OpenSearch Desired Instance Type(s)

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ES-009

Determine if your Amazon OpenSearch clusters (domains) have the desired instance type(s) established by your organization based on the workload deployed. The desired OpenSearch instance type(s) must be defined in the conformity rule settings, on the Trend Cloud One™ – Conformity account console.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security
Cost optimisation

Setting limits for the instance type(s) of the Amazon OpenSearch clusters provisioned in your AWS cloud account can help you better manage your compute power, address internal compliance requirements, and prevent unexpected charges on your AWS bill.

Note 1: You can also limit your Amazon OpenSearch cluster instances to the desired instance type/class using AWS Organizations by implementing