
OpenSearch should use encryption at rest by default (or provide us the option to)

Open hisham opened this issue 2 years ago • 5 comments

Is this feature request related to a new or existing Amplify category?

api

Is this related to another service?

OpenSearch

Describe the feature you'd like to request

OpenSearch has an option to enable encryption at rest by default, and also to enforce HTTPS, but they are checked off when set up via the Amplify CLI.

Describe the solution you'd like

Encryption at rest should be enabled by default (similar to Dynamo), as well as the HTTPS constraint.

Describe alternatives you've considered

Enable it manually myself through the console.

Additional context

No response

Is this something that you'd be interested in working on?

  • [ ] 👋 I may be able to implement this feature request

Would this feature include a breaking change?

  • [ ] ⚠️ This feature might incur a breaking change

hisham avatar Oct 20 '22 21:10 hisham

Hey @hisham, thank you for reaching out. On diving deeper into the OpenSearch instances, I was able to find that not all instances support encryption at rest. Please refer to the document providing information on instance types: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html. For example: t2.micro.search, t2.small.search, t2.medium.search: the T2 instance types do not support encryption of data at rest.

If the application utilizes a higher instance type, say r4.large.search, we can utilize the API override functionality to enable encryption at rest. I was able to test this in my application using the following API override.

import { AmplifyApiGraphQlResourceStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyApiGraphQlResourceStackTemplate) {
    // Turn on encryption at rest for the OpenSearch domain that Amplify provisions
    resources.opensearch.OpenSearchDomain.encryptionAtRestOptions['enabled'] = true;
    // KMS key to encrypt with; replace the placeholder with the ARN of your key
    resources.opensearch.OpenSearchDomain.encryptionAtRestOptions['kmsKeyId'] = "<KMS ARN>";
}

Enabling the feature by default would require a higher instance size, which can increase cost for users.

ykethan avatar Oct 26 '22 22:10 ykethan
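As an added, stand-alone illustration of the override pattern discussed above (not code from this thread or from the Amplify project), the function below applies the same encryption-at-rest setting together with the HTTPS constraint from the original request, and refuses to do so on a T2 instance type, which the linked docs say cannot encrypt at rest. It operates on a plain object whose property names are assumed to match the CDK L1 `AWS::OpenSearchService::Domain` properties in camelCase; in a real override.ts you would pass `resources.opensearch.OpenSearchDomain` to it.

```typescript
// Minimal structural stand-in for the OpenSearch domain exposed by
// resources.opensearch.OpenSearchDomain (assumption: camelCased CloudFormation names).
type DomainProps = {
  clusterConfig?: { instanceType?: string };
  encryptionAtRestOptions?: { enabled?: boolean; kmsKeyId?: string };
  nodeToNodeEncryptionOptions?: { enabled?: boolean };
  domainEndpointOptions?: { enforceHttps?: boolean; tlsSecurityPolicy?: string };
};

// Per the AWS instance-type docs cited in the thread, t2.*.search instance
// types do not support encryption of data at rest.
function supportsEncryptionAtRest(instanceType: string): boolean {
  return !/^t2\./i.test(instanceType);
}

// Enable encryption at rest, node-to-node encryption and HTTPS-only access.
// kmsKeyArn is optional: when omitted, the service falls back to its own
// default key (assumption about service behaviour, not something the thread states).
function hardenOpenSearchDomain(domain: DomainProps, kmsKeyArn?: string): DomainProps {
  const instanceType = domain.clusterConfig?.instanceType ?? "";
  if (instanceType !== "" && !supportsEncryptionAtRest(instanceType)) {
    // Fail at synth time instead of shipping a template that fails on deploy.
    throw new Error(`${instanceType} does not support encryption at rest; use t3 or larger`);
  }
  domain.encryptionAtRestOptions = {
    ...domain.encryptionAtRestOptions,
    enabled: true,
    ...(kmsKeyArn ? { kmsKeyId: kmsKeyArn } : {}),
  };
  domain.nodeToNodeEncryptionOptions = { ...domain.nodeToNodeEncryptionOptions, enabled: true };
  domain.domainEndpointOptions = {
    ...domain.domainEndpointOptions,
    enforceHttps: true,
    tlsSecurityPolicy: "Policy-Min-TLS-1-2-2019-07", // reject TLS 1.0/1.1 clients
  };
  return domain;
}

// Constructed sample: an r4.large.search domain with a placeholder KMS ARN.
const hardened = hardenOpenSearchDomain(
  { clusterConfig: { instanceType: "r4.large.search" } },
  "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID",
);
```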

Hey @hisham , following up on this issue. Do let us know if you require any assistance.

ykethan avatar Nov 08 '22 17:11 ykethan

Hi @ykethan - my apologies for the delay. You are right that not all instances support encryption at rest. However, this is only limited to t2 instances which are deprecated and don't need to be used anymore for new setups (and old setups can easily upgrade). See https://docs.aws.amazon.com/opensearch-service/latest/developerguide/supported-instance-types.html - "OpenSearch Service offers previous generation instance types for users who have optimized their applications around them and have yet to upgrade. We encourage you to use current generation instance types to get the best performance, but we continue to support the following previous generation instance types."

The t3 instance is the same cost and allows encryption at rest. So this is related to https://github.com/aws-amplify/amplify-category-api/issues/900, I guess.

hisham avatar Nov 08 '22 18:11 hisham

Hey @hisham, I have created an issue, https://github.com/aws-amplify/amplify-category-api/issues/934, on providing support for .search types. The team has been notified about the deprecating instance types. Please feel free to add any information to the issue describing your use case. I will mark this issue as a feature request.

ykethan avatar Nov 08 '22 18:11 ykethan

Hey @ykethan, is there a way to pass a KMS ARN created in a custom resource CDK template as a parameter to override.ts?

import { AmplifyApiGraphQlResourceStackTemplate } from '@aws-amplify/cli-extensibility-helper';

export function override(resources: AmplifyApiGraphQlResourceStackTemplate) {
    resources.opensearch.OpenSearchDomain.encryptionAtRestOptions['enabled'] = true;
    resources.opensearch.OpenSearchDomain.encryptionAtRestOptions['kmsKeyId'] = "<KMS ARN>";
}

ilkerburakkurt avatar Jul 09 '24 12:07 ilkerburakkurt