awslabs / aws-config-rules

[Node, Python, Java] Repository of sample Custom Rules for AWS Config.
http://aws.amazon.com/config/
Creative Commons Zero v1.0 Universal

New rule on Amazon Elasticsearch Service (Amazon ES) domains to check if node to node encryption is enabled. #160

Open shikharj05 opened 5 years ago

shikharj05 commented 5 years ago

New rule on Amazon Elasticsearch Service (Amazon ES) domains to check if node to node encryption is enabled (ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK). Please provide comments on the gherkin if any.


Description: Checks whether Amazon Elasticsearch Service (Amazon ES) domains have node to node encryption configuration enabled. The rule is NON_COMPLIANT if node to node encryption is not enabled.
Trigger: Periodic
Reports on: AWS::Elasticsearch::Domain
Rule Parameters: None

Scenarios:
  Scenario: 1
     Given: No Amazon Elasticsearch Service (Amazon ES) domains are present in a region for an account.
      Then: Return NOT_APPLICABLE
  Scenario: 2
     Given: At least one ElasticSearch Domain is present 
       And: NodeToNodeEncryptionOptions field set as Enabled:true.
      Then: Return COMPLIANT
  Scenario: 3
     Given: At least one ElasticSearch Domain is present
       And: NodeToNodeEncryptionOptions field set as Enabled:false.
      Then: Return NON_COMPLIANT
shikharj05 commented 5 years ago

APIs to be used: Get a list of domains - https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/es.html#ElasticsearchService.Client.list_domain_names Describe multiple domains - https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/es.html#ElasticsearchService.Client.describe_elasticsearch_domains
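The evaluation logic behind the three scenarios above, using the two boto3 calls listed, as an added example that is not code from this issue or from the aws-config-rules repository. The account id, the sample domain names and the `FakeEsClient` are constructed for offline use; a domain with no `NodeToNodeEncryptionOptions` block at all is treated as not encrypted (fail closed), which is an assumption of this example rather than something the scenarios spell out. The batch size of 5 reflects the documented per-call limit of `describe_elasticsearch_domains`.

```python
"""ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK evaluation logic (added example)."""
from typing import Dict, List

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

# describe_elasticsearch_domains accepts a limited number of DomainNames per call (5).
DESCRIBE_BATCH_SIZE = 5


def is_node_to_node_encrypted(domain_status: Dict) -> bool:
    """Scenarios 2 and 3: read NodeToNodeEncryptionOptions.Enabled from one
    DomainStatus entry. A missing block counts as not enabled (assumption)."""
    options = domain_status.get("NodeToNodeEncryptionOptions") or {}
    return options.get("Enabled") is True


def evaluate_domains(domain_statuses: List[Dict], account_id: str) -> List[Dict]:
    """Map DomainStatus entries to Config evaluations.
    Scenario 1 (no domains) reports NOT_APPLICABLE against the account."""
    if not domain_statuses:
        return [{
            "resource_type": "AWS::::Account",
            "resource_id": account_id,
            "compliance_type": NOT_APPLICABLE,
        }]
    evaluations = []
    for status in domain_statuses:
        evaluations.append({
            "resource_type": "AWS::Elasticsearch::Domain",
            "resource_id": status["DomainName"],
            "compliance_type": COMPLIANT if is_node_to_node_encrypted(status) else NON_COMPLIANT,
        })
    return evaluations


def fetch_domain_statuses(es_client) -> List[Dict]:
    """Collect DomainStatus entries with list_domain_names followed by batched
    describe_elasticsearch_domains calls. Works with boto3.client('es') or the fake below."""
    names = [d["DomainName"] for d in es_client.list_domain_names().get("DomainNames", [])]
    statuses: List[Dict] = []
    for start in range(0, len(names), DESCRIBE_BATCH_SIZE):
        batch = names[start:start + DESCRIBE_BATCH_SIZE]
        response = es_client.describe_elasticsearch_domains(DomainNames=batch)
        statuses.extend(response.get("DomainStatusList", []))
    return statuses


class FakeEsClient:
    """Constructed stand-in for boto3.client('es') so the example runs offline.
    It mirrors only the two response shapes the rule reads."""

    def __init__(self, domain_statuses: List[Dict]):
        self._by_name = {d["DomainName"]: d for d in domain_statuses}
        self.describe_calls = 0

    def list_domain_names(self) -> Dict:
        return {"DomainNames": [{"DomainName": n} for n in self._by_name]}

    def describe_elasticsearch_domains(self, DomainNames: List[str]) -> Dict:
        self.describe_calls += 1
        return {"DomainStatusList": [self._by_name[n] for n in DomainNames]}


# Constructed sample input: one compliant domain, one explicitly disabled,
# one with no encryption block at all.
SAMPLE_DOMAINS = [
    {"DomainName": "search-prod", "NodeToNodeEncryptionOptions": {"Enabled": True}},
    {"DomainName": "search-dev", "NodeToNodeEncryptionOptions": {"Enabled": False}},
    {"DomainName": "search-legacy"},
]
SAMPLE_ACCOUNT_ID = "123456789012"  # constructed placeholder


def run_rule(es_client, account_id: str) -> List[Dict]:
    """Full periodic evaluation: fetch, then evaluate."""
    return evaluate_domains(fetch_domain_statuses(es_client), account_id)


if __name__ == "__main__":
    for evaluation in run_rule(FakeEsClient(SAMPLE_DOMAINS), SAMPLE_ACCOUNT_ID):
        print(evaluation["resource_id"], evaluation["compliance_type"])
```

In a real rule the only change is replacing `FakeEsClient(...)` with `boto3.client("es")`; the evaluation function is pure, so the scenario table can be unit-tested without AWS access.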

jongogogo commented 5 years ago

On Scenario 2 and 3, start with Given: At least one ElasticSearch Domain is present

shikharj05 commented 5 years ago

On Scenario 2 and 3, start with Given: At least one ElasticSearch Domain is present

Edited the original issue post to accommodate the change.

jongogogo commented 5 years ago

Updated, good to go :)

jongogogo commented 5 years ago

Blocked as lambda boto is returning the right info yet.