EncryptionAtRestOptions

class aws_cdk.aws_opensearchservice.EncryptionAtRestOptions(*, enabled=None, kms_key=None)

Bases: object

Whether the domain should encrypt data at rest, and if so, the AWS Key Management Service (KMS) key to use.

Can only be used to create a new domain, not update an existing one. Requires Elasticsearch version 5.1 or later or OpenSearch version 1.0 or later.

Parameters
  • enabled (Optional[bool]) – Specify true to enable encryption at rest. Default: - encryption at rest is disabled.

  • kms_key (Optional[IKey]) – Supply if using KMS key for encryption at rest. Default: - uses default aws/es KMS key.

ExampleMetadata

infused

Example:

domain = Domain(self, "Domain",
    version=EngineVersion.OPENSEARCH_1_0,
    enforce_https=True,
    node_to_node_encryption=True,
    encryption_at_rest=EncryptionAtRestOptions(
        enabled=True
    ),
    fine_grained_access_control=AdvancedSecurityOptions(
        master_user_name="master-user"
    ),
    logging=LoggingOptions(
        audit_log_enabled=True,
        slow_search_log_enabled=True,
        app_log_enabled=True,
        slow_index_log_enabled=True
    )
)

Attributes

enabled

Specify true to enable encryption at rest.

Default
  • encryption at rest is disabled.

Return type

Optional[bool]

kms_key

Supply if using KMS key for encryption at rest.

Default
  • uses default aws/es KMS key.

Return type

Optional[IKey]