🛡️ AWS OpenSearch Domain latest Service Software Update is not installed🟢

• Contextual name: 🛡️ Domain latest Service Software Update is not installed🟢
• ID: /ce/ca/aws/opensearch/domain-software-update
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS OpenSearch Domain
  • 🔌 AWS OpenSearch Domain - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [Opensearch.10] OpenSearch domains should have the latest software update installed

Description

Open File

Description

This policy identifies AWS OpenSearch Domains that are not configured to run the latest compatible service software version. Service software updates include essential security patches, bug fixes, and performance enhancements that help maintain a secure, reliable, and optimized OpenSearch environment.

Rationale

Applying the latest service software updates on a regular basis helps safeguard OpenSearch domains against known vulnerabilities, improves stability by resolving bugs, and provides access to new features and performance improvements.

Impact

Failing to install the latest updates can expose OpenSearch domains to security risks, reduce performance efficiency, and cause operational instability due to unresolved defects. Additionally, outdated domains may lack access to new capabilities that enhance functionality and reliability.

Audit

This policy flags an AWS OpenSearch Domain as INCOMPLIANT if Service Software: Update Available field is set to false.

Remediation

Open File

Remediation

Start Service Software Update

From AWS CLI

Use the following command to initiate a service software update for an OpenSearch domain:

aws opensearch start-service-software-update \
  --domain-name {{domain-name}} \
  --schedule-at "NOW"

The --schedule-at parameter allows you to queue the update immediately.

If the command fails with a BaseException, the specified time slot may be unavailable due to capacity constraints. In such cases, review the alternate time slot suggestions provided in the response and resubmit the request with an available time.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Well-Architected → 💼 SEC06-BP01 Perform vulnerability management			2		no data
💼 Cloudaware Framework → 💼 Infrastructure Modernization			17		no data