Top / Amazon Web Service / AWS OpenSearch Service / Domain Policy

AWS OpenSearch Service Domain Policy

This page shows how to write Terraform and CloudFormation for OpenSearch Service Domain Policy and write them securely.

terraform-logo

Review your .tf file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

aws_elasticsearch_domain (Terraform)

The Domain Policy in OpenSearch Service can be configured in Terraform with the resource name aws_elasticsearch_domain. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

test_elastic_search_domain.tf#L1
resource "aws_elasticsearch_domain" "noncompliant_missing_options" { # Noncompliant
  domain_name = "sensitive_domain"
}

resource "aws_elasticsearch_domain" "noncompliant_enabled_false" {
  domain_name = "sensitive_domain"
test.tf#L1
resource "aws_elasticsearch_domain" "domain1" { # Noncompliant {{Make sure that using unencrypted Elasticsearch domains is safe here.}}
}

resource "aws_elasticsearch_domain" "domain2" {
#        ^^^^^^^^^^^^^^^^^^^^^^^^^^> {{Related domain}}
  encrypt_at_rest { # Noncompliant {{Make sure that using unencrypted Elasticsearch domains is safe here.}}
test_aws_elasticsearch_domain.tf#L2
resource "aws_elasticsearch_domain" "elastic-no_domain_endpoint_options" {
  #      ^^^^^^^^^^^^^^^^^^^^^^^^^^
  domain_name = "api.example.com"
}

resource "aws_elasticsearch_domain" "elastic_no_policy" {

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Allows setting policy to an Elasticsearch domain while referencing domain attributes (e.g., ARN)

>> from Terraform Registry

Tips: Best Practices for The Other AWS OpenSearch Service Resources

In addition to the aws_elasticsearch_domain, AWS OpenSearch Service has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_elasticsearch_domain

Ensure Amazon Elasticsearch Service domain uses modern TLS protocols

It's better to adopt TLS v1.2+ to avoid using outdated TLS protocols.

Review your AWS OpenSearch Service settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::Elasticsearch::Domain (CloudFormation)

The Domain in Elasticsearch can be configured in CloudFormation with the resource name AWS::Elasticsearch::Domain. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

elasticSearch.yml#L3
    Type: AWS::Elasticsearch::Domain
    Properties:
      ElasticsearchVersion: '6.3'
      DomainName: transactions-search-${self:provider.stage}
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: false
ElasticSearch.yml#L3
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: ${self:provider.environment.ELASTIC_SEARCH_DOMAIN}
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp2
ESDomain.yml#L2
  Type: AWS::Elasticsearch::Domain
  Properties:
    DomainName: kinesis-domain
    EBSOptions:
      EBSEnabled: true
      VolumeSize: 10
template.yml#L100
  #   Type: 'AWS::Elasticsearch::Domain'
  #   AccessPolicies: Json
  #     Version: "2012-10-17"
  #     Statement:
  #       -
  #         Effect: "Allow"
ElasticSearchDomain.yml#L1
Type: AWS::Elasticsearch::Domain
Properties:
  DomainName: austin-traffic-${self:provider.stage}
  ElasticsearchVersion: 7.1
  ElasticsearchClusterConfig:
    DedicatedMasterEnabled: false
AWS-ElasticSearch-cluster-not-in-a-VPC.json#L6
    "rule": "$.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions any null or ($.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions exists and $.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions.SubnetIds any null)",
    "id": "3b745764-1d47-4adf-a023-18b95dcd713e",
    "enabled": true,
    "recommendation": {
        "name": "Recommended solution having Elastic Cluster inside a VPC.",
        "description": "It is recommended to have Elastic Cluster inside a VPC. Please make sure that \"VPCOptions\" block exists and it has \"subnetIds\" defined.",
elasticsearch_domain_no_encryption_at_rest.json#L4
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "DomainName": "nameddomain"
            }
        },
        "ElasticsearchDomainWithName2": {
AWS-ElasticSearch-cluster-not-in-a-VPC-positive-1.json#L4
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "DomainName": {
                    "Ref": "DomainName"
                },
                "ElasticsearchVersion": {
es.json#L4
        "Type" : "AWS::Elasticsearch::Domain",
        "Properties" : {
            "ElasticsearchClusterConfig":{
                "DedicatedMasterEnabled" : false,
                "InstanceCount" : 1,
                "InstanceType" : "t2.small.elasticsearch",
elasticsearch_domain_no_encryption_node_to_node.json#L4
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "DomainName": "nameddomain"
            }
        },
        "ElasticsearchDomainWithName2": {

Parameters

>> from AWS CloudFormation Documentation

Explanation in CloudFormation Registry

The AWS::Elasticsearch::Domain resource creates an Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) domain.

Important The AWS::Elasticsearch::Domain resource is being replaced by the AWS::OpenSearchService::Domain resource. While the legacy Elasticsearch resource and options are still supported, we recommend modifying your existing Cloudformation templates to use the new OpenSearch Service resource, which supports both OpenSearch and Elasticsearch. For more information about the service rename, see New resource types in the Amazon OpenSearch Service Developer Guide.

>> from AWS CloudFormation Documentation

The Other Related AWS OpenSearch Service Resources

Frequently asked questions

What is AWS OpenSearch Service Domain Policy?

AWS OpenSearch Service Domain Policy is a resource for OpenSearch Service of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS OpenSearch Service Domain Policy?

For Terraform, the SonarSource/sonar-iac, SonarSource/sonar-iac and SonarSource/sonar-iac source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the paulovsm/expense-tracker, first-line-outsourcing/tools and AndrewAKG/serverless-kinesis-to-elasticsearch-typescript source code examples are useful. See the CloudFormation Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents