
Encryption of data at rest for Amazon OpenSearch Service

OpenSearch Service domains offer encryption of data at rest, a security feature that helps prevent unauthorized access to your data. The feature uses Amazon Key Management Service (Amazon KMS) to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) to perform the encryption. If enabled, the feature encrypts the following aspects of a domain:

  • All indices (including those in UltraWarm storage)

  • OpenSearch logs

  • Swap files

  • All other data in the application directory

  • Automated snapshots

The following are not encrypted when you enable encryption of data at rest, but you can take additional steps to protect them:

  • Manual snapshots: You currently can't use Amazon KMS keys to encrypt manual snapshots. You can, however, use server-side encryption with S3-managed keys or KMS keys to encrypt the bucket you use as a snapshot repository. For instructions, see Registering a manual snapshot repository.

  • Slow logs and error logs: If you publish logs and want to encrypt them, you can encrypt their CloudWatch Logs log group using the same Amazon KMS key as the OpenSearch Service domain. For more information, see Encrypt log data in CloudWatch Logs using Amazon KMS in the Amazon CloudWatch Logs User Guide.

OpenSearch Service supports only symmetric KMS keys, not asymmetric ones. To learn how to create symmetric keys, see Creating keys in the Amazon Key Management Service Developer Guide.

Regardless of whether encryption at rest is enabled, all domains automatically encrypt custom packages using AES-256 and OpenSearch Service-managed keys.


To use the OpenSearch Service console to configure encryption of data at rest, you must have read permissions to Amazon KMS, such as the following identity-based policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:List*",
        "kms:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

If you want to use a key other than the Amazon owned key, you must also have permissions to create grants for the key. These permissions typically take the form of a resource-based policy that you specify when you create the key.

If you want to keep your key exclusive to OpenSearch Service, you can add the kms:ViaService condition to that key policy:

"Condition": {
  "StringEquals": {
    "kms:ViaService": "es.us-west-1.amazonaws.com"
  },
  "Bool": {
    "kms:GrantIsForAWSResource": "true"
  }
}

For more information, see Using key policies in Amazon KMS in the Amazon Key Management Service Developer Guide.
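The following script is an added example (not code from the AWS documentation) that audits a KMS key policy before the key is attached to a domain: it checks that the key is symmetric, which is the only kind OpenSearch Service accepts, and that every non-root statement allowing grant creation carries the kms:ViaService and kms:GrantIsForAWSResource conditions shown above. The account id, role name, key spec and policy are constructed sample values.

```python
"""Audit a KMS key policy intended for OpenSearch Service encryption at rest.
Added example, not code from the AWS documentation; all ids are constructed."""
import fnmatch
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def grant_statement_is_scoped(statement, region):
    """True if the statement pins grants to the OpenSearch Service endpoint
    for this Region and to grants created on behalf of an AWS resource."""
    cond = statement.get("Condition", {})
    via = cond.get("StringEquals", {}).get("kms:ViaService")
    for_aws = cond.get("Bool", {}).get("kms:GrantIsForAWSResource")
    return via == f"es.{region}.amazonaws.com" and str(for_aws).lower() == "true"

def audit_key_policy(key_spec, policy_json, account_id, region):
    """Return a list of findings; an empty list means the key looks right."""
    findings = []
    if key_spec != "SYMMETRIC_DEFAULT":
        findings.append(f"key spec {key_spec} is not symmetric; OpenSearch Service rejects it")
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in json.loads(policy_json)["Statement"]:
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "Principal": "*" form
            principal = {"AWS": principal}
        if stmt.get("Effect") != "Allow" or principal.get("AWS") == root:
            continue  # the account-root key administrator statement is expected
        allows_grants = any(fnmatch.fnmatchcase("kms:CreateGrant", a)
                            for a in _as_list(stmt.get("Action", [])))
        if allows_grants and not grant_statement_is_scoped(stmt, region):
            findings.append(f"statement {stmt.get('Sid', '?')} allows CreateGrant "
                            "without kms:ViaService scoping")
    return findings

# Constructed sample: the grant statement is missing the ViaService condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyAdmins", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "DomainGrants", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/opensearch-admin"},
         "Action": ["kms:CreateGrant", "kms:DescribeKey"], "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for finding in audit_key_policy("SYMMETRIC_DEFAULT", SAMPLE_POLICY,
                                    "111122223333", "us-west-1"):
        print("FINDING:", finding)
```

In a real review, feed the script the output of kms:GetKeyPolicy and the KeySpec from kms:DescribeKey for the key you plan to select in the console.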


If you delete the key that you used to encrypt a domain, the domain becomes inaccessible. The OpenSearch Service team can't help you recover your data. Amazon KMS deletes keys only after a waiting period of at least seven days, so the OpenSearch Service team might contact you if they detect that your domain is at risk.

Enabling encryption of data at rest

Encryption of data at rest on new domains requires either OpenSearch or Elasticsearch 5.1 or later. Enabling it on existing domains requires either OpenSearch or Elasticsearch 6.7 or later.

To enable encryption of data at rest (console)

  1. Open the domain in the Amazon console, then choose Actions and Edit security configuration.

  2. Under Encryption, select Enable encryption of data at rest.

  3. Choose an Amazon KMS key to use, then choose Save changes.

You can also enable encryption through the configuration API. The following request enables encryption of data at rest on an existing domain:

{
  "ClusterConfig": {
    "EncryptionAtRestOptions": {
      "Enabled": true,
      "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:alias/my-key"
    }
  }
}

Disabling encryption of data at rest

After you configure a domain to encrypt data at rest, you can't disable the setting. Instead, you can take a manual snapshot of the existing domain, create another domain, migrate your data, and delete the old domain.

Monitoring domains that encrypt data at rest

Domains that encrypt data at rest have two additional metrics: KMSKeyError and KMSKeyInaccessible. These metrics appear only if the domain encounters a problem with your encryption key. For full descriptions of these metrics, see Cluster metrics. You can view them using either the OpenSearch Service console or the Amazon CloudWatch console.


Each metric represents a significant problem for a domain, so we recommend that you create CloudWatch alarms for both. For more information, see Recommended CloudWatch alarms for Amazon OpenSearch Service.
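The following is an added example (not code from the AWS documentation) that builds CloudWatch alarms for both key metrics and reports which of them a domain still lacks. It assumes the AWS/ES namespace with DomainName and ClientId dimensions that OpenSearch Service publishes, and a hypothetical SNS topic for notifications; the domain name, account id and existing alarm list are constructed sample values.

```python
"""Create or verify CloudWatch alarms on KMSKeyError and KMSKeyInaccessible.
Added example, not code from the AWS documentation; ids are constructed."""
KEY_METRICS = ("KMSKeyError", "KMSKeyInaccessible")

def kms_alarm_params(domain_name, account_id, metric_name, topic_arn):
    """Keyword arguments for CloudWatch put_metric_alarm. A single datapoint
    at 1 is enough to alarm: either metric means the domain cannot use its key."""
    return {
        "AlarmName": f"{domain_name}-{metric_name}",
        "Namespace": "AWS/ES",
        "MetricName": metric_name,
        "Dimensions": [{"Name": "DomainName", "Value": domain_name},
                       {"Name": "ClientId", "Value": account_id}],
        "Statistic": "Maximum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "AlarmActions": [topic_arn],
        "TreatMissingData": "notBreaching",  # the metric is absent while the key is healthy
    }

def missing_key_alarms(domain_name, existing_alarms):
    """Given describe_alarms()["MetricAlarms"] entries, return the key metrics
    that have no alarm scoped to this domain."""
    covered = set()
    for alarm in existing_alarms:
        dims = {d["Name"]: d["Value"] for d in alarm.get("Dimensions", [])}
        if alarm.get("Namespace") == "AWS/ES" and dims.get("DomainName") == domain_name:
            covered.add(alarm.get("MetricName"))
    return [m for m in KEY_METRICS if m not in covered]

# Constructed sample: the account already alarms on KMSKeyError only.
SAMPLE_ALARMS = [{"AlarmName": "logs-domain-KMSKeyError", "Namespace": "AWS/ES",
                  "MetricName": "KMSKeyError",
                  "Dimensions": [{"Name": "DomainName", "Value": "logs-domain"},
                                 {"Name": "ClientId", "Value": "111122223333"}]}]

if __name__ == "__main__":
    import boto3  # only needed when actually creating the alarms
    cw = boto3.client("cloudwatch")
    topic = "arn:aws:sns:us-west-1:111122223333:opensearch-alerts"  # hypothetical
    existing = cw.describe_alarms(AlarmNamePrefix="logs-domain-")["MetricAlarms"]
    for metric in missing_key_alarms("logs-domain", existing):
        cw.put_metric_alarm(**kms_alarm_params("logs-domain", "111122223333", metric, topic))
```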

Other considerations

  • Automatic key rotation preserves the properties of your Amazon KMS keys, so the rotation has no effect on your ability to access your OpenSearch data. Encrypted OpenSearch Service domains don't support manual key rotation, which involves creating a new key and updating any references to the old key. To learn more, see Rotating keys in the Amazon Key Management Service Developer Guide.

  • Certain instance types don't support encryption of data at rest. For details, see Supported instance types in Amazon OpenSearch Service.

  • Domains that encrypt data at rest use a different repository name for their automated snapshots. For more information, see Restoring snapshots.

  • Encrypting an OpenSearch Service domain requires a grant, and each encryption key has a limit of 500 grants per principal. This limit means that the maximum number of OpenSearch Service domains that you can encrypt using a single key is 500. Currently, OpenSearch Service supports a maximum of 100 domains per account (per Region), so this grant limit is of no consequence. If the domain limit per account increases, however, the grant limit might become relevant.

    If you need to encrypt more than 500 domains at that time, you can create additional keys. Keys are regional, not global, so if you operate in more than one Amazon Web Services Region, you already need multiple keys.