Control: 7 Elasticsearch domains should be configured with at least three dedicated master nodes
Description
This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.
An Elasticsearch domain requires at least three dedicated master nodes for high availability and fault-tolerance. Dedicated master node resources can be strained during data node blue/green deployments because there are additional nodes to manage. Deploying an Elasticsearch domain with at least three dedicated master nodes ensures sufficient master node resource capacity and cluster operations if a node fails.
Remediation
To modify the number of dedicated master nodes in an Elasticsearch domain
- Open the Amazon Elasticsearch console.
- Under
My domains, choose the name of the domain to edit. - Choose
Edit domain. - Under
Dedicated master nodes, setInstance typeto the desired instance type. - Set
Number of master nodesequal to three or greater. - Choose
Submit.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_es_7Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_es_7 --shareSQL
This control uses a named query:
es_domain_dedicated_master_nodes_min_3