Amazon OpenSearch Service introduces index-level encryption

Amazon OpenSearch Service now offers index-level encryption, enabling per-index data encryption using AWS KMS keys. This feature allows for more granular encryption strategies and is available in several AWS Regions.

Amazon OpenSearch Service has announced the introduction of index-level encryption, a new feature that allows data at rest to be encrypted on a per-index basis using AWS Key Management Service (KMS) customer managed keys. This enhancement provides users the flexibility to apply different customer managed keys for separate indexes within the same domain, thereby supporting more detailed and tenant-specific encryption strategies.

This new capability expands upon the existing encryption at rest feature available in Amazon OpenSearch Service. Previously, domain-level encryption used a single AWS KMS key to secure all data within a domain. In contrast, index-level encryption permits the assignment of a distinct customer managed key for each index, so that the data in each index is encrypted under its own key. To create an encrypted index, users first register their KMS key via the Amazon OpenSearch Service API and then specify the key ARN in the index settings when creating the index.

Index-level encryption is offered at no additional charge for Amazon OpenSearch Service domains operating on OpenSearch version 3.3 or later. This feature is currently available in 14 AWS Regions: US West (Oregon), US East (Ohio), US East (N. Virginia), South America (São Paulo), Europe (Paris), Europe (London), Europe (Ireland), Europe (Frankfurt), Canada (Central), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Singapore), Asia Pacific (Seoul), and Asia Pacific (Mumbai).

For further information, users are encouraged to consult the Index-level encryption section in the Amazon OpenSearch Service Developer Guide.