

OpenSearch Domain should have Encryption with Customer-Managed Key Management Service (KMS) Keys


An OpenSearch domain can contain important data that should not be accessible to unauthorized users. Encrypting the data with KMS keys can provide an extra level of security for the data in the OpenSearch domain.


  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select OpenSearch.
  4. Select the violating OpenSearch domain.
  5. Copy all the configuration settings from the violating domain.
  6. Create a new domain with the same configuration, with the Encryption at Rest field enabled, and use a key that is customer managed, not AWS managed.
  7. Move the data from the violating OpenSearch domain to the newly created domain.
  8. Delete the violating OpenSearch domain.
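
The following check is an added example, not part of the original page. It shows one way to find violating domains before the steps above and to confirm the new domain afterwards, by reading `EncryptionAtRestOptions` from the OpenSearch `DescribeDomain` response and `KeyManager` from the KMS `DescribeKey` response. The domain names, key IDs and the `FakeOpenSearch`/`FakeKMS` stand-ins are constructed so the example runs offline.

```python
"""Flag OpenSearch domains not encrypted at rest with a customer-managed KMS key."""

def classify(domain_status, key_metadata):
    """Return (compliant, reason) for one DescribeDomain 'DomainStatus' dict."""
    enc = domain_status.get("EncryptionAtRestOptions") or {}
    if not enc.get("Enabled"):
        return False, "encryption at rest disabled"
    if key_metadata is None:
        return False, "KMS key could not be described"
    if key_metadata.get("KeyManager") != "CUSTOMER":
        return False, "key is AWS managed"
    return True, "customer-managed key"

def scan(opensearch, kms):
    """opensearch/kms: boto3 clients, e.g. boto3.client('opensearch'), boto3.client('kms')."""
    findings = {}
    for item in opensearch.list_domain_names()["DomainNames"]:
        name = item["DomainName"]
        status = opensearch.describe_domain(DomainName=name)["DomainStatus"]
        key_id = (status.get("EncryptionAtRestOptions") or {}).get("KmsKeyId")
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"] if key_id else None
        findings[name] = classify(status, meta)
    return findings

# Constructed sample data: stand-ins for the boto3 clients (hypothetical names and keys).
class FakeOpenSearch:
    domains = {
        "logs-cmk": {"Enabled": True, "KmsKeyId": "key-cmk"},
        "logs-aws": {"Enabled": True, "KmsKeyId": "key-aws"},
        "logs-plain": {"Enabled": False},
    }
    def list_domain_names(self):
        return {"DomainNames": [{"DomainName": n} for n in self.domains]}
    def describe_domain(self, DomainName):
        return {"DomainStatus": {"DomainName": DomainName,
                                 "EncryptionAtRestOptions": self.domains[DomainName]}}

class FakeKMS:
    keys = {"key-cmk": "CUSTOMER", "key-aws": "AWS"}
    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, "KeyManager": self.keys[KeyId]}}

def demo():
    return scan(FakeOpenSearch(), FakeKMS())

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

Run the same check against the new domain before deleting the old one in step 8, so the original is not removed until its replacement passes.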