AWS OpenSearch Domain Dedicated Master Count is fewer than three
- Contextual name: Domain Dedicated Master Count is fewer than three
- ID: /ce/ca/aws/opensearch/domain-dedicated-master-count
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: RELIABILITY
Logic
- prod.logic.yaml
Similar Policies
- AWS Security Hub: [Opensearch.11] OpenSearch domains should have at least three dedicated primary nodes
- AWS Security Hub: [ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes
Description
This policy identifies AWS OpenSearch Domains that are configured with fewer than three dedicated master nodes or do not have dedicated master nodes enabled.
Rationale
Dedicated master nodes are responsible for critical cluster management functions, including maintaining cluster state, monitoring node health, coordinating shard allocation, and processing configuration changes.
- Stability: Separating cluster management responsibilities from data nodes reduces resource contention. Even under heavy indexing or query workloads, dedicated master nodes help maintain cluster stability.
- Quorum and High Availability: OpenSearch uses a quorum-based election process to prevent split-brain scenarios, where multiple nodes incorrectly assume leadership. A minimum of three dedicated master nodes ensures that the cluster can still elect a master if one node becomes unavailable.
- Best Practices: For production workloads, AWS recommends using an odd number of dedicated master nodes, typically three or five, to maximize fault tolerance and maintain quorum during failures.
Remediation
Enable Dedicated Master Nodes for OpenSearch Domain
To improve cluster stability and ensure quorum-based master elections, configure the OpenSearch Service domain with dedicated master nodes and set the master node count to a minimum of three.
From Command Line
Use the `update-domain-config` command to enable dedicated master nodes and configure the recommended master node count:

```bash
aws opensearch update-domain-config \
  --domain-name {{domain-name}} \
  --cluster-config '{
    "DedicatedMasterEnabled": true,
    "DedicatedMasterCount": 3,
    "DedicatedMasterType": "{{m5.large.search}}"
  }'
```

Additional Considerations
- Use an odd number of dedicated master nodes (for example, 3 or 5) to maintain quorum during failures.
- Dedicated master nodes should not be used for data or ingest workloads.
- Enabling dedicated master nodes triggers a blue/green update of the domain, which may cause a brief period of reduced availability or increased latency. Plan the change accordingly.
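
The check this policy describes can be run offline against saved `aws opensearch describe-domains` output, before and after remediation. The following is an added example, not the policy's own `prod.logic.yaml`; the domain names, the PASS/FAIL labels and the simple-majority quorum model are assumptions of the example.

```python
MIN_MASTERS = 3  # threshold stated by the policy

# Constructed sample shaped like describe-domains output
# (DomainStatusList[].ClusterConfig); domain names are made up.
SAMPLE = {"DomainStatusList": [
    {"DomainName": "logs-prod",
     "ClusterConfig": {"DedicatedMasterEnabled": True, "DedicatedMasterCount": 3}},
    {"DomainName": "search-dev",
     "ClusterConfig": {"DedicatedMasterEnabled": False}},
    {"DomainName": "metrics",
     "ClusterConfig": {"DedicatedMasterEnabled": True, "DedicatedMasterCount": 2}},
    {"DomainName": "audit",
     "ClusterConfig": {"DedicatedMasterEnabled": True, "DedicatedMasterCount": 4}},
]}


def tolerated_failures(count):
    """Master nodes that can be lost while a simple majority still exists."""
    quorum = count // 2 + 1
    return max(count - quorum, 0)


def evaluate(domain):
    """Return (status, reason) for one DomainStatus dict."""
    cfg = domain.get("ClusterConfig") or {}
    if not cfg.get("DedicatedMasterEnabled", False):
        # DedicatedMasterCount is typically absent when the feature is off.
        return "FAIL", "dedicated master nodes are not enabled"
    count = int(cfg.get("DedicatedMasterCount") or 0)
    lost = tolerated_failures(count)
    if count < MIN_MASTERS:
        return "FAIL", f"{count} dedicated master node(s), tolerates {lost} failure(s)"
    if count % 2 == 0:
        # Meets the threshold, but the page recommends an odd count.
        return "PASS", f"{count} is even; tolerates {lost} failure(s), same as {count - 1}"
    return "PASS", f"{count} dedicated master nodes, tolerates {lost} failure(s)"


def audit(describe_output):
    """Map each domain name to its (status, reason)."""
    return {d["DomainName"]: evaluate(d)
            for d in describe_output.get("DomainStatusList", [])}


if __name__ == "__main__":
    for name, (status, reason) in audit(SAMPLE).items():
        print(f"{name:12} {status:5} {reason}")
```

The two-node case shows why the threshold is three: a majority of two is two, so losing either master leaves no quorum.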