AWS OpenSearch Service Domain

This page shows how to write Terraform and CloudFormation for an OpenSearch Service Domain, and how to write them securely.

aws_elasticsearch_domain (Terraform)

The Domain in OpenSearch Service can be configured in Terraform with the resource name aws_elasticsearch_domain. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

test_elastic_search_domain.tf#L1
resource "aws_elasticsearch_domain" "noncompliant_missing_options" { # Noncompliant
  domain_name = "sensitive_domain"
}

resource "aws_elasticsearch_domain" "noncompliant_enabled_false" {
  domain_name = "sensitive_domain"

test.tf#L1
resource "aws_elasticsearch_domain" "domain1" { # Noncompliant {{Make sure that using unencrypted Elasticsearch domains is safe here.}}
}

resource "aws_elasticsearch_domain" "domain2" {
#        ^^^^^^^^^^^^^^^^^^^^^^^^^^> {{Related domain}}
  encrypt_at_rest { # Noncompliant {{Make sure that using unencrypted Elasticsearch domains is safe here.}}

test_aws_elasticsearch_domain.tf#L2
resource "aws_elasticsearch_domain" "elastic-no_domain_endpoint_options" {
  #      ^^^^^^^^^^^^^^^^^^^^^^^^^^
  domain_name = "api.example.com"
}

resource "aws_elasticsearch_domain" "elastic_no_policy" {

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_elasticsearch_domain

There are 5 settings in aws_elasticsearch_domain that should be taken care of for security reasons. The following sections give an overview of each, with example code.

Ensure Amazon Elasticsearch Service domain uses modern TLS protocols

It is better to require TLS v1.2 or newer so that outdated TLS protocol versions cannot be negotiated.

Ensure Amazon Elasticsearch Service domain uses HTTPS

It is better to enforce the use of HTTPS for the domain. Plain HTTP connections could be vulnerable to man-in-the-middle (MITM) attacks.

Ensure to enable at rest encryption of Amazon Elasticsearch Service domain

It is better to enable at rest encryption of Amazon Elasticsearch Service domain. Encryption reduces the risk of data leakage.

Ensure to enable domain logging of Elasticsearch

It is better to enable domain logging for the Amazon Elasticsearch Service domain. These logs are useful for troubleshooting availability issues and meeting compliance requirements.

Ensure to enable in-transit encryption of Amazon Elasticsearch Service domain

It is better to enforce the use of encrypted connections among nodes. Otherwise data in transit inside the cluster could be vulnerable to man-in-the-middle (MITM) attacks.
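As an added example (not one of the GitHub excerpts on this page), a single aws_elasticsearch_domain resource that satisfies all five checks in this section, together with the CloudWatch resources the logging option depends on; the domain name, log group name, instance type and version 7.10 are assumptions:

```hcl
# Added example, not from the page's GitHub excerpts; domain and log group names are constructed.
resource "aws_elasticsearch_domain" "hardened" {
  domain_name           = "example-domain"
  elasticsearch_version = "7.10" # encrypt_at_rest needs >= 5.1, node-to-node encryption >= 6.0
  cluster_config {
    instance_type  = "t3.small.elasticsearch" # t2 instance types do not support encryption at rest
    instance_count = 1
  }
  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }
  # HTTPS only with TLS 1.2 minimum (defaults: enforce_https = false, Policy-Min-TLS-1-0-2019-07)
  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }
  # Encryption at rest (default: disabled); omit kms_key_id to use the AWS-managed key
  encrypt_at_rest {
    enabled = true
  }
  # Encryption in transit between cluster nodes (default: disabled)
  node_to_node_encryption {
    enabled = true
  }
  # Domain logging to CloudWatch, one block per log type (AUDIT_LOGS also needs fine-grained access control)
  log_publishing_options {
    log_type                 = "ES_APPLICATION_LOGS"
    cloudwatch_log_group_arn = aws_cloudwatch_log_group.es_logs.arn
    enabled                  = true
  }
}

resource "aws_cloudwatch_log_group" "es_logs" {
  name              = "/aws/aes/domains/example-domain/application-logs"
  retention_in_days = 90
}

# The service principal must be allowed to write to the group, otherwise enabling the log option fails.
resource "aws_cloudwatch_log_resource_policy" "es_logs" {
  policy_name = "example-domain-es-logs"
  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "es.amazonaws.com" }
      Action    = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:PutLogEventsBatch"]
      Resource  = "${aws_cloudwatch_log_group.es_logs.arn}:*"
    }]
  })
}
```

Leaving out any of the three encryption or endpoint blocks falls back to the provider defaults noted in the comments, which is exactly what the noncompliant excerpts above do.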

Review your AWS OpenSearch Service settings

You can check if the aws_elasticsearch_domain setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Manages an AWS Elasticsearch Domain.

AWS::Elasticsearch::Domain (CloudFormation)

The Domain in Elasticsearch can be configured in CloudFormation with the resource name AWS::Elasticsearch::Domain. The following sections describe 9 examples of how to use the resource and its parameters.

Example Usage from GitHub

elasticSearch.yml#L3
    Type: AWS::Elasticsearch::Domain
    Properties:
      ElasticsearchVersion: '6.3'
      DomainName: transactions-search-${self:provider.stage}
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: false

ElasticSearch.yml#L3
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: ${self:provider.environment.ELASTIC_SEARCH_DOMAIN}
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp2

ESDomain.yml#L2
  Type: AWS::Elasticsearch::Domain
  Properties:
    DomainName: kinesis-domain
    EBSOptions:
      EBSEnabled: true
      VolumeSize: 10

template.yml#L100
  #   Type: 'AWS::Elasticsearch::Domain'
  #   AccessPolicies: Json
  #     Version: "2012-10-17"
  #     Statement:
  #       -
  #         Effect: "Allow"

ElasticSearchDomain.yml#L1
Type: AWS::Elasticsearch::Domain
Properties:
  DomainName: austin-traffic-${self:provider.stage}
  ElasticsearchVersion: 7.1
  ElasticsearchClusterConfig:
    DedicatedMasterEnabled: false

AWS-ElasticSearch-cluster-not-in-a-VPC.json#L6
    "rule": "$.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions any null or ($.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions exists and $.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions.SubnetIds any null)",
    "id": "3b745764-1d47-4adf-a023-18b95dcd713e",
    "enabled": true,
    "recommendation": {
        "name": "Recommended solution having Elastic Cluster inside a VPC.",
        "description": "It is recommended to have Elastic Cluster inside a VPC. Please make sure that \"VPCOptions\" block exists and it has \"subnetIds\" defined.",

test.json#L5
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {
        "DomainName": "myDomain"
      }
    },
    "ESDomain2": {

elasticsearch_domain_no_encryption_at_rest.json#L4
            "Type": "AWS::Elasticsearch::Domain",
            "Properties": {
                "DomainName": "nameddomain"
            }
        },
        "ElasticsearchDomainWithName2": {

Elasticsearch.json#L3
  "resourceType" : "AWS::Elasticsearch::Domain",
  "properties" : [ {
    "propertyName" : "AccessPolicies",
    "propertyType" : "JsonObject",
    "required" : false
  }, {

Parameters

Explanation in CloudFormation Registry

The AWS::Elasticsearch::Domain resource creates an Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) domain.

Important: The AWS::Elasticsearch::Domain resource is being replaced by the AWS::OpenSearchService::Domain resource. While the legacy Elasticsearch resource and options are still supported, we recommend modifying your existing CloudFormation templates to use the new OpenSearch Service resource, which supports both OpenSearch and Elasticsearch. For more information about the service rename, see New resource types in the Amazon OpenSearch Service Developer Guide.

Frequently asked questions

What is AWS OpenSearch Service Domain?

AWS OpenSearch Service Domain is a resource of the OpenSearch Service in Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS OpenSearch Service Domain?

For Terraform, the three SonarSource/sonar-iac source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the paulovsm/expense-tracker, first-line-outsourcing/tools and AndrewAKG/serverless-kinesis-to-elasticsearch-typescript source code examples are useful. See the CloudFormation Example section for further details.