AWS OpenSearch Service Domain
This page shows how to write Terraform and CloudFormation for an OpenSearch Service Domain, and how to write them securely.
aws_elasticsearch_domain (Terraform)
The Domain in OpenSearch Service can be configured in Terraform with the resource name aws_elasticsearch_domain. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_elasticsearch_domain" "noncompliant_missing_options" { # Noncompliant
  domain_name = "sensitive_domain"
}

resource "aws_elasticsearch_domain" "noncompliant_enabled_false" {
  domain_name = "sensitive_domain"
}

resource "aws_elasticsearch_domain" "domain1" { # Noncompliant {{Make sure that using unencrypted Elasticsearch domains is safe here.}}
}

resource "aws_elasticsearch_domain" "domain2" {
# ^^^^^^^^^^^^^^^^^^^^^^^^^^> {{Related domain}}
  encrypt_at_rest { # Noncompliant {{Make sure that using unencrypted Elasticsearch domains is safe here.}}
  }
}

resource "aws_elasticsearch_domain" "elastic-no_domain_endpoint_options" {
# ^^^^^^^^^^^^^^^^^^^^^^^^^^
  domain_name = "api.example.com"
}

resource "aws_elasticsearch_domain" "elastic_no_policy" {
}
Security Best Practices for aws_elasticsearch_domain
There are 5 settings in aws_elasticsearch_domain that should be taken care of for security reasons. The following sections give an overview and example code.
Ensure the Amazon Elasticsearch Service domain uses modern TLS protocols
It is better to require TLS 1.2 or later so that outdated TLS protocols are not accepted.
Ensure the Amazon Elasticsearch Service domain uses HTTPS
It is better to enforce the use of HTTPS for the domain. Plain HTTP connections could be vulnerable to man-in-the-middle (MITM) attacks.
Ensure at-rest encryption is enabled for the Amazon Elasticsearch Service domain
It is better to enable at-rest encryption for the Amazon Elasticsearch Service domain. Encryption reduces the risk of data leakage.
Ensure domain logging is enabled for Elasticsearch
It is better to enable domain logging for Amazon Elasticsearch Service. These logs are useful for troubleshooting availability issues and meeting compliance requirements.
Ensure in-transit encryption is enabled for the Amazon Elasticsearch Service domain
It is better to enforce encrypted connections among nodes. Otherwise, in-transit data could be vulnerable to man-in-the-middle (MITM) attacks.
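As an added example (not code from this page or from the SonarSource test files quoted above), here is an aws_elasticsearch_domain that satisfies all five practices at once. The domain name, version, instance type, log group name and policy name are assumed placeholders; the CloudWatch log group and its resource policy are included because the service cannot publish logs without a policy that allows it to write.

```hcl
# Assumed log group, plus the resource policy that lets the service write to it.
resource "aws_cloudwatch_log_group" "es" {
  name = "/aws/opensearch/example-domain" # assumed name
}

resource "aws_cloudwatch_log_resource_policy" "es" {
  policy_name = "example-domain-logs" # assumed name
  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "es.amazonaws.com" }
      Action    = ["logs:PutLogEvents", "logs:CreateLogStream"]
      Resource  = "${aws_cloudwatch_log_group.es.arn}:*"
    }]
  })
}

resource "aws_elasticsearch_domain" "compliant" {
  domain_name           = "example-domain" # assumed
  elasticsearch_version = "7.10"           # assumed
  cluster_config {
    # t2 instance types do not support encryption at rest; pick one that does.
    instance_type = "m5.large.elasticsearch"
  }
  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }
  # HTTPS only, with a policy that rejects TLS 1.0 and 1.1 clients.
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }
  # Data at rest is encrypted with the AWS-managed key unless kms_key_id is set.
  encrypt_at_rest {
    enabled = true
  }
  # Traffic between cluster nodes is encrypted.
  node_to_node_encryption {
    enabled = true
  }
  # Domain logging to CloudWatch; further log_type values are added the same way.
  log_publishing_options {
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.es.arn
    log_type                 = "ES_APPLICATION_LOGS"
  }
}
```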
Parameters
access_policies - optional computed - string
advanced_options - optional computed - map from string to string
arn - optional computed - string
domain_id - optional computed - string
domain_name - required - string
elasticsearch_version - optional - string
endpoint - optional computed - string
id - optional computed - string
kibana_endpoint - optional computed - string
tags - optional - map from string to string
advanced_security_options - list block
    enabled - required - bool
    internal_user_database_enabled - optional - bool
    master_user_options - list block
        master_user_arn - optional - string
        master_user_name - optional - string
        master_user_password - optional - string
cluster_config - list block
    dedicated_master_count - optional - number
    dedicated_master_enabled - optional - bool
    dedicated_master_type - optional - string
    instance_count - optional - number
    instance_type - optional - string
    warm_count - optional - number
    warm_enabled - optional - bool
    warm_type - optional - string
    zone_awareness_enabled - optional - bool
    zone_awareness_config - list block
        availability_zone_count - optional - number
cognito_options - list block
    enabled - optional - bool
    identity_pool_id - required - string
    role_arn - required - string
    user_pool_id - required - string
domain_endpoint_options - list block
    custom_endpoint - optional - string
    custom_endpoint_certificate_arn - optional - string
    custom_endpoint_enabled - optional - bool
    enforce_https - optional - bool
    tls_security_policy - optional computed - string
ebs_options - list block
    ebs_enabled - required - bool
    iops - optional - number
    volume_size - optional - number
    volume_type - optional computed - string
encrypt_at_rest - list block
    enabled - required - bool
    kms_key_id - optional computed - string
log_publishing_options - set block
    cloudwatch_log_group_arn - required - string
    enabled - optional - bool
    log_type - required - string
node_to_node_encryption - list block
    enabled - required - bool
snapshot_options - list block
    automated_snapshot_start_hour - required - number
timeouts - single block
    update - optional - string
vpc_options - list block
    availability_zones - optional computed - set of string
    security_group_ids - optional - set of string
    subnet_ids - optional - set of string
    vpc_id - optional computed - string
Explanation in Terraform Registry
Manages an AWS Elasticsearch Domain.
AWS::Elasticsearch::Domain (CloudFormation)
The Domain in Elasticsearch can be configured in CloudFormation with the resource name AWS::Elasticsearch::Domain. The following sections describe 9 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::Elasticsearch::Domain
Properties:
  ElasticsearchVersion: '6.3'
  DomainName: transactions-search-${self:provider.stage}
  ElasticsearchClusterConfig:
    DedicatedMasterEnabled: false

Type: AWS::Elasticsearch::Domain
Properties:
  DomainName: ${self:provider.environment.ELASTIC_SEARCH_DOMAIN}
  EBSOptions:
    EBSEnabled: true
    VolumeType: gp2

Type: AWS::Elasticsearch::Domain
Properties:
  DomainName: kinesis-domain
  EBSOptions:
    EBSEnabled: true
    VolumeSize: 10

# Type: 'AWS::Elasticsearch::Domain'
# AccessPolicies: Json
#   Version: "2012-10-17"
#   Statement:
#     -
#       Effect: "Allow"

Type: AWS::Elasticsearch::Domain
Properties:
  DomainName: austin-traffic-${self:provider.stage}
  ElasticsearchVersion: 7.1
  ElasticsearchClusterConfig:
    DedicatedMasterEnabled: false

"rule": "$.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions any null or ($.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions exists and $.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions.SubnetIds any null)",
"id": "3b745764-1d47-4adf-a023-18b95dcd713e",
"enabled": true,
"recommendation": {
  "name": "Recommended solution having Elastic Cluster inside a VPC.",
  "description": "It is recommended to have Elastic Cluster inside a VPC. Please make sure that \"VPCOptions\" block exists and it has \"subnetIds\" defined.",

  "Type": "AWS::Elasticsearch::Domain",
  "Properties": {
    "DomainName": "myDomain"
  }
},
"ESDomain2": {
  "Type": "AWS::Elasticsearch::Domain",
  "Properties": {
    "DomainName": "nameddomain"
  }
},
"ElasticsearchDomainWithName2": {

"resourceType" : "AWS::Elasticsearch::Domain",
"properties" : [ {
  "propertyName" : "AccessPolicies",
  "propertyType" : "JsonObject",
  "required" : false
}, {
Parameters
AccessPolicies - optional - Json
AdvancedOptions - optional - Map
AdvancedSecurityOptions - optional - AdvancedSecurityOptionsInput
CognitoOptions - optional - CognitoOptions
DomainEndpointOptions - optional - DomainEndpointOptions
DomainName - optional - String
EBSOptions - optional - EBSOptions
ElasticsearchClusterConfig - optional - ElasticsearchClusterConfig
ElasticsearchVersion - optional - String
EncryptionAtRestOptions - optional - EncryptionAtRestOptions
LogPublishingOptions - optional - Map of LogPublishingOption
NodeToNodeEncryptionOptions - optional - NodeToNodeEncryptionOptions
SnapshotOptions - optional - SnapshotOptions
Tags - optional - List of Tag
VPCOptions - optional - VPCOptions
Explanation in CloudFormation Registry
The AWS::Elasticsearch::Domain resource creates an Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) domain.
Important: The AWS::Elasticsearch::Domain resource is being replaced by the AWS::OpenSearchService::Domain resource. While the legacy Elasticsearch resource and options are still supported, we recommend modifying your existing CloudFormation templates to use the new OpenSearch Service resource, which supports both OpenSearch and Elasticsearch. For more information about the service rename, see New resource types in the Amazon OpenSearch Service Developer Guide.
Frequently asked questions
What is AWS OpenSearch Service Domain?
AWS OpenSearch Service Domain is a resource of the OpenSearch Service in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS OpenSearch Service Domain?
For Terraform, the three SonarSource/sonar-iac source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the paulovsm/expense-tracker, first-line-outsourcing/tools and AndrewAKG/serverless-kinesis-to-elasticsearch-typescript source code examples are useful. See the CloudFormation Example section for further details.