🛡️ AWS OpenSearch Domain Instance Count is fewer than three🟢

  • Contextual name: 🛡️ Domain Instance Count is fewer than three🟢
  • ID: /ce/ca/aws/opensearch/domain-instance-count
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Description

This policy identifies AWS OpenSearch Domains that do not adhere to high-availability best practices, specifically the requirement for a minimum of three data nodes and the use of Zone Awareness.

Rationale

High availability in AWS OpenSearch Service is achieved through redundancy and fault isolation across Availability Zones:

  1. Zone Awareness: When enabled, OpenSearch distributes nodes and their associated shards across two or three Availability Zones (AZs). This design ensures that the failure of a single AZ does not result in data loss or a complete service outage.
  2. Instance Count: A minimum of three data nodes is recommended for production environments. This configuration supports quorum-based master elections and ensures that the cluster remains operational with adequate capacity if a node or an Availability Zone becomes unavailable.

Impact

If Zone Awareness is disabled or the instance count is insufficient, the OpenSearch domain becomes a single point of failure. Hardware issues, node failures, or Availability Zone disruptions may cause the cluster to enter a Red state, resulting in partial or complete loss of data availability.

Remediation

Enable High Availability for OpenSearch Domain

To meet high-availability best practices, configure the OpenSearch Service domain with a minimum of three data nodes and enable Zone Awareness.

From Command Line

Use the update-domain-config command to enable Zone Awareness and set the instance count to three data nodes. This configuration distributes nodes across three Availability Zones.

aws opensearch update-domain-config \
  --domain-name {{domain-name}} \
  --cluster-config '{
    "InstanceCount": 3,
    "ZoneAwarenessEnabled": true,
    "ZoneAwarenessConfig": {
      "AvailabilityZoneCount": 3
    }
  }'

Additional Considerations
  • The AvailabilityZoneCount value must match the number of Availability Zones supported in the selected AWS Region.
  • For smaller regions that support only two Availability Zones, set AvailabilityZoneCount to 2 while maintaining a minimum of three data nodes.
  • Changes to cluster configuration may trigger a rolling update and can temporarily impact cluster performance.
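
To confirm the result after the update, or to audit several domains at once, the two conditions in this policy can be checked against the output of aws opensearch describe-domain. The Python below is an added example, not Cloudaware's policy logic; the function names and the sample responses are constructed for illustration, and only the ClusterConfig fields used in the command above are read.

```python
import json

MIN_DATA_NODES = 3  # minimum data-node count stated in this policy


def evaluate_domain(describe_output):
    """Return findings for one describe-domain response; an empty list means compliant."""
    cfg = describe_output["DomainStatus"].get("ClusterConfig", {})
    findings = []

    count = cfg.get("InstanceCount", 0)
    if count < MIN_DATA_NODES:
        findings.append(f"InstanceCount={count} (need >= {MIN_DATA_NODES})")

    if not cfg.get("ZoneAwarenessEnabled", False):
        findings.append("ZoneAwarenessEnabled=false")
    return findings


def audit(responses):
    """Map each non-compliant domain name to its list of findings."""
    report = {}
    for resp in responses:
        findings = evaluate_domain(resp)
        if findings:
            report[resp["DomainStatus"]["DomainName"]] = findings
    return report


# Constructed sample responses (not real domains), trimmed to the fields used here.
SAMPLES = json.loads("""
[
  {"DomainStatus": {"DomainName": "logs-single-node",
    "ClusterConfig": {"InstanceCount": 1, "ZoneAwarenessEnabled": false}}},
  {"DomainStatus": {"DomainName": "search-three-no-za",
    "ClusterConfig": {"InstanceCount": 3, "ZoneAwarenessEnabled": false}}},
  {"DomainStatus": {"DomainName": "metrics-two-az",
    "ClusterConfig": {"InstanceCount": 3, "ZoneAwarenessEnabled": true,
                      "ZoneAwarenessConfig": {"AvailabilityZoneCount": 2}}}},
  {"DomainStatus": {"DomainName": "prod-three-az",
    "ClusterConfig": {"InstanceCount": 6, "ZoneAwarenessEnabled": true,
                      "ZoneAwarenessConfig": {"AvailabilityZoneCount": 3}}}}
]
""")

if __name__ == "__main__":
    for name, findings in audit(SAMPLES).items():
        print(f"{name}: " + "; ".join(findings))
```

The two-AZ sample with three data nodes passes, matching the guidance above for regions that support only two Availability Zones.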

Linked Framework Sections

Section  Sub Sections  Internal Rules  Policies  Flags  Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ES.6] Elasticsearch domains should have at least three data nodes  1  no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.6] OpenSearch domains should have at least three data nodes  1  no data
💼 Cloudaware Framework → 💼 System Configuration  54  no data
💼 FedRAMP High Security Controls → 💼 CP-6(2) Recovery Time and Recovery Point Objectives (H)  14  no data
💼 FedRAMP High Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)  214  no data
💼 FedRAMP Low Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)  14  no data
💼 FedRAMP Moderate Security Controls → 💼 CP-10 System Recovery and Reconstitution (L)(M)(H)  114  no data
💼 NIST CSF v2.0 → 💼 PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations  17  no data
💼 NIST CSF v2.0 → 💼 RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process  14  no data
💼 NIST CSF v2.0 → 💼 RC.RP-02: Recovery actions are selected, scoped, prioritized, and performed  14  no data
💼 NIST CSF v2.0 → 💼 RC.RP-05: The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed  14  no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-6(2) Alternate Storage Site _ Recovery Time and Recovery Point Objectives  14  no data
💼 NIST SP 800-53 Revision 5 → 💼 CP-10 System Recovery and Reconstitution  614  no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-5(2) Denial-of-service Protection _ Capacity, Bandwidth, and Redundancy  13  no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-36 Distributed Processing and Storage  28  no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-13(5) Predictable Failure Prevention _ Failover Capability  13  no data