Idle OpenSearch Domains

Risk Level: High (not acceptable risk)

Rule ID: ES-022

Identify any Amazon OpenSearch clusters (domains) that appear to be idle and delete them to help lower the cost of your monthly AWS bill. By default, an OpenSearch cluster is considered "idle" when meets the following criteria (to declare the instance "idle" both conditions must be true):

- The average CPU Utilization has been less than 2% for the last 7 days.

The CloudWatch metrics used to detect idle Amazon OpenSearch clusters are:
- CPUUtilization – the percentage of CPU resources used for the data nodes running within the cluster (Units: Percentage).

Note 1: Knowing the role and the owner of an Amazon OpenSearch cluster (domain) before you take the decision to remove it from your account is very important. For this rule Trend Cloud One™ – Conformity assumes that your OpenSearch domains are tagged with "Role" and "Owner" tags which provide visibility into their usage profile and help you decide whether it's safe or not to terminate these resources.

Note 2: You can change the default threshold for this rule on the Conformity account console and set your own value for the CPU usage and the usage time range (days) for each condition in order to configure the domain idleness.

Note 3: If the Amazon OpenSearch domain selected for the checkup is needed within your application stack, you can suppress (disable) the conformity rule check for the resource from the Trend Cloud One™ – Conformity console.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Cost
optimisation

Idle Amazon OpenSearch domains represent a good candidate for reducing your monthly AWS costs. Regularly checking your OpenSearch domains for CPU usage will help you efficiently detect and remove any idle OpenSearch resources from your AWS account in order to avoid accumulating unnecessary charges.

Audit

To identify any idle Amazon OpenSearch domains available within your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Click on the name (link) of the OpenSearch domain that you want to examine.

05 Select the Cluster health tab and click on the CPU utilization graph thumbnail displayed in the Data nodes section to open the panel with the CPU usage. On the CPU utilization (CPUUtilization) panel, set the following parameters:

From the Period dropdown list, select 1 Hour.
From the Time range list, select 1w (1 week).
From the Statistic dropdown list, select Average.

Once the monitoring data is loaded, check the CPU usage recorded in the last 7 days. If the average CPU usage (percent) has been less than 2%, the selected Amazon OpenSearch cluster qualifies as candidate for the idle domain. Choose x (close) to close the panel.

06 Determine the domain role and owner within your application stack by checking the Role and Owner tags values assigned to the selected OpenSearch domain in order to decide whether or not it's safe to delete the resource. To check for the required tags, perform the following actions:

Select the Tags tab to access the tag sets configured for the selected OpenSearch domain.
Check the Role tag value, available in the Value column, or any Role-like tag value that can provide information about the usage profile of the OpenSearch domain in order to decide if the resource can be deleted or not.
Check the Owner tag value, available in the Value column, or any Owner-like tag value that can provide the contact information (name, email, phone number, etc.) of the resource owner in order to get the confirmation to delete or not the selected OpenSearch resource.

07 If all the conditions outlined at step no. 5 and 6 are met, the selected Amazon OpenSearch domain is considered idle and can be terminated in order to stop incurring charges for the OpenSearch cluster.

08 Repeat steps no. 4 – 7 for each Amazon OpenSearch domain available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch domain available in the selected AWS region:

aws es list-domain-names
  --region us-east-1
  --query 'DomainNames[*].DomainName'

02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

[
	"trendmicro",
	"cloudconformity"
]

03 Run get-metric-statistics command (OSX/Linux/UNIX) to obtain the statistics recorded by Amazon CloudWatch for the CPUUtilization metric, representing the CPU usage for the selected OpenSearch domain (cluster). Change the--start-time (start recording date) and --end-time (stop recording date) parameters value to choose your own time frame for recording the CPUUtilization metric usage. Set the --period parameter value to define the granularity (in seconds) of the returned datapoints, based on your requirements. A period can be as short as 1 minute (60 seconds) or as long as 1 day (86400 seconds). The following command example returns the average CPU usage for a OpenSearch domain named "trendmicro", usage data captured over a time period of 7 days, using 1-hour period as the granularity for the returned datapoints:

aws cloudwatch get-metric-statistics
  --region us-east-1
  --metric-name CPUUtilization
  --start-time 2017-04-05T08:46:05
  --end-time 2017-04-12T08:46:05
  --period 3600
  --namespace AWS/ES
  --statistics Average
  --dimensions Name=DomainName,Value=trendmicro

04 The command output should return the CPUUtilization usage details requested:

{
    "Datapoints": [
        {
            "Timestamp": "2017-04-05T08:46:05Z",
            "Average": 0.031533333333333333,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-04-05T09:46:05Z",
            "Average": 0.033499999999999995,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-04-05T10:46:05Z",
            "Average": 0.10425,
            "Unit": "Percent"
        },

        ...

        {
            "Timestamp": "2017-04-12T05:46:05Z",
            "Average": 0.030999999999999993,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-04-12T06:46:05Z",
            "Average": 0.02833333333333333,
            "Unit": "Percent"
        },
        {
            "Timestamp": "2017-04-12T07:46:05Z",
            "Average": 0.02783333333333333,
            "Unit": "Percent"
        }
    ],
    "Label": "CPUUtilization"
}

If the average CPU usage (percent) has been less than 2%, the selected Amazon OpenSearch cluster qualifies as candidate for the idle domain.

