AWS OpenSearch created with insufficient encryption settings
Description
AlphaSOC detected that an AWS OpenSearch domain was created without proper encryption settings. This configuration may expose sensitive data to potential unauthorized access and security risks.
Impact
Threat actors can exploit unencrypted or weakly encrypted AWS OpenSearch domains to access sensitive information stored within your search clusters. This may result in data breaches, regulatory compliance violations, and reputational damage. Adversaries could potentially intercept data transmissions or access stored data if encryption at rest is not enabled.
Severity
| Severity | Condition |
|---|---|
| Low | AWS OpenSearch created with insufficient encryption settings |
Investigation and Remediation
Begin by reviewing the AWS OpenSearch domain configuration in CloudTrail logs to verify the encryption settings and determine if the domain was created by an authorized user. If the creation was unauthorized, immediately disable the IAM credentials used, investigate the scope of compromise, and review CloudTrail logs for other suspicious activities.
If the domain creation was authorized but lacks proper encryption, immediately update the domain to enable encryption at rest and enforce HTTPS for all endpoints. Additionally, audit all existing OpenSearch domains to identify and remediate any other instances with insufficient encryption.
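As an added example (not AlphaSOC's detection logic or any AWS-provided code), the following Python check evaluates the encryption settings carried in the requestParameters of a CloudTrail CreateDomain event against the baseline above: encryption at rest, node-to-node encryption, enforced HTTPS and a TLS 1.2 minimum. The CloudTrail field names are assumed to mirror the OpenSearch API request, and the sample event is constructed.

```python
"""Assess whether an OpenSearch domain's encryption settings are sufficient.

Works on the requestParameters of a CloudTrail CreateDomain event. The field
names are assumed to mirror the API request; the sample event is constructed.
"""
import json

# Constructed sample: a CreateDomain call that leaves every encryption option off.
SAMPLE_EVENT = json.loads("""{
  "eventSource": "es.amazonaws.com",
  "eventName": "CreateDomain",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
  "requestParameters": {
    "domainName": "search-logs",
    "encryptionAtRestOptions": {"enabled": false},
    "nodeToNodeEncryptionOptions": {"enabled": false},
    "domainEndpointOptions": {"enforceHTTPS": false,
                              "tLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"}
  }
}""")

# (finding label, predicate that is True only when the setting is acceptable).
# A missing option is treated as unsafe rather than assumed to be secure.
CHECKS = [
    ("encryption at rest disabled",
     lambda p: p.get("encryptionAtRestOptions", {}).get("enabled") is True),
    ("node-to-node encryption disabled",
     lambda p: p.get("nodeToNodeEncryptionOptions", {}).get("enabled") is True),
    ("HTTPS not enforced",
     lambda p: p.get("domainEndpointOptions", {}).get("enforceHTTPS") is True),
    ("TLS policy does not require TLS 1.2 or higher",
     lambda p: str(p.get("domainEndpointOptions", {}).get("tLSSecurityPolicy", ""))
     .startswith("Policy-Min-TLS-1-2")),
]

def assess_encryption(params):
    """Return the insufficient-encryption findings for one domain's request parameters."""
    return [label for label, acceptable in CHECKS if not acceptable(params)]

def evaluate_event(event):
    """Return a finding for an OpenSearch CreateDomain event with weak encryption, else None."""
    if event.get("eventSource") != "es.amazonaws.com" or event.get("eventName") != "CreateDomain":
        return None
    params = event.get("requestParameters", {})
    findings = assess_encryption(params)
    if not findings:
        return None
    return {"domain": params.get("domainName"),
            "actor": event.get("userIdentity", {}).get("arn"),
            "findings": findings}
```

The same `assess_encryption` check can be run over the `DomainConfig` returned when auditing existing domains, once the keys are mapped from the API's PascalCase response fields.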