Skip to main content

More Info:

This rule checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true. The rule is NON_COMPLIANT for an OpenSearch domain if ‘instanceCount’ is less than 3 or ‘zoneAwarenessEnabled’ is set to ‘false’.

Risk Level

Medium

Address

Configuration

Compliance Standards

CBP

Triage and Remediation

  • Remediation

Remediation

Using Console

To remediate the lack of fault tolerance for an OpenSearch data node in AWS, you can follow these steps using the AWS Management Console:
  1. Navigate to Amazon OpenSearch Service Console:
    • Go to the AWS Management Console (https://console.aws.amazon.com).
    • In the “Find services” search bar, type “OpenSearch Service” and click on it to open the OpenSearch dashboard.
  2. Select the OpenSearch Domain:
    • From the list of OpenSearch domains, select the domain for which you want to enable fault tolerance.
  3. Modify the Domain Configuration:
    • In the OpenSearch dashboard, locate and click on the domain name that you want to modify.
    • Click on the “Modify domain” button to update the domain configuration.
  4. Enable Zone Awareness:
    • In the “Configure cluster” section, find the “Enable zone awareness” option and toggle it to enable fault tolerance.
    • Zone awareness ensures that each primary shard has at least one replica in a different Availability Zone.
  5. Select the Number of Availability Zones:
    • Choose the number of Availability Zones you want to distribute your data across. It is recommended to select at least 2 Availability Zones for fault tolerance.
  6. Save the Configuration Changes:
    • Review the other settings and configurations to ensure they are correct.
    • Click on the “Submit” button to save the changes and apply fault tolerance to your OpenSearch domain.
  7. Monitor the Domain:
    • Once the configuration changes are saved, monitor the domain to ensure that the fault tolerance settings are applied correctly.
    • You can check the domain status and cluster health in the OpenSearch dashboard.
By following these steps, you can enable fault tolerance for an OpenSearch data node in AWS, ensuring high availability and resilience to failures in your OpenSearch domain.

To enable fault tolerance for OpenSearch data nodes in AWS, you can follow these steps using the AWS CLI:
  1. Identify the OpenSearch domain: Run the following AWS CLI command to list all the OpenSearch domains in your AWS account: 
    aws opensearchservice list-domain-names
  2. Get the configuration of the OpenSearch domain: Run the following AWS CLI command to get the configuration of the specific OpenSearch domain: 
    aws opensearchservice describe-elasticsearch-domain --domain-name YOUR_DOMAIN_NAME
  3. Update the domain configuration to enable fault tolerance: Run the following AWS CLI command to update the domain configuration and enable fault tolerance for data nodes: 
    aws opensearchservice update-elasticsearch-domain-config --domain-name YOUR_DOMAIN_NAME --elasticsearch-cluster-config '{"InstanceType": "m5.large.search", "InstanceCount": 2, "DedicatedMasterEnabled": false, "ZoneAwarenessEnabled": true}'
    In this command:
    • Replace YOUR_DOMAIN_NAME with the name of your OpenSearch domain.
    • Adjust the InstanceType and InstanceCount values as per your requirements.
    • Set ZoneAwarenessEnabled to true to enable fault tolerance across Availability Zones.
  4. Monitor the domain status: Run the following AWS CLI command to monitor the status of the OpenSearch domain until it is active: 
    aws opensearchservice describe-elasticsearch-domain --domain-name YOUR_DOMAIN_NAME
By following these steps and using the AWS CLI commands provided, you can enable fault tolerance for OpenSearch data nodes in AWS.
To remediate the misconfiguration of Opensearch Data Node not having fault tolerance in AWS OpenSearch using Python, follow these steps:
  1. Define the AWS OpenSearch domain configuration using the AWS SDK for Python (Boto3). Ensure that the domain has multiple data nodes for fault tolerance.
import boto3

client = boto3.client('es')

domain_name = 'your-opensearch-domain-name'

# Update the domain configuration to have multiple data nodes for fault tolerance
response = client.update_elasticsearch_domain_config(
    DomainName=domain_name,
    ElasticsearchClusterConfig={
        'InstanceType': 'm5.large.elasticsearch',
        'InstanceCount': 2,  # Set the number of data nodes for fault tolerance
        'DedicatedMasterEnabled': False,
        'ZoneAwarenessEnabled': True,
    }
)

print(response)
  1. Run the Python script to update the AWS OpenSearch domain configuration with fault tolerance enabled for data nodes.
  2. Verify the domain configuration in the AWS Management Console or by using the describe_elasticsearch_domain_config API to ensure that the fault tolerance settings have been applied successfully.
By following these steps, you can remediate the misconfiguration of Opensearch Data Node not having fault tolerance in AWS OpenSearch using Python.
I