Amazon Elasticsearch Service | Security Flashcards

1
Q

Will the cluster have any downtime when logging is turned on or off?

Security

Amazon Elasticsearch Service | Analytics

A

No. There will not be any downtime. Every time the log status is updated, we will deploy a new cluster in the background and replace the existing cluster with the new one. This process will not cause any downtime. However, since a new cluster is deployed, the update to the log status will not be instantaneous.

2
Q

How can I secure my Amazon Elasticsearch Service domain?


A

If you use VPC to secure your applications, data, and network traffic, you can set up VPC access for Amazon Elasticsearch Service, which allows you to control network access using your VPC security groups. You can also use IAM-based policies for fine-grained control over which IAM roles can perform administrative tasks, use the Elasticsearch APIs, and access the resources in the domain down to the index level.

If you want to make your Amazon Elasticsearch Service domain accessible from the Internet, you can specify public access. With public access, you can control access to the endpoint by IP address and require authentication using IAM roles. IAM policies can control access to Amazon Elasticsearch domains and sub-resources such as indices within the domains.

IAM policies can also be set up to control access to the management API for operations such as creating and scaling clusters, and to the Elasticsearch API for operations such as uploading documents and executing Elasticsearch requests.

3
Q

Can I encrypt my data at rest while using Amazon Elasticsearch Service?


A

Amazon Elasticsearch Service provides an option that allows you to encrypt your data using keys you manage through AWS Key Management Service (KMS). If enabled, all of your data stored at rest in the underlying storage systems is encrypted, including primary and replica indices, log files, memory swap files, and automated S3 snapshots. Amazon Elasticsearch Service handles encryption and decryption seamlessly, so you don’t have to modify your application to access your data. You can choose to enable encryption when you create new domains via the AWS Management Console or API. Amazon Elasticsearch Service can create a KMS master key for you, or you can choose one of your own. Encryption at rest supports both Amazon Elastic Block Store (EBS) and instance storage.

For more information about the use of AWS KMS with Amazon Elasticsearch Service, see the Amazon Elasticsearch Service Developer Guide. To learn more about AWS KMS, visit the web page.

4
Q

How can I set up the VPC access for Amazon Elasticsearch Service?


A

You configure VPC access when creating an Amazon Elasticsearch Service domain. VPC access can be set up via a few clicks in the console or via our CLI and APIs. For more details, see the Amazon Elasticsearch Service Developer Guide.
