearch_domain resource
The deprecated aws_elasticsearch_domain resource uses the same encrypt_at_rest block, but moving a domain to aws_opensearch_domain requires a state move (terraform state mv) so that Terraform does not plan to destroy the old resource and create a new one. After the move, terraform plan should show no replacement. Plan the resource migration and encryption enforcement together rather than tackling them separately.
Audit evidence
An auditor expects Config rule results for the managed rule OPENSEARCH_ENCRYPTED_AT_REST (opensearch-encrypted-at-rest) showing compliant evaluations across all OpenSearch domains. Also useful: the OpenSearch domain configuration page in the AWS Console showing 'Encryption at rest: Enabled' with the associated KMS key ARN, or the output of aws opensearch describe-domain --domain-name <name>, where DomainStatus.EncryptionAtRestOptions.Enabled must be true and KmsKeyId identifies the key in use.
CloudTrail events for CreateDomain and any later UpdateDomainConfig calls show that encryption was specified at creation time and has not been altered since. Historical pass results from Security Hub or a CSPM tool add a continuous-compliance signal to the evidence package.
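As an added example (not code from the original page or from the compliance.tf modules), here is how the managed rule the evidence section relies on is deployed with Terraform. It assumes an AWS Config recorder and delivery channel already exist in the account and region; the rule names are assumptions. The second rule is the sibling managed rule for domains AWS Config records under the older AWS::Elasticsearch::Domain resource type.

```hcl
# Added example, not the page's own code. Assumes a Config recorder and delivery channel
# are already set up in this account and region; rule names are assumptions.

resource "aws_config_config_rule" "opensearch_encrypted_at_rest" {
  name        = "opensearch-encrypted-at-rest"
  description = "NON_COMPLIANT when an OpenSearch domain has encryption at rest disabled."

  source {
    owner             = "AWS"
    source_identifier = "OPENSEARCH_ENCRYPTED_AT_REST"
  }

  scope {
    compliance_resource_types = ["AWS::OpenSearch::Domain"]
  }
}

# Domains recorded under the older resource type are evaluated by the sibling rule.
# Enable both if the account still has domains managed as aws_elasticsearch_domain.
resource "aws_config_config_rule" "elasticsearch_encrypted_at_rest" {
  name        = "elasticsearch-encrypted-at-rest"
  description = "NON_COMPLIANT when a legacy Elasticsearch domain has encryption at rest disabled."

  source {
    owner             = "AWS"
    source_identifier = "ELASTICSEARCH_ENCRYPTED_AT_REST"
  }

  scope {
    compliance_resource_types = ["AWS::Elasticsearch::Domain"]
  }
}
```

The evaluation history these rules accumulate is the continuous-compliance evidence an auditor asks for; the describe-domain output and the CloudTrail CreateDomain event are point-in-time corroboration for a specific domain.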
Framework-specific interpretation
PCI DSS v4.0: Requirement 3.5 (3.5.1) requires PAN to be rendered unreadable anywhere it is stored, and Requirements 3.6 and 3.7 cover protection and management of the keys used to do so. For OpenSearch domains that may index cardholder data, encryption at rest addresses the storage-layer piece of 3.5.1, while the key management practices under 3.6 and 3.7 need separate attention.
HIPAA Omnibus Rule 2013: 45 CFR 164.312(a)(2)(iv) lists encryption and decryption as an addressable implementation specification under the Access Control standard of the technical safeguards. For OpenSearch domains indexing or analyzing health data, enabling encryption at rest addresses this specification. KMS-backed keys also provide the access controls and the CloudTrail audit trail HIPAA auditors expect to see.
ISO/IEC 27001:2022: A.8.24 (Use of cryptography) expects defined rules for the effective use of cryptography, including key management, and evidence that they are applied. Encryption at rest on OpenSearch domains is one of the artifacts auditors check against this control during certification assessments, confirming that the cryptographic policy extends to data stores.
GDPR: Article 32 names encryption as an example of an appropriate technical measure but does not mandate it; what it requires is measures proportionate to the risk. For OpenSearch domains indexing personal data of EU residents, encrypting at rest limits exposure from a storage-layer breach and gives the controller something concrete to point to when demonstrating compliance.
NIST SP 800-53 Rev 5: SC-28 (Protection of Information at Rest) requires protecting the confidentiality and integrity of information at rest, and enhancement SC-28(1) calls for cryptographic protection. KMS-backed OpenSearch encryption implements SC-28(1) for the storage layer directly.
NIST Cybersecurity Framework v2.0: PR.DS (Data Security) in the Protect function, specifically PR.DS-01 (the confidentiality, integrity, and availability of data-at-rest are protected), covers this control. Encrypting OpenSearch storage prevents unauthorized disclosure if the underlying media is compromised or improperly decommissioned.
FedRAMP Moderate Baseline Rev 4: SC-28 and its enhancement SC-28(1) are in the Moderate baseline, inherited from the NIST SP 800-53 Rev 4 control set, and apply to any system processing federal information, including OpenSearch domains. KMS-backed encryption is how this control is typically met.