05 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the selected OpenSearch domain as the identifier parameter and custom query filters to describe the domain's ARN:

aws es describe-elasticsearch-domain
  --domain-name trendmicro
  --region us-east-1
  --query 'DomainStatus.ARN'

06 The command output should return the requested OpenSearch domain ARN:

"arn:aws:es:us-east-1:123456789012:domain/trendmicro"

07 Run list-tags command (OSX/Linux/UNIX) using the domain ARN returned at the previous step as the identifier parameter to describe the tags applied to the selected OpenSearch domain (cluster):

aws es list-tags
  --region us-east-1
  --arn "arn:aws:es:us-east-1:123456789012:domain/trendmicro"

08 The command output should return the tag sets (key-value pairs) defined for the selected domain. The Roleand the Ownertags returned and their values (highlighted) can be used to determine the resource role within the application stack and to contact the domain owner for more information in order to decide if the OpenSearch resource can be deleted or not:

{
    "TagList": [
        {
            "Value": "dev-os-cluster",
            "Key": "Role"
        },
        {
            "Value": "trendmicro.com",
            "Key": "Owner"
        }
    ]
}

09 If the data returned for the steps no. 3 – 8 satisfy the conditions set by the conformity rule (domain owner, domain role, and CPU usage), the selected Amazon OpenSearch domain is considered idle and can be terminated in order to stop incurring charges for the OpenSearch cluster.

10 Repeat steps no. 3 – 9 for each Amazon OpenSearch domain available in the selected AWS region.

11 Change the AWS cloud region by updating the **--region** command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

Option 1: Delete idle OpenSearch domain. To remove idle Amazon OpenSearch domain from your AWS account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Select the Amazon OpenSearch domain that you want to remove and choose Delete from the console top menu.

05 In the Delete domain? confirmation box, type the name of the idle domain in the required field, then choose Delete to remove the selected OpenSearch domain from your AWS cloud account.

06 Repeat steps no. 4 and 5 for each idle Amazon OpenSearch domain that you want to delete, available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run delete-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the idle domain as the identifier parameter, to remove the specified Amazon OpenSearch domain (cluster) from your AWS cloud account:

aws es delete-elasticsearch-domain
  --region us-east-1
  --domain-name trendmicro

02 The command output should return the delete-elasticsearch-domain command request metadata:

{
    "DomainStatus": {
        "DomainId": "123456789012/trendmicro",
        "DomainName": "trendmicro",
        "ARN": "arn:aws:es:us-east-1:123456789012:domain/trendmicro",
        "Created": true,
        "Deleted": true,
        "Endpoint": "search-trendmicro-abcd1234abcd1234abcd.us-east-1.es.amazonaws.com",
        "Processing": true,
        "UpgradeProcessing": false,
        "ElasticsearchVersion": "7.9",
        "ElasticsearchClusterConfig": {
            "InstanceType": "t3.small.elasticsearch",
            "InstanceCount": 3,
            "DedicatedMasterEnabled": false,
            "ZoneAwarenessEnabled": false,
            "WarmEnabled": false,
            "ColdStorageOptions": {
                "Enabled": false
            }
        },
        "EBSOptions": {
            "EBSEnabled": true,
            "VolumeType": "gp2",
            "VolumeSize": 30
        },
        "SnapshotOptions": {},
        "CognitoOptions": {
            "Enabled": false
        },
        "EncryptionAtRestOptions": {
            "Enabled": false
        },
        "NodeToNodeEncryptionOptions": {
            "Enabled": false
        },
        "AdvancedOptions": {
            "indices.fielddata.cache.size": "",
            "override_main_response_version": "false",
            "rest.action.multi.allow_explicit_index": "false"
        },
        "ServiceSoftwareOptions": {
            "CurrentVersion": "R20211203-P2",
            "NewVersion": "",
            "UpdateAvailable": false,
            "Cancellable": false,
            "UpdateStatus": "COMPLETED",
            "Description": "There is no software update available for this domain.",
            "AutomatedUpdateDate": "2021-12-15T22:07:00+00:00",
            "OptionalDeployment": false
        },
        "DomainEndpointOptions": {
            "EnforceHTTPS": false,
            "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07",
            "CustomEndpointEnabled": false
        },
        "AdvancedSecurityOptions": {
            "Enabled": false,
            "InternalUserDatabaseEnabled": false
        },
        "AutoTuneOptions": {
            "State": "ENABLE_IN_PROGRESS"
        }
    } 
}

03 Repeat steps no. 1 and 2 for each idle Amazon OpenSearch domain that you want to remove, available in the selected AWS region.

04 Change the AWS cloud region by updating the **--region** command parameter value and repeat the Remediation process for other regions.

Option 2: Disable the conformity rule check. If the selected idle OpenSearch domain is needed (i.e. the resource role within your application stack is important), you should turn off the rule check for the selected domain from your Trend Cloud One™ – Conformity account console.

References

AWS Command Line Interface (CLI) Documentation
es
list-domain-names
describe-elasticsearch-domain
list-tags
delete-elasticsearch-domain
cloudwatch
get-metric-statistics

Publication date May 30, 2023

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related Elasticsearch rules