turbot/aws_compliance

Control: 7 Elasticsearch domains should be configured with at least three dedicated master nodes

Description

This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.

An Elasticsearch domain requires at least three dedicated master nodes for high availability and fault-tolerance. Dedicated master node resources can be strained during data node blue/green deployments because there are additional nodes to manage. Deploying an Elasticsearch domain with at least three dedicated master nodes ensures sufficient master node resource capacity and cluster operations if a node fails.
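
The pass/fail rule described above, written out as an added example (it is not the mod's named query or any Turbot code). It assumes input shaped like the `ElasticsearchClusterConfig` block returned by `aws es describe-elasticsearch-domain`; the function names and the sample domains are constructed for illustration.

```python
# Added example: evaluates the rule from the Description against the
# ElasticsearchClusterConfig block of each domain. Function names and the
# sample data are hypothetical, not part of the aws_compliance mod.
MIN_MASTERS = 3  # threshold stated by the control


def evaluate_domain(name, cluster_config):
    """Return (status, reason) for one domain; status is 'ok' or 'alarm'."""
    enabled = cluster_config.get("DedicatedMasterEnabled", False)
    count = cluster_config.get("DedicatedMasterCount")
    if not enabled:
        return "alarm", f"{name} does not use dedicated master nodes."
    # Treat a missing or non-integer count on an enabled domain as a
    # failure rather than guessing a value.
    if not isinstance(count, int) or isinstance(count, bool):
        return "alarm", f"{name} has no usable dedicated master count."
    if count < MIN_MASTERS:
        return "alarm", f"{name} has {count} dedicated master node(s), fewer than {MIN_MASTERS}."
    reason = f"{name} has {count} dedicated master nodes."
    if count > MIN_MASTERS:
        reason += " More than three might be unnecessary and adds cost."
    return "ok", reason


def evaluate_all(domains):
    """Map {domain name: cluster config} to {domain name: (status, reason)}."""
    return {n: evaluate_domain(n, cfg) for n, cfg in sorted(domains.items())}


# Constructed sample input (not real domains).
SAMPLE_DOMAINS = {
    "logs-prod": {"InstanceCount": 6, "DedicatedMasterEnabled": True,
                  "DedicatedMasterType": "m5.large.elasticsearch", "DedicatedMasterCount": 3},
    "search-dev": {"InstanceCount": 1, "DedicatedMasterEnabled": False},
    "metrics": {"InstanceCount": 4, "DedicatedMasterEnabled": True,
                "DedicatedMasterType": "m5.large.elasticsearch", "DedicatedMasterCount": 2},
    "audit": {"InstanceCount": 10, "DedicatedMasterEnabled": True,
              "DedicatedMasterType": "m5.large.elasticsearch", "DedicatedMasterCount": 5},
}

if __name__ == "__main__":
    for name, (status, reason) in evaluate_all(SAMPLE_DOMAINS).items():
        print(f"{status:5} {reason}")
```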

Remediation

To modify the number of dedicated master nodes in an Elasticsearch domain:

  1. Open the Amazon Elasticsearch console.
  2. Under My domains, choose the name of the domain to edit.
  3. Choose Edit domain.
  4. Under Dedicated master nodes, set Instance type to the desired instance type.
  5. Set Number of master nodes equal to three or greater.
  6. Choose Submit.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_es_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_es_7 --share

SQL

This control uses a named query:

es_domain_dedicated_master_nodes_min_3
