AWS Elastic Search
About
Monitor and audit Elastic Search instances to ensure that security, availability, and reliability are not compromised.
Security
Encrypted Domain
Ensures ElasticSearch domains are encrypted with KMS. ElasticSearch domains should be encrypted to ensure data at rest is secured.
ElasticSearch HTTPS Only
Ensures ElasticSearch domains are configured to enforce HTTPS connections. ElasticSearch domains should be configured to enforce HTTPS connections for all clients to ensure encryption of data in transit.
ElasticSearch Logging Enabled
Ensures ElasticSearch domains are configured to log data to CloudWatch. ElasticSearch domains should be configured with logging enabled with logs sent to CloudWatch for analysis and long-term storage.
ElasticSearch Node To Node Encryption
Ensures ElasticSearch domain traffic is encrypted in transit between nodes. ElasticSearch domains should use node-to-node encryption to ensure data in transit remains encrypted using TLS 1.2.
ElasticSearch Private Service Domain
Ensures ElasticSearch domains are created with private VPC endpoint options. ElasticSearch domains can either be created with a public endpoint or with a VPC configuration that enables internal VPC communication. Domains should be created without a public endpoint to prevent potential public access to the domain.
ElasticSearch Upgrade Available
Ensures ElasticSearch domains are running the latest service software. ElasticSearch domains should be configured to run the latest service software which often contains security updates.
Elasticsearch Domain Encrypted with KMS CMKs
Ensure that your Amazon ElasticSearch (ES) domains are encrypted with KMS Customer Master Keys (CMKs) instead of AWS-managed keys.
Elasticsearch Accessible only from Whitelisted IP Addresses
Ensure that access to your Elasticsearch Service (ES) domains is granted only to whitelisted IP addresses, in order to protect them against unauthorized access.
Elasticsearch Cross Account Access
Ensure that all your Elasticsearch Service (ES) clusters are configured to allow access only to trusted AWS users and accounts, in order to protect against unauthorized cross-account access.
Elasticsearch Desired Instance Type
Determine if the Elasticsearch (ES) instances provisioned in your AWS account have the desired instance type established by your organization based on the workload deployed.
Elasticsearch Domain Exposed
Identify any publicly accessible AWS Elasticsearch domains and update their access policy in order to stop any unsigned requests made to these resources.
Elasticsearch Instance Counts
Ensure that the number of Amazon Elasticsearch cluster instances provisioned in your AWS account has not reached the limit quota established by your organization.
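The configuration checks in the Security section above can be evaluated offline against a domain description. This is an added example, not code from the original checklist or its vendor: the field names assume the DomainStatus object returned by boto3's `describe_elasticsearch_domain`, the function names are hypothetical, and the sample domain is constructed.

```python
import json

# Constructed sample shaped like the DomainStatus object returned by boto3's
# es.describe_elasticsearch_domain(); every value below is made up.
SAMPLE_DOMAIN = {
    "DomainName": "example-logs",
    "Endpoint": "search-example-logs.example.invalid",  # public: no VPCOptions
    "EncryptionAtRestOptions": {"Enabled": True},
    "NodeToNodeEncryptionOptions": {"Enabled": False},
    "DomainEndpointOptions": {"EnforceHTTPS": True},
    "LogPublishingOptions": {},
    "ServiceSoftwareOptions": {"UpdateAvailable": True},
    "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": "*"}]}),
}

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def open_statements(policy_json):
    """Allow statements open to any principal with no Condition (e.g. no aws:SourceIp)."""
    stmts = json.loads(policy_json).get("Statement", []) if policy_json else []
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Allow"
            and is_wildcard(s.get("Principal")) and not s.get("Condition")]

def audit_domain(d):
    """Return the names of the page's checks that this domain fails."""
    in_vpc = bool((d.get("VPCOptions") or {}).get("VPCId"))
    logs = (d.get("LogPublishingOptions") or {}).values()
    checks = {
        "Encrypted Domain": (d.get("EncryptionAtRestOptions") or {}).get("Enabled", False),
        "ElasticSearch HTTPS Only": (d.get("DomainEndpointOptions") or {}).get("EnforceHTTPS", False),
        "ElasticSearch Logging Enabled": any(v.get("Enabled") for v in logs),
        "ElasticSearch Node To Node Encryption": (d.get("NodeToNodeEncryptionOptions") or {}).get("Enabled", False),
        "ElasticSearch Private Service Domain": in_vpc,
        "ElasticSearch Upgrade Available": not (d.get("ServiceSoftwareOptions") or {}).get("UpdateAvailable", False),
        # Exposed = public endpoint plus an unconditional wildcard Allow statement.
        "Elasticsearch Domain Exposed": in_vpc or not open_statements(d.get("AccessPolicies")),
    }
    return [name for name, ok in checks.items() if not ok]
```

For a live audit, pass each `DomainStatus` from the API response to `audit_domain`; any non-empty result lists the checks to remediate.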
Performance Efficiency
ElasticSearch Cluster Status
Ensure that your AWS ElasticSearch (ES) clusters are healthy, i.e. they all have shard allocation status set to "Green".
Elasticsearch Free Storage Space
Identify any Amazon ElasticSearch (ES) clusters that appear to run low on disk space and scale them up to help mitigate any issues.
Reliability
Elasticsearch Dedicated Master Enabled
Ensure that your AWS Elasticsearch Service (ES) clusters are using dedicated master nodes to improve their environmental stability by offloading all the management tasks from the cluster data nodes.
Elasticsearch Zone Awareness Enabled
Ensure that AWS Elasticsearch (ES) cross-zone replication (Zone Awareness) is enabled to increase the availability of your ES clusters.
Cost Optimisation
Elasticsearch General Purpose SSD
Ensure that your Amazon Elasticsearch (ES) clusters are using General Purpose SSD (gp2) data nodes instead of Provisioned IOPS SSD (io1) nodes for cost-effective storage that fits a broad range of workloads.
Elasticsearch Reserved Instance Lease Expiration In The Next 30 Days
Ensure that your AWS Elasticsearch Reserved Instances (RIs) are renewed before expiration in order to get a significant discount on the hourly charges.
Elasticsearch Reserved Instance Lease Expiration In The Next 7 Days
Ensure that your AWS Elasticsearch Reserved Instances (RIs) are renewed before expiration in order to get a significant discount on the hourly charges.
Elasticsearch Reserved Instance Payment Failed
Identify any failed Amazon Elasticsearch (ES) Reserved Instances available within your AWS account.
Elasticsearch Reserved Instance Payment Pending
Identify any pending Amazon Elasticsearch (ES) Reserved Instances available in your AWS account and solve these incomplete ES reservations by requesting AWS Support to retry the necessary payments.
Elasticsearch Reserved Instance Recent Purchases
Ensure that all active Amazon Elasticsearch (ES) Reserved Instance purchases are reviewed every 7 days to make sure that no unwanted RI purchase has been placed recently.
Idle Elasticsearch Clusters
Identify any Amazon Elasticsearch (ES) clusters that appear to be idle and remove them from your account to help lower the cost of your monthly AWS bill.