Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

OpenSearch Zone Awareness Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ES-002

Ensure that cross-zone replication (Zone Awareness) is enabled for your Amazon OpenSearch clusters to increase the cluster availability by allocating new data nodes and replicating the data across two or three Availability Zones (AZs) in the same AWS region in order to prevent data loss and minimize downtime in the event of node or data center (AZ) failure.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Amazon OpenSearch Zone Awareness promotes fault tolerance by distributing your OpenSearch cluster data nodes across multiple Availability Zones within the same AWS region.

Note: Once the Amazon OpenSearch cross-zone replication is enabled, you can use the native OpenSearch API to replicate the data for your clusters by creating replica shards.

Audit

To determine if cross-zone replication is enabled for your Amazon OpenSearch clusters, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Click on the name (link) of the OpenSearch cluster that you want to examine.

05 Select the Cluster configuration tab and check the Availability Zones attribute value available in the Data nodes section. If the Availability Zones attribute value is set to 1-AZ (i.e. one Availability Zone), the cluster cross-zone replication is not enabled, therefore the current configuration of the selected Amazon OpenSearch cluster is not fault tolerant.

06 Repeat steps no. 4 and 5 for each Amazon OpenSearch cluster available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch cluster (domain) available in the selected AWS region: 

aws es list-domain-names
  --region us-east-1
  --query 'DomainNames[*].DomainName'

02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region: 

[
    "trendmicro",
    "cloudconformity"
]

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to determine if Zone Awareness is enabled for the selected cluster: 

aws es describe-elasticsearch-domain
  --region us-east-1
  --domain-name trendmicro
  --query 'DomainStatus.ElasticsearchClusterConfig.ZoneAwarenessEnabled'

04 The command output should return the requested configuration status (true for enabled, false for disabled) 

false

If the value returned by the describe-elasticsearch-domain command output is false, the cluster cross-zone replication is not enabled, therefore the current configuration of the selected Amazon OpenSearch cluster is prone to service downtime and data loss in the event of a node/AZ failure.

05 Repeat steps no. 3 and 4 for each Amazon OpenSearch cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable cross-zone replication (Zone Awareness) for your Amazon OpenSearch clusters, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON): 

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable Zone Awareness (Cross-Zone Replication)",
	"Resources": {
	"OpenSearchDomain": {
		"Type":"AWS::OpenSearchService::Domain",
		"Properties": {
			"DomainName": "cc-opensearch-domain",
			"EngineVersion": "OpenSearch_1.0",
			"ClusterConfig": {
				"InstanceType": "t3.small.search",
				"InstanceCount": "2",
				"ZoneAwarenessEnabled": true,
				"ZoneAwarenessConfig": {
					"AvailabilityZoneCount": 2
				}
			},
			"EBSOptions": {
				"EBSEnabled": true,
				"VolumeSize": "30",
				"VolumeType": "gp2"
			},
			"EncryptionAtRestOptions": {
				"Enabled": true
			},
			"AccessPolicies": {
				"Version":"2012-10-17",
				"Statement":[
				{
					"Effect": "Allow",
					"Principal": {
						"AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
					},
					"Action":"es:*",
					"Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
				}
				]
			}
		}
		}
	}
}

02 CloudFormation template (YAML): 

AWSTemplateFormatVersion: '2010-09-09'
	Description: Enable Zone Awareness (Cross-Zone Replication)
	Resources:
		OpenSearchDomain:
		Type: AWS::OpenSearchService::Domain
		Properties:
			DomainName: cc-opensearch-domain
			EngineVersion: OpenSearch_1.0
			ClusterConfig:
			InstanceType: t3.small.search
			InstanceCount: '2'
			ZoneAwarenessEnabled: true
			ZoneAwarenessConfig:
				AvailabilityZoneCount: 2
			EBSOptions:
			EBSEnabled: true
			VolumeSize: '30'
			VolumeType: gp2
			EncryptionAtRestOptions:
			Enabled: true
			AccessPolicies:
			Version: '2012-10-17'
			Statement:
				- Effect: Allow
				Principal:
					AWS: arn:aws:iam::123456789012:user/cc-opensearch-user
				Action: es:*
				Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf): 

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_opensearch_domain" "opensearch-domain" {
	domain_name = "cc-opensearch-domain"
	engine_version = "OpenSearch_1.0"

	cluster_config {
		instance_type = "t3.small.search"
		instance_count = 2

		# Enable Zone Awareness (Cross-Zone Replication)
		zone_awareness_enabled = true
	}

	zone_awareness_config {
		availability_zone_count = 2
	}

	ebs_options {
		ebs_enabled = true
		volume_size = 30
		volume_type = "gp2"
	}

	encrypt_at_rest {
		enabled = true
	}

	access_policies = <<POLICY
	{
		"Version": "2012-10-17",
		"Statement":[
			{
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
				},
				"Action":"es:*",
				"Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
			}
		]
	}
	POLICY

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

03 In the main navigation panel, under Dashboard, select Domains.

04 Select the OpenSearch cluster that you want to reconfigure, choose Actions from the console top menu, and select Edit cluster configuration.

05 In the Data nodes section, perform the following operations:

  1. For Availability Zones, select 2-AZ to replicate the cluster data across two Availability Zones or 3-AZ to replicate the data across three Availability Zones.
  2. For Number of nodes, choose instances in multiples of two if you selected 2-AZ at the previous step or instances in multiples of three if 3-AZ was selected.
  3. Choose Save changes to apply the configuration changes.

06 Repeat steps no. 3 – 5 to enable and configure cross-zone replication for other Amazon OpenSearch clusters available within the current AWS region.

07 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to reconfigure as the identifier parameter to enable cross-zone replication for the selected OpenSearch cluster. The following command request example enables cluster data replication across two Availability Zones: 

aws es update-elasticsearch-domain-config
  --domain-name trendmicro
  --region us-east-1
  --elasticsearch-cluster-config InstanceType=m4.large.elasticsearch,InstanceCount=2,ZoneAwarenessEnabled=true,ZoneAwarenessConfig={AvailabilityZoneCount=2}

02 The command output should return the configuration information available for the reconfigured cluster: 

{
    "DomainConfig": {
        "ElasticsearchVersion": {
            "Options": "7.9",
            "Status": {
                "CreationDate": "2021-12-21T14:44:37.462000+00:00",
                "UpdateDate": "2021-12-21T14:57:39.078000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "ElasticsearchClusterConfig": {
            "Options": {
                "InstanceType": "m4.large.elasticsearch",
                "InstanceCount": 2,
                "DedicatedMasterEnabled": false,
                "ZoneAwarenessEnabled": true,
                "ZoneAwarenessConfig": {
                    "AvailabilityZoneCount": 2
                },
                "WarmEnabled": false,
                "ColdStorageOptions": {
                    "Enabled": false
                }
            },
        "EBSOptions": {
            "Options": {
                "EBSEnabled": true,
                "VolumeType": "gp2",
                "VolumeSize": 30
            },
            "Status": {
                "CreationDate": "2021-12-21T14:44:37.462000+00:00",
                "UpdateDate": "2021-12-21T14:57:39.078000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },

        ...

        "SnapshotOptions": {
            "Options": {
                "AutomatedSnapshotStartHour": 0
            },
            "Status": {
                "CreationDate": "2021-12-21T14:44:37.462000+00:00",
                "UpdateDate": "2021-12-21T14:57:39.078000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "VPCOptions": {
            "Options": {},
            "Status": {
                "CreationDate": "2021-12-21T22:17:52.963000+00:00",
                "UpdateDate": "2021-12-21T22:17:52.963000+00:00",
                "UpdateVersion": 17,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "CognitoOptions": {
            "Options": {
                "Enabled": false
            },
            "Status": {
                "CreationDate": "2021-12-21T22:17:52.963000+00:00",
                "UpdateDate": "2021-12-21T22:17:52.963000+00:00",
                "UpdateVersion": 17,
                "State": "Active",
                "PendingDeletion": false
            }
        }
    }
}

03 Repeat steps no. 1 and 2 to enable and configure cross-zone replication for other Amazon OpenSearch clusters available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Dec 3, 2016

Related Elasticsearch rules