v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 6 OpenSearch domains should have at least three data nodes

Description

This control checks whether OpenSearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true. This control fails for an OpenSearch domain if instanceCount is less than 3 or zoneAwarenessEnabled is false.

An OpenSearch domain requires at least three data nodes for high availability and fault-tolerance. Deploying an OpenSearch domain with at least three data nodes ensures cluster operations if a node fails.

Remediation

To modify the number of data nodes in an OpenSearch domain

  1. Sign in to the AWS console and open the Amazon OpenSearch Service.
  2. Under My domains, choose the name of the domain to edit, and choose Edit.
  3. Under Data nodes set Number of nodes to a number greater than 3. If you are deploying to three Availability Zone, set the number to a multiple of three to ensure equal distribution across Availability Zones.
  4. Choose Submit.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_opensearch_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_opensearch_6 --share

SQL

This control uses a named query:

opensearch_domain_data_node_fault_tolerance

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = high_availability
foundational_security_item_id = opensearch_6
plugin = aws
service = AWS/OpenSearch