Identify Unencrypted AWS Resources using Cloud Custodian
Identify and remediate your unencrypted AWS resources
Cloud Custodian is an open-source tool that lets you identify resources that were left unencrypted. It is important to understand the working mechanics of every resource so that you use it appropriately, configure it correctly, and protect its data both in transit and at rest. Cloud Custodian supports several actions for different resource types. Below are a few example Cloud Custodian policies that identify unencrypted resources.
Example #1: Elasticsearch Encryption is Not Enabled

```yaml
policies:
  - name: elasticsearch-domainendpoint-intransit-encryption
    resource: aws.elasticsearch
    comment: |
      For the domain endpoint, identify all traffic (in transit) to
      the domain that is not going over HTTPS. This means the
      EnforceHTTPS value is False.
    filters:
      # EnforceHTTPS is nested under DomainEndpointOptions in the
      # describe output, so the key must give the full dotted path.
      - type: value
        key: DomainEndpointOptions.EnforceHTTPS
        value: false
    mode:
      schedule: "rate(24 hours)"
      type: periodic
    execution-options:
      output_dir: s3://s3bucket/path/{account_id}/
      runtime: python3.8
```
Example #2: Elasticsearch Node-to-Node Encryption is Not Enabled

```yaml
policies:
  - name: elasticsearch-node2node-encryption-not-enabled
    resource: aws.elasticsearch
    comment: |
      Identify if…
```
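As an added example (not from the original post or the Cloud Custodian project), the following Python mirrors how a Custodian `type: value` filter resolves its dotted `key` against the domain description, run offline over constructed Elasticsearch domain records for both the in-transit check of Example #1 and the node-to-node check of Example #2. The sample domains, `DOMAINS`, and the helper names are assumptions; the `absent` value and the `ne` operator follow Custodian's own value filter semantics.

```python
import operator

# Constructed sample domains (not real accounts), shaped like the
# DescribeElasticsearchDomains response. "legacy" has no
# NodeToNodeEncryptionOptions or EncryptionAtRestOptions block at all.
DOMAINS = [
    {"DomainName": "logs-prod",
     "DomainEndpointOptions": {"EnforceHTTPS": True},
     "NodeToNodeEncryptionOptions": {"Enabled": True},
     "EncryptionAtRestOptions": {"Enabled": True}},
    {"DomainName": "search-dev",
     "DomainEndpointOptions": {"EnforceHTTPS": False},
     "NodeToNodeEncryptionOptions": {"Enabled": False},
     "EncryptionAtRestOptions": {"Enabled": False}},
    {"DomainName": "legacy",
     "DomainEndpointOptions": {"EnforceHTTPS": False}},
]

OPS = {"eq": operator.eq, "ne": operator.ne}

def resolve_key(resource, key):
    """Walk a dotted key path the way Custodian's `key:` is resolved.
    A missing path yields None, which is how an absent attribute behaves."""
    cur = resource
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def value_filter(resources, key, value, op="eq"):
    """Return the DomainNames matched by a `type: value` filter."""
    if value == "absent":
        return [r["DomainName"] for r in resources if resolve_key(r, key) is None]
    cmp = OPS[op]
    return [r["DomainName"] for r in resources if cmp(resolve_key(r, key), value)]

def unencrypted_report(resources=DOMAINS):
    """Run the checks from the policies above plus an at-rest check."""
    return {
        # Bare attribute name: EnforceHTTPS is nested, so nothing matches.
        "bare_key_misses": value_filter(resources, "EnforceHTTPS", False),
        "no_https": value_filter(resources, "DomainEndpointOptions.EnforceHTTPS", False),
        # `value: false` skips domains where the block is absent ...
        "n2n_eq_false": value_filter(resources, "NodeToNodeEncryptionOptions.Enabled", False),
        # ... so `op: ne` against true is safer: it catches false AND absent.
        "n2n_not_true": value_filter(resources, "NodeToNodeEncryptionOptions.Enabled", True, "ne"),
        "no_at_rest": value_filter(resources, "EncryptionAtRestOptions.Enabled", True, "ne"),
    }
```

The takeaway for the policies above: write `op: ne` with `value: true` (or a separate `value: absent` filter) rather than `value: false` alone, or domains that never had the encryption block set will be silently missed.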