Determine if your Amazon OpenSearch clusters (domains) have the desired instance type(s) established by your organization based on the workload deployed. The desired OpenSearch instance type(s) must be defined in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.
This rule can help you with the following compliance standards:
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
optimisation
Setting limits for the instance type(s) of the Amazon OpenSearch clusters provisioned in your AWS cloud account can help you to manage better your compute power, address internal compliance requirements, and prevent unexpected charges on your AWS bill.
Note 1: You can also limit your Amazon OpenSearch cluster instances to the desired instance type/class using AWS Organizations by implementing your own Service Control Policy on the master account. A Service Control Policy (SCP) is a type of policy that you can use to manage your organization. SCPs enable you to restrict what resources, services and actions the users, groups, and roles in those AWS accounts can use.
Note 2: The desired OpenSearch instance type used as example in this conformity rule is c4.large.elasticsearch. To meet your own organizational requirements, you will need to configure this rule with your desired instance type.
Audit
To determine if the instances (nodes) provisioned within your OpenSearch clusters have the desired instance type, perform the following operations:
Remediation / Resolution
To ensure that the creation of your Amazon OpenSearch cluster instances (nodes) is limited to the desired instance type(s) only, perform the following operations:
Note: Creating a support case to request OpenSearch instance type limitations using the AWS Command Line Interface (AWS CLI) is not currently supported.References
- AWS Documentation
- https://aws.amazon.com/opensearch-service/faqs/
- What is Amazon OpenSearch Service?
- Service control policies (SCPs)
- AWS Command Line Interface (CLI) Documentation
- es
- list-domain-names
- describe-elasticsearch-domain