Benchmark: OpenSearch
Description
This section contains recommendations for configuring OpenSearch resources.
Usage
Install the mod:
mkdir dashboardscd dashboardspowerpipe mod initpowerpipe mod install github.com/turbot/steampipe-mod-aws-complianceStart the Powerpipe server:
steampipe service startpowerpipe serverOpen http://localhost:9033 in your browser and select OpenSearch.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.all_controls_opensearchSnapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.all_controls_opensearch --shareControls
- OpenSearch domains should have audit logging enabled.
- OpenSearch domains cognito authentication should be enabled for kibana
- OpenSearch domains should have at least three data nodes
- OpenSearch domains should have encryption at rest enabled
- OpenSearch domains should have fine-grained access control enabled
- OpenSearch domains should use HTTPS
- OpenSearch domains should be in a VPC
- OpenSearch domains internal user database should be disabled
- OpenSearch domains logs to AWS CloudWatch Logs
- OpenSearch domains node-to-node encryption should be enabled
- OpenSearch domains should be updated to the latest service software version