OpenSearch Version

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ES-007

Ensure that your Amazon OpenSearch domains are using the latest version of OpenSearch engine in order to adhere to security best practices, receive the newest OpenSearch features, and benefit from better performance and security.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Performance efficiency
Reliability
Security
Sustainability

When your Amazon OpenSearch domains (clusters) are using the latest version of the OpenSearch engine, you benefit from new features and enhancements, better performance, better memory management and resource utilization, bug fixes and security patches.


Audit

To determine the OpenSearch engine version used for your Amazon OpenSearch domains, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Click on the name (link) of the OpenSearch domain that you want to examine.

05 In the General information section, check the Version attribute value to determine the OpenSearch/ElasticSearch version installed on the selected domain. If an Upgrade available link is shown under the installed version, a newer version of OpenSearch/ElasticSearch is available, and the selected Amazon OpenSearch domain should be upgraded to benefit from the improvements that come with the latest version.

06 Repeat steps no. 4 and 5 for each Amazon OpenSearch cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch cluster (domain) available in the selected AWS region:

aws es list-domain-names \
  --region us-east-1 \
  --query 'DomainNames[*].DomainName'

02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

[
	"trendmicro",
	"cloudconformity"
]

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to describe the OpenSearch/ElasticSearch version installed on the selected domain:

aws es describe-elasticsearch-domain \
  --region us-east-1 \
  --domain-name trendmicro \
  --query 'DomainStatus.ElasticsearchVersion'

04 The command output should return the OpenSearch/ElasticSearch version installed:

"OpenSearch_2.11"

05 Check the latest version of the OpenSearch/ElasticSearch engine supported by Amazon OpenSearch, listed on this page, and compare that with the version number returned at the previous step. If there is a newer engine version released and supported by OpenSearch service, the selected Amazon OpenSearch domain should be upgraded to benefit from all the improvements that come with the latest version of OpenSearch/ElasticSearch.

06 Repeat steps no. 3 – 5 for each Amazon OpenSearch cluster available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
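
Steps 05 and 06 above compare version strings by eye. The following added example (not part of the original page) does that comparison numerically, because a plain string comparison ranks OpenSearch_2.9 above OpenSearch_2.11. The function names are hypothetical, and treating a bare number such as 7.10 as an Elasticsearch version is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the original page; function names are hypothetical.

# Print "<family> <major> <minor>" for an engine version string.
# family: 0 = Elasticsearch, 1 = OpenSearch (the successor line, so it ranks higher).
engine_rank() {
  local v="$1" family=0 num major minor
  case "$v" in
    OpenSearch_*)    family=1; num="${v#OpenSearch_}" ;;
    Elasticsearch_*) num="${v#Elasticsearch_}" ;;
    *)               num="$v" ;;  # assumption: a bare number (e.g. 7.10) is Elasticsearch
  esac
  major="${num%%.*}"
  case "$num" in
    *.*) minor="${num#*.}"; minor="${minor%%.*}" ;;
    *)   minor=0 ;;
  esac
  case "$major.$minor" in .*|*.|*[!0-9.]*) return 2 ;; esac  # reject non-numeric parts
  echo "$family $major $minor"
}

# Exit 0 if $1 (current) is older than $2 (target), 1 if not, 2 if unparsable.
needs_upgrade() {
  local cur tgt
  cur=$(engine_rank "$1") || return 2
  tgt=$(engine_rank "$2") || return 2
  set -- $cur $tgt  # six integers: family major minor, for current then target
  if   [ "$1" -ne "$4" ]; then [ "$1" -lt "$4" ]
  elif [ "$2" -ne "$5" ]; then [ "$2" -lt "$5" ]
  else [ "$3" -lt "$6" ]
  fi
}

# Audit steps 01-06 for one region (needs the AWS CLI and credentials; not run below).
audit_region() {
  local region="$1" target="$2" name ver
  for name in $(aws es list-domain-names --region "$region" \
      --query 'DomainNames[*].DomainName' --output text); do
    ver=$(aws es describe-elasticsearch-domain --region "$region" --domain-name "$name" \
      --query 'DomainStatus.ElasticsearchVersion' --output text)
    if needs_upgrade "$ver" "$target"; then echo "$region $name: $ver -> $target"; fi
  done
}

# Offline run on constructed version strings; a string compare would rank 2.9 above 2.11.
for v in OpenSearch_2.9 OpenSearch_2.11 7.10; do
  if needs_upgrade "$v" OpenSearch_2.11; then echo "$v: upgrade"; else echo "$v: current"; fi
done
```

To audit a live region, call audit_region with the region and the target version taken from the AWS supported-versions list, for example audit_region us-east-1 OpenSearch_2.11.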

Remediation / Resolution

To upgrade the OpenSearch/ElasticSearch engine version for your Amazon OpenSearch domains to the latest compatible version (https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html#choosing-version), perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Upgrade OpenSearch/ElasticSearch Engine Version to Latest Version",
	"Resources": {
		"OpenSearchDomain": {
			"Type": "AWS::OpenSearchService::Domain",
			"Properties": {
				"DomainName": "cc-opensearch-domain",
				"EngineVersion": "OpenSearch_2.11",
				"ClusterConfig": {
					"InstanceType": "t3.small.search",
					"InstanceCount": "2"
				},
				"EBSOptions": {
					"EBSEnabled": true,
					"VolumeType": "gp2",
					"VolumeSize": "50"
				},
				"AccessPolicies": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
							},
							"Action": "es:*",
							"Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
						}
					]
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Upgrade OpenSearch/ElasticSearch Engine Version to Latest Version
Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: cc-opensearch-domain
      EngineVersion: OpenSearch_2.11
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: '2'
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp2
        VolumeSize: '50'
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::123456789012:user/cc-opensearch-user
            Action: es:*
            Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_opensearch_domain" "opensearch-domain" {
	domain_name = "cc-opensearch-domain"

	# Upgrade OpenSearch/ElasticSearch Engine Version to Latest Version
	engine_version = "OpenSearch_2.11"

	cluster_config {
		instance_type = "t3.small.search"
		instance_count = 2
	}

	ebs_options {
		ebs_enabled = true
		volume_size = 50
		volume_type = "gp2"
	}

	access_policies = <<POLICY
	{
		"Version": "2012-10-17",
		"Statement":[
			{
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
				},
				"Action": "es:*",
				"Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
			}
		]
	}
	POLICY

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Select the OpenSearch domain that you want to reconfigure, choose Actions from the console top menu, and select Upgrade under Version upgrade.

05 In the Upgrade version configuration window, perform the following actions:

  1. Choose the latest version of OpenSearch/ElasticSearch from the Select upgrade version dropdown list. If the latest version of OpenSearch is selected, check the Enable compatibility mode checkbox.
  2. Under Action, choose Check upgrade eligibility to determine if the selected domain is eligible to upgrade. If the domain is eligible to upgrade, the Amazon OpenSearch console will return the following confirmation message: This domain is eligible for an upgrade from <old-version> to <new-version>.
  3. Under Action, choose Upgrade domain, type upgrade in the required field, and choose Upgrade to initiate the in-place upgrade for the selected OpenSearch domain. The upgrade process is irreversible and can't be paused or canceled. During an upgrade, you can't make configuration changes to the selected domain. The domain status will become Active once the upgrade process is completed.

06 Repeat steps no. 4 and 5 to upgrade the engine version for other Amazon OpenSearch domains available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run upgrade-elasticsearch-domain command (OSX/Linux/UNIX) with the --perform-check-only parameter to perform an upgrade eligibility check to the latest OpenSearch/Elasticsearch compatible version:

aws es upgrade-elasticsearch-domain \
  --region us-east-1 \
  --domain-name trendmicro \
  --target-version "OpenSearch_2.11" \
  --perform-check-only

02 If the specified domain is eligible to upgrade, the upgrade-elasticsearch-domain command should return the following output:

{
	"DomainName": "trendmicro",
	"TargetVersion": "OpenSearch_2.11",
	"PerformCheckOnly": true
}

03 If the selected Amazon OpenSearch domain is eligible to upgrade, run upgrade-elasticsearch-domain command (OSX/Linux/UNIX) without the --perform-check-only parameter to initiate the in-place upgrade for the selected Amazon OpenSearch domain. The upgrade process is irreversible and can't be paused or canceled. During an upgrade, you can't make configuration changes to the selected domain. The domain status will become "Active" once the upgrade process is completed:

aws es upgrade-elasticsearch-domain \
  --region us-east-1 \
  --domain-name trendmicro \
  --target-version "OpenSearch_2.11"

04 The output should return the upgrade-elasticsearch-domain command request metadata:

{
	"DomainName": "trendmicro",
	"TargetVersion": "OpenSearch_2.11"
}

05 Repeat steps no. 1 – 4 to upgrade the engine version for other Amazon OpenSearch domains available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Jun 12, 2017