Control: 6 OpenSearch domains should have at least three data nodes
Description
This control checks whether OpenSearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true. This control fails for an OpenSearch domain if instanceCount is less than 3 or zoneAwarenessEnabled is false.
An OpenSearch domain requires at least three data nodes for high availability and fault-tolerance. Deploying an OpenSearch domain with at least three data nodes ensures cluster operations if a node fails.
Remediation
To modify the number of data nodes in an OpenSearch domain
- Sign in to the AWS console and open the Amazon OpenSearch Service.
- Under
My domains, choose the name of the domain to edit, and chooseEdit. - Under
Data nodessetNumber of nodesto a number greater than 3. If you are deploying to three Availability Zone, set the number to a multiple of three to ensure equal distribution across Availability Zones. - Choose
Submit.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_opensearch_6Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_opensearch_6 --shareSQL
This control uses a named query:
select arn as resource, case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' and cluster_config ->> 'InstanceCount' > '2' then 'ok' else 'alarm' end as status, case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' and cluster_config ->> 'InstanceCount' > '2' then title || ' zone awareness is ' || case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' then 'enabled' else 'disabled' end || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configued.' else title || ' zone awareness is ' || case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' then 'enabled' else 'disabled' end || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configued.' end as reason , region, account_idfrom aws_opensearch_domain;