Amazon OpenSearch Service introduces index-level encryption feature

Amazon OpenSearch Service now offers index-level encryption, allowing for individual encryption of indexes using AWS KMS customer managed keys. This feature is available at no extra cost in select regions.

Amazon OpenSearch Service has introduced index-level encryption, which lets users encrypt data at rest for each index individually using AWS Key Management Service (KMS) customer managed keys. Users can apply distinct customer managed keys to different indexes within the same domain, which allows more granular, tenant-specific encryption policies.

This capability extends the existing encryption at rest feature in Amazon OpenSearch Service. Domain-level encryption uses a single AWS KMS key to secure all data within a domain. Index-level encryption instead allows a unique customer managed key to be assigned to each index, so that data in different indexes is encrypted in isolation. To use it, users must register their KMS key via the Amazon OpenSearch Service API and specify the key ARN in the index settings when creating an encrypted index.

Index-level encryption is offered at no extra charge for Amazon OpenSearch Service domains running OpenSearch version 3.3 or newer. The feature is available in 14 AWS Regions: US West (Oregon), US East (Ohio), US East (N. Virginia), South America (São Paulo), Europe (Paris), Europe (London), Europe (Ireland), Europe (Frankfurt), Canada (Central), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Singapore), Asia Pacific (Seoul), and Asia Pacific (Mumbai).

For further information, users are encouraged to consult the Index-level Encryption section in the Amazon OpenSearch Service Developer Guide.