🛡️ AWS OpenSearch Domain latest Service Software Update is not installed 🟢

  • Contextual name: 🛡️ Domain latest Service Software Update is not installed 🟢
  • ID: /ce/ca/aws/opensearch/domain-software-update
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Description

This policy identifies AWS OpenSearch Service domains for which a newer compatible service software version is available but has not yet been installed.

Service software updates are released and managed by AWS. These updates can include security patches, reliability fixes, operational improvements, and performance enhancements for the managed OpenSearch platform.

Rationale

Keeping OpenSearch service software current helps reduce exposure to known service-side defects and ensures domains benefit from the latest improvements delivered by AWS. Applying updates in a controlled manner also gives teams better change-management control than waiting for a later forced or automated rollout.

Impact

Starting a service software update causes the domain to enter a processing state while the update is being deployed. Plan the change during an approved maintenance window and validate domain health, application connectivity, and cluster behavior before and after the update.

Audit

This policy flags an AWS OpenSearch Domain as INCOMPLIANT if the Service Software: Update Available field is set to true.

Remediation

Install the Latest Service Software Update

Before starting the update:

  • confirm the domain is healthy and no conflicting configuration changes are in progress;
  • schedule the change during a low-traffic maintenance window;
  • notify application owners if the domain supports production workloads.

From AWS CLI

Use the following command to start the service software update immediately:

aws opensearch start-service-software-update \
    --domain-name {{domain-name}} \
    --schedule-at NOW

Monitor the domain until the update completes and CloudAware no longer reports Service Software: Update Available as true.

If the request fails because the selected time slot is not available, review the alternate scheduling information returned by AWS and resubmit the update for an available window.
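The audit rule above (flag a domain when Service Software: Update Available is true) and the CLI remediation can be exercised together against the response shape of the OpenSearch DescribeDomain API, where that field is `DomainStatus.ServiceSoftwareOptions.UpdateAvailable`. The following is an added example, not Cloudaware's own policy implementation: it evaluates constructed sample responses offline, separates domains that still need the `start-service-software-update` call from ones whose update is already pending or in progress (those should only be monitored, not re-submitted), and includes an optional boto3 path for a live account. Domain names, version strings and dates in the samples are made up.

```python
"""Audit AWS OpenSearch domains for an uninstalled service software update.

Added example, not Cloudaware's policy code. Works on the shape of the
OpenSearch DescribeDomain API response (DomainStatus.ServiceSoftwareOptions).
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


def _sample(name, current, new, available, status, processing):
    """Build a constructed DescribeDomain-shaped response (not captured data)."""
    return {"DomainStatus": {
        "DomainName": name,
        "Processing": processing,
        "ServiceSoftwareOptions": {
            "CurrentVersion": current,
            "NewVersion": new,
            "UpdateAvailable": available,
            "Cancellable": status == "IN_PROGRESS",
            "UpdateStatus": status,
            "AutomatedUpdateDate": datetime(2024, 4, 15, tzinfo=timezone.utc),
            "OptionalDeployment": True,
        }}}


# Constructed samples: versions, names and dates are illustrative only.
SAMPLE_RESPONSES = {
    "search-prod": _sample("search-prod", "OpenSearch_2_11_R20240101-P1",
                           "OpenSearch_2_11_R20240301-P2", True, "ELIGIBLE", False),
    "logs-dev": _sample("logs-dev", "OpenSearch_2_11_R20240101-P1",
                        "OpenSearch_2_11_R20240301-P2", True, "IN_PROGRESS", True),
    "metrics-prod": _sample("metrics-prod", "OpenSearch_2_11_R20240301-P2",
                            "OpenSearch_2_11_R20240301-P2", False, "COMPLETED", False),
}


def remediation_command(domain_name: str) -> str:
    """The page's remediation: start the update immediately via the AWS CLI."""
    return (f"aws opensearch start-service-software-update "
            f"--domain-name {domain_name} --schedule-at NOW")


def evaluate_domain(response: Dict, now: Optional[datetime] = None) -> Dict:
    """Apply the audit rule to one DescribeDomain response.

    INCOMPLIANT when ServiceSoftwareOptions.UpdateAvailable is true. The
    'action' field is the remediation command for domains that still need it,
    'monitor' for domains already pending/deploying, None when compliant.
    """
    now = now or datetime.now(timezone.utc)
    status = response["DomainStatus"]
    opts = status.get("ServiceSoftwareOptions", {})
    update_available = bool(opts.get("UpdateAvailable", False))
    update_status = opts.get("UpdateStatus")

    finding = {
        "domain": status["DomainName"],
        "compliance": "INCOMPLIANT" if update_available else "COMPLIANT",
        "current_version": opts.get("CurrentVersion"),
        "new_version": opts.get("NewVersion"),
        "update_status": update_status,
        "days_until_automated_update": None,
        "action": None,
    }
    if not update_available:
        return finding

    # AWS eventually rolls the update out on its own; the countdown helps
    # decide which domains to schedule into a maintenance window first.
    auto = opts.get("AutomatedUpdateDate")
    if isinstance(auto, datetime):
        finding["days_until_automated_update"] = (auto - now).days

    if update_status in ("PENDING_UPDATE", "IN_PROGRESS") or status.get("Processing"):
        finding["action"] = "monitor"
    else:
        finding["action"] = remediation_command(status["DomainName"])
    return finding


def evaluate_domains(responses: Iterable[Dict]) -> List[Dict]:
    """Evaluate many responses; INCOMPLIANT findings are listed first."""
    findings = [evaluate_domain(r) for r in responses]
    return sorted(findings, key=lambda f: f["compliance"] != "INCOMPLIANT")


def evaluate_account(region: str) -> List[Dict]:
    """Live variant: needs boto3 and es:ListDomainNames / es:DescribeDomain."""
    import boto3  # imported here so the offline part of the example runs without it
    client = boto3.client("opensearch", region_name=region)
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    return evaluate_domains(client.describe_domain(DomainName=n) for n in names)


if __name__ == "__main__":
    for f in evaluate_domains(SAMPLE_RESPONSES.values()):
        print(f"{f['domain']:13} {f['compliance']:12} "
              f"{f['current_version']} -> {f['new_version']}  action: {f['action']}")
```

Run it as-is to see the three sample outcomes; call `evaluate_account("<region>")` with credentials to audit a real region. The `monitor` outcome matters in practice: the page's audit field stays true while an update is deploying, so a naive loop that re-issues `start-service-software-update` for every flagged domain would send redundant requests for domains already in the processing state described under Impact.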

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Opensearch.10] OpenSearch domains should have the latest software update installed1no data
💼 AWS Well-Architected → 💼 SEC06-BP01 Perform vulnerability management2no data
💼 Cloudaware Framework → 💼 Infrastructure Modernization18no data
💼 FedRAMP High Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)2724no data
💼 FedRAMP High Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H)9no data
💼 FedRAMP Low Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)24no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2 Flaw Remediation (L)(M)(H)224no data
💼 FedRAMP Moderate Security Controls → 💼 SI-2(2) Automated Flaw Remediation Status (M)(H)9no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations47no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties62no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities62no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2 Flaw Remediation6621no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(2) Flaw Remediation | Automated Flaw Remediation Status19no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(4) Flaw Remediation | Automated Patch Management Tools9no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(5) Flaw Remediation | Automatic Software and Firmware Updates29no data
💼 PCI DSS v3.2.1 → 💼 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.7no data
💼 PCI DSS v4.0.1 → 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates7no data
💼 PCI DSS v4.0 → 💼 6.3.3 All system components are protected from known vulnerabilities by installing applicable security patches/updates7no data