Reputation: 1024
I'm trying to use AWS Elasticsearch with "Encryption at Rest". I configured this setting while creating the Elasticsearch domain in Elasticsearch services in AWS.
Let's consider there are two users named A and B. I have created the KMS access policy where
User A has permission to perform both es:* and kms:* actions
User B has permission to perform only es:* but not kms:* actions.
Here, when the ES client indexes and searches some data as User A, it works. When the ES client indexes and searches some data as User B, it also works. But I expect this to fail, as User B doesn't have access to kms:encrypt or kms:decrypt and other kms actions.
Any leads would be greatly appreciated.
Upvotes: 3
Views: 846
Reputation: 890
The "Encryption at Rest" is more of a systemic feature than a user-based one. The IAM Role used for Encryption at Rest applies more to the Service and is not meant to be used as an access control for users.
Hope this clears up the confusion here.
Upvotes: 3
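The behaviour described in the answer, as an added example that is not part of either post: a simplified IAM evaluation showing which action is checked against the caller for an index or search request. The two policies are constructed from the question's description, and the model assumes identity policies only (no resource policy, no conditions).

```python
from fnmatch import fnmatchcase

# Constructed identity policies mirroring the question:
# User A has es:* and kms:*, User B has es:* only.
POLICIES = {
    "UserA": [{"Effect": "Allow", "Action": ["es:*", "kms:*"]}],
    "UserB": [{"Effect": "Allow", "Action": ["es:*"]}],
}

# A signed HTTP request to the domain endpoint is authorized as an
# es:ESHttp* action for the caller. Encryption at rest happens below this
# layer, performed by the service, so no kms: action is evaluated here.
HTTP_TO_ACTION = {
    "GET": "es:ESHttpGet", "POST": "es:ESHttpPost", "PUT": "es:ESHttpPut",
    "DELETE": "es:ESHttpDelete", "HEAD": "es:ESHttpHead",
}


def is_allowed(principal, action):
    """Simplified IAM evaluation: explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in POLICIES.get(principal, []):
        # IAM action names are case-insensitive and support the * wildcard.
        if any(fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def client_request(principal, method):
    """Return (action checked for the caller, decision) for a domain request."""
    action = HTTP_TO_ACTION[method]
    return action, is_allowed(principal, action)


if __name__ == "__main__":
    for user in ("UserA", "UserB"):
        print(user, "index :", client_request(user, "PUT"))
        print(user, "search:", client_request(user, "POST"))
        # Only a direct call to KMS would be checked against kms: permissions.
        print(user, "direct kms:Decrypt:", is_allowed(user, "kms:Decrypt"))
```

Restricting what User B can do on the domain therefore means scoping the es:ESHttp* actions, not the kms: ones.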