EncryptionAtRestOptions

class aws_cdk.aws_opensearchservice.EncryptionAtRestOptions(*, enabled=None, kms_key=None)

Bases: object

Whether the domain should encrypt data at rest, and if so, the AWS Key Management Service (KMS) key to use.

Can only be used to create a new domain, not update an existing one. Requires Elasticsearch version 5.1 or later or OpenSearch version 1.0 or later.

Parameters:
  • enabled (Optional[bool]) – Specify true to enable encryption at rest. Default: - encryption at rest is disabled.

  • kms_key (Optional[IKey]) – Supply if using KMS key for encryption at rest. Default: - uses default aws/es KMS key.

Example:

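from aws_cdk.aws_opensearchservice import (
    AdvancedSecurityOptions, Domain, EncryptionAtRestOptions,
    EngineVersion, SAMLOptionsProperty,
)

# Runs inside a Stack or Construct, where `self` is the construct scope.
domain = Domain(self, "Domain",
    version=EngineVersion.OPENSEARCH_1_0,
    enforce_https=True,
    node_to_node_encryption=True,
    # No kms_key is supplied, so the default aws/es KMS key is used.
    encryption_at_rest=EncryptionAtRestOptions(
        enabled=True
    ),
    fine_grained_access_control=AdvancedSecurityOptions(
        master_user_name="master-user",
        saml_authentication_enabled=True,
        saml_authentication_options=SAMLOptionsProperty(
            idp_entity_id="entity-id",
            idp_metadata_content="metadata-content-with-quotes-escaped"
        )
    )
)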
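
Because encryption at rest is disabled by default and can only be set when a domain is created, it is worth checking the synthesized template before the first deployment. The following is an added example, not part of the CDK documentation: a standard-library Python check over a CloudFormation template that reports, per domain, whether encryption at rest is disabled, uses the default aws/es key, or uses a supplied key. The sample template and the function name audit_encryption_at_rest are constructed for illustration; EncryptionAtRestOptions, Enabled and KmsKeyId are the CloudFormation property names on the domain resource.

```python
# Added example: audit a CloudFormation template using the standard library only.
DOMAIN_TYPES = {"AWS::OpenSearchService::Domain", "AWS::Elasticsearch::Domain"}

# Constructed sample template; logical IDs and structure are simplified.
SAMPLE_TEMPLATE = {
    "Resources": {
        "Key": {"Type": "AWS::KMS::Key", "Properties": {}},
        "NoEncryption": {
            "Type": "AWS::OpenSearchService::Domain",
            "Properties": {"EngineVersion": "OpenSearch_1.0"},
        },
        "DefaultKey": {
            "Type": "AWS::OpenSearchService::Domain",
            "Properties": {"EncryptionAtRestOptions": {"Enabled": True}},
        },
        "CustomerKey": {
            "Type": "AWS::OpenSearchService::Domain",
            "Properties": {
                "EncryptionAtRestOptions": {
                    "Enabled": True,
                    "KmsKeyId": {"Ref": "Key"},
                }
            },
        },
    }
}


def audit_encryption_at_rest(template):
    """Map each domain's logical ID to its encryption-at-rest state."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in DOMAIN_TYPES:
            continue  # only search domains carry EncryptionAtRestOptions
        opts = (resource.get("Properties") or {}).get("EncryptionAtRestOptions") or {}
        enabled = opts.get("Enabled")
        if isinstance(enabled, dict):
            findings[logical_id] = "unresolved"    # intrinsic function, value not known here
        elif str(enabled).lower() != "true":
            findings[logical_id] = "disabled"      # absent or false: the default
        elif opts.get("KmsKeyId"):
            findings[logical_id] = "customer-key"  # kms_key was supplied
        else:
            findings[logical_id] = "default-key"   # default aws/es KMS key
    return findings


if __name__ == "__main__":
    for name, state in audit_encryption_at_rest(SAMPLE_TEMPLATE).items():
        print(f"{name}: {state}")
```
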

Attributes

enabled

Specify true to enable encryption at rest.

Default:
  • encryption at rest is disabled.

kms_key

Supply if using KMS key for encryption at rest.

Default:
  • uses default aws/es KMS key.