Opensearch Data Node Should Have Fault Tolerance
More Info:
This rule checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true. The rule is NON_COMPLIANT for an OpenSearch domain if ‘instanceCount’ is less than 3 or ‘zoneAwarenessEnabled’ is set to ‘false’.
Risk Level
Medium
Address
Configuration
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the lack of fault tolerance for an OpenSearch data node in AWS, you can follow these steps using the AWS Management Console:
- Navigate to Amazon OpenSearch Service Console:
  - Go to the AWS Management Console (https://console.aws.amazon.com).
  - In the “Find services” search bar, type “OpenSearch Service” and click on it to open the OpenSearch dashboard.
- Select the OpenSearch Domain:
  - From the list of OpenSearch domains, select the domain for which you want to enable fault tolerance.
- Modify the Domain Configuration:
  - In the OpenSearch dashboard, locate and click on the domain name that you want to modify.
  - Click on the “Modify domain” button to update the domain configuration.
- Enable Zone Awareness:
  - In the “Configure cluster” section, find the “Enable zone awareness” option and toggle it to enable fault tolerance.
  - Zone awareness ensures that each primary shard has at least one replica in a different Availability Zone.
- Select the Number of Availability Zones:
  - Choose the number of Availability Zones you want to distribute your data across. It is recommended to select at least 2 Availability Zones for fault tolerance.
- Save the Configuration Changes:
  - Review the other settings and configurations to ensure they are correct.
  - Click on the “Submit” button to save the changes and apply fault tolerance to your OpenSearch domain.
- Monitor the Domain:
  - Once the configuration changes are saved, monitor the domain to ensure that the fault tolerance settings are applied correctly.
  - You can check the domain status and cluster health in the OpenSearch dashboard.
By following these steps, you can enable fault tolerance for an OpenSearch data node in AWS, ensuring high availability and resilience to failures in your OpenSearch domain.
To enable fault tolerance for OpenSearch data nodes in AWS, you can follow these steps using the AWS CLI:
- Identify the OpenSearch domain: Run the following AWS CLI command to list all the OpenSearch domains in your AWS account:
  ```bash
  # The OpenSearch Service CLI namespace is "opensearch"; the legacy "es" namespace
  # exposes the same operations under their old Elasticsearch names.
  aws opensearch list-domain-names
  ```
- Get the configuration of the OpenSearch domain: Run the following AWS CLI command to get the configuration of the specific OpenSearch domain:
  ```bash
  # ClusterConfig in the output shows InstanceCount and ZoneAwarenessEnabled,
  # the two fields this rule evaluates.
  aws opensearch describe-domain --domain-name YOUR_DOMAIN_NAME
  ```
- Update the domain configuration to enable fault tolerance: Run the following AWS CLI command to update the domain configuration and enable fault tolerance for data nodes:
  ```bash
  # At least 3 data nodes (the rule's minimum) spread across 3 Availability Zones.
  aws opensearch update-domain-config --domain-name YOUR_DOMAIN_NAME \
    --cluster-config '{"InstanceType": "m5.large.search", "InstanceCount": 3, "DedicatedMasterEnabled": false, "ZoneAwarenessEnabled": true, "ZoneAwarenessConfig": {"AvailabilityZoneCount": 3}}'
  ```
  In this command:
  - Replace YOUR_DOMAIN_NAME with the name of your OpenSearch domain.
  - Adjust the InstanceType and InstanceCount values as per your requirements; the rule requires an InstanceCount of at least 3.
  - Set ZoneAwarenessEnabled to true to enable fault tolerance across Availability Zones.
- Monitor the domain status: Run the following AWS CLI command to monitor the status of the OpenSearch domain until it is active:
  ```bash
  # Repeat until "Processing" in the output is false; the change is then applied.
  aws opensearch describe-domain --domain-name YOUR_DOMAIN_NAME
  ```
By following these steps and using the AWS CLI commands provided, you can enable fault tolerance for OpenSearch data nodes in AWS.
To remediate the misconfiguration of Opensearch Data Node not having fault tolerance in AWS OpenSearch using Python, follow these steps:
- Define the AWS OpenSearch domain configuration using the AWS SDK for Python (Boto3). Ensure that the domain has multiple data nodes for fault tolerance.
  ```python
  import boto3

  # The 'opensearch' client is the current API; the legacy 'es' client exposes the
  # same operation as update_elasticsearch_domain_config.
  client = boto3.client('opensearch')
  domain_name = 'your-opensearch-domain-name'

  # Update the domain configuration to have multiple data nodes for fault tolerance.
  # The rule requires at least 3 data nodes with zone awareness enabled.
  response = client.update_domain_config(
      DomainName=domain_name,
      ClusterConfig={
          'InstanceType': 'm5.large.search',
          'InstanceCount': 3,  # at least 3 data nodes, spread across the AZs below
          'DedicatedMasterEnabled': False,
          'ZoneAwarenessEnabled': True,
          'ZoneAwarenessConfig': {'AvailabilityZoneCount': 3},
      }
  )
  print(response)
  ```
- Run the Python script to update the AWS OpenSearch domain configuration with fault tolerance enabled for data nodes.
- Verify the domain configuration in the AWS Management Console or by using the describe_domain_config API to ensure that the fault tolerance settings have been applied successfully.
By following these steps, you can remediate the misconfiguration of Opensearch Data Node not having fault tolerance in AWS OpenSearch using Python.
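The following is an added example, not part of the original page or of any AWS tooling: it applies the rule's two conditions (InstanceCount of at least 3, ZoneAwarenessEnabled true) to a ClusterConfig dict of the shape returned by describe_domain, builds the corrected ClusterConfig for update_domain_config, and wires both to a live domain through boto3. Remediating to three Availability Zones, and rounding the node count up to a multiple of three so nodes spread evenly, are this example's own choices, not requirements stated by the rule.

```python
"""Evaluate the fault-tolerance rule on a ClusterConfig and build a compliant replacement."""
from typing import Any

MIN_DATA_NODES = 3      # the rule flags InstanceCount < 3
TARGET_AZ_COUNT = 3     # assumption: remediate to three Availability Zones


def evaluate_cluster_config(cfg: dict[str, Any]) -> tuple[str, list[str]]:
    """Apply the rule to a ClusterConfig dict (shape of describe_domain output).
    Returns ('COMPLIANT', []) or ('NON_COMPLIANT', [reasons...])."""
    findings = []
    count = int(cfg.get("InstanceCount", 0))
    if count < MIN_DATA_NODES:
        findings.append(f"InstanceCount is {count}; rule requires at least {MIN_DATA_NODES}")
    if not cfg.get("ZoneAwarenessEnabled", False):
        findings.append("ZoneAwarenessEnabled is false")
    return ("COMPLIANT" if not findings else "NON_COMPLIANT", findings)


def compliant_cluster_config(cfg: dict[str, Any]) -> dict[str, Any]:
    """Return the ClusterConfig to send to update_domain_config: existing instance
    type and dedicated-master settings are kept, zone awareness is enabled across
    TARGET_AZ_COUNT AZs, and the data-node count is raised to the rule's minimum
    and rounded up to a multiple of the AZ count (an existing count is never lowered)."""
    count = max(int(cfg.get("InstanceCount", 0)), MIN_DATA_NODES)
    count = -(-count // TARGET_AZ_COUNT) * TARGET_AZ_COUNT   # ceil to a multiple of 3
    keep = ("InstanceType", "DedicatedMasterEnabled", "DedicatedMasterType", "DedicatedMasterCount")
    fixed = {k: cfg[k] for k in keep if k in cfg}
    fixed.update({
        "InstanceCount": count,
        "ZoneAwarenessEnabled": True,
        "ZoneAwarenessConfig": {"AvailabilityZoneCount": TARGET_AZ_COUNT},
    })
    return fixed


def audit_domain(domain_name: str, apply: bool = False) -> tuple[str, list[str]]:
    """Check one live domain with boto3; submit the fix only when apply=True."""
    import boto3  # imported here so the evaluation helpers run without AWS credentials
    client = boto3.client("opensearch")
    cfg = client.describe_domain(DomainName=domain_name)["DomainStatus"]["ClusterConfig"]
    status, findings = evaluate_cluster_config(cfg)
    if status == "NON_COMPLIANT" and apply:
        client.update_domain_config(DomainName=domain_name,
                                    ClusterConfig=compliant_cluster_config(cfg))
    return status, findings


if __name__ == "__main__":
    # Constructed sample: what a two-node, single-AZ domain reports.
    sample = {"InstanceType": "m5.large.search", "InstanceCount": 2,
              "DedicatedMasterEnabled": False, "ZoneAwarenessEnabled": False}
    print(evaluate_cluster_config(sample))
    print(compliant_cluster_config(sample))
```

Run the script as-is to see the evaluation and the proposed configuration offline; audit_domain("your-domain", apply=True) performs the live update and needs credentials with es:DescribeDomain and es:UpdateDomainConfig.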