Amazon Elasticsearch Service
Developer Guide (API Version 2015-01-01)

Encryption of Data at Rest for Amazon Elasticsearch Service

Amazon ES domains offer encryption of data at rest, a security feature that helps prevent unauthorized access to your data. The feature uses AWS Key Management Service (KMS) to store and manage your encryption keys. If enabled, it encrypts the following aspects of a domain:

  • Indices

  • Automated snapshots

  • Elasticsearch logs

  • Swap files

  • All other data in the application directory

The following are not encrypted when you enable encryption of data at rest, but you can take additional steps to protect them:

To learn how to create KMS master keys, see Creating Keys in the AWS Key Management Service Developer Guide.

Enabling Encryption of Data at Rest

By default, domains do not encrypt data at rest, and you can't configure existing domains to use the feature. To enable the feature, you must create another domain and migrate your data. Encryption of data at rest requires Elasticsearch 5.1 or newer.

To use the Amazon ES console to create a domain that encrypts data at rest, you need read-only permissions to KMS, such as the following identity-based policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

If you want to use a key other than (Default) aws/es, you must also have permissions to create grants for the key. These permissions typically take the form of a resource-based policy that you specify when you create the key. To learn more, see Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide.
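The permission check described above, as an added Python example that is not part of the Amazon ES documentation or of any AWS tool: it evaluates a single identity policy the way IAM does at a basic level (an explicit Deny wins, otherwise an implicit deny) and reports which read-only KMS actions the policy fails to grant. The page names only the kms:List* and kms:Describe* patterns, so ListKeys, ListAliases and DescribeKey are assumed here as representative read-only calls, and kms:CreateGrant is used to show that the read-only policy alone is not enough for a key other than aws/es. Conditions, NotAction and NotResource are deliberately not modelled.

```python
import fnmatch
import json

# The read-only KMS identity policy from the page, copied verbatim.
KMS_READONLY_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Action": [ "kms:List*", "kms:Describe*" ], "Resource": "*" } ] }
""")

# Representative read-only KMS calls a console might issue. These are an
# assumption for this example; the page only states the two wildcard patterns.
CONSOLE_KMS_ACTIONS = ("kms:ListKeys", "kms:ListAliases", "kms:DescribeKey")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case):
    """IAM-style wildcard match ('*' and '?'); action names compare case-insensitively."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def policy_allows(policy, action, resource="*"):
    """Decide one action/resource pair against one identity policy.

    Evaluation order (simplified IAM): any matching Deny statement wins;
    otherwise the result is True only if some Allow statement matches.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(_matches(p, action, True) for p in _as_list(stmt.get("Action")))
        resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_console_permissions(policy, actions=CONSOLE_KMS_ACTIONS):
    """Return the KMS actions the policy does not grant; an empty list means the console prerequisite is met."""
    return [a for a in actions if not policy_allows(policy, a)]


if __name__ == "__main__":
    print("missing for console:", missing_console_permissions(KMS_READONLY_POLICY))
    # A non-default key also needs grant permissions, which the read-only policy lacks.
    print("can create grants:", policy_allows(KMS_READONLY_POLICY, "kms:CreateGrant"))
```

Run it against the policy you attach to the console user; an empty list from missing_console_permissions means the read-only prerequisite is met, while a False from the kms:CreateGrant check is the reminder that a customer-managed key additionally needs a key policy granting the grant permissions.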

Disabling Encryption of Data at Rest

After you configure a domain to encrypt data at rest, you can't disable the setting. Instead, you can take a manual snapshot of the existing domain, create another domain, migrate your data, and delete the old domain.

Monitoring Domains That Encrypt Data at Rest

Domains that encrypt data at rest have two additional metrics: KMSKeyError and KMSKeyInaccessible. For full descriptions of these metrics, see Cluster Metrics. You can view them using the Amazon ES console or Amazon CloudWatch.

Each metric represents a significant problem for a domain, so we recommend that you create CloudWatch alarms for both. For more information, see Recommended CloudWatch Alarms.
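The enabling rules (no in-place enablement, Elasticsearch 5.1 or newer) and the alarm recommendation above, as one added Python example that is not part of the Amazon ES documentation: it classifies domains from a constructed DescribeElasticsearchDomains-style listing into encrypted, unencrypted-but-eligible, and below 5.1 (where only a new 5.1+ domain can be encrypted), and builds put_metric_alarm keyword arguments for the KMSKeyError and KMSKeyInaccessible metrics. Assumed here: the AWS/ES namespace with DomainName and ClientId dimensions, a Maximum statistic with a threshold of 1 over one minute, and the sample domain names, key ARN, account ID and SNS topic; boto3 is never called, so the block runs offline.

```python
MIN_VERSION = (5, 1)  # encryption of data at rest requires Elasticsearch 5.1 or newer

# Constructed sample shaped like DescribeElasticsearchDomains output; not real domains.
SAMPLE_DOMAINS = [
    {"DomainName": "logs-prod", "ElasticsearchVersion": "6.2",
     "EncryptionAtRestOptions": {"Enabled": True,
                                 "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
    {"DomainName": "search-legacy", "ElasticsearchVersion": "2.3",
     "EncryptionAtRestOptions": {"Enabled": False}},
    {"DomainName": "search-new", "ElasticsearchVersion": "5.5",
     "EncryptionAtRestOptions": {"Enabled": False}},
]


def parse_version(version):
    """'6.2' -> (6, 2). Assumes the plain major.minor form Amazon ES reports."""
    return tuple(int(p) for p in version.split(".")[:2])


def audit_domain(domain):
    """Classify one domain and state the only remediation the service allows."""
    name = domain["DomainName"]
    enc = domain.get("EncryptionAtRestOptions", {})
    if enc.get("Enabled"):
        return {"DomainName": name, "status": "encrypted", "KmsKeyId": enc.get("KmsKeyId"),
                "action": "alarm on KMSKeyError and KMSKeyInaccessible; never delete the key"}
    if parse_version(domain["ElasticsearchVersion"]) < MIN_VERSION:
        return {"DomainName": name, "status": "unencrypted-version-too-old", "KmsKeyId": None,
                "action": "create a new domain on Elasticsearch 5.1+ with encryption enabled and migrate"}
    return {"DomainName": name, "status": "unencrypted", "KmsKeyId": None,
            "action": "encryption cannot be enabled in place; create a new encrypted domain and migrate"}


def audit(domains):
    return [audit_domain(d) for d in domains]


def kms_alarms(domain_name, account_id, sns_topic_arn):
    """Build the two recommended alarms as put_metric_alarm keyword arguments (assumed shape)."""
    alarms = []
    for metric in ("KMSKeyError", "KMSKeyInaccessible"):
        alarms.append({
            "AlarmName": f"{domain_name}-{metric}",
            "Namespace": "AWS/ES",
            "MetricName": metric,
            # ClientId is the account ID that owns the domain (assumed dimension set).
            "Dimensions": [{"Name": "DomainName", "Value": domain_name},
                           {"Name": "ClientId", "Value": account_id}],
            "Statistic": "Maximum",
            "Period": 60,
            "EvaluationPeriods": 1,
            "Threshold": 1,
            "ComparisonOperator": "GreaterThanOrEqualToThreshold",
            "AlarmActions": [sns_topic_arn],
        })
    return alarms


if __name__ == "__main__":
    for finding in audit(SAMPLE_DOMAINS):
        print(finding["DomainName"], finding["status"], "->", finding["action"])
    for alarm in kms_alarms("logs-prod", "111122223333",
                            "arn:aws:sns:us-east-1:111122223333:EXAMPLE-TOPIC"):
        # To apply: boto3.client("cloudwatch").put_metric_alarm(**alarm)  (not run here)
        print(alarm["AlarmName"], alarm["MetricName"])
```

Feed audit() the Domainstatuslist from a real DescribeElasticsearchDomains call and the "encrypted" findings are the domains that need both alarms; the threshold of 1 reflects that any non-zero value of either metric already means the domain cannot reach its key.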

Other Considerations

  • If you delete the key that you used to encrypt a domain, the domain becomes inaccessible. The Amazon ES team can't help you recover your data. AWS Key Management Service deletes master keys only after a waiting period of at least seven days, so the Amazon ES team might contact you if they detect that your domain is at risk.

  • Automatic key rotation preserves the properties of your KMS master keys, so the rotation has no effect on your ability to access your Elasticsearch data. Encrypted Amazon ES domains do not support manual key rotation, which involves creating a new master key and updating any references to the old key. To learn more, see Rotating Customer Master Keys in the AWS Key Management Service Developer Guide.

  • Certain instance types do not support encryption of data at rest. For details, see Supported Instance Types.

  • Encryption of data at rest is not available in the cn-northwest-1 (Ningxia) region.

  • Kibana still works on domains that encrypt data at rest.

  • Domains that encrypt data at rest use a different repository name for their automated snapshots. To learn more, see Restoring Snapshots.

  • Encrypting an Amazon ES domain requires two grants, and each encryption key has a limit of 500 grants per principal. This limit means that the maximum number of Amazon ES domains you can encrypt using a single key is 250. At present, Amazon ES supports a maximum of 100 domains per account, so this grant limit is of no consequence. If the domain limit per account increases, however, the grant limit might become relevant.

    If you need to encrypt more than 250 domains at that time, you can create additional keys. Keys are regional, not global, so if you operate in more than one region, you already need multiple keys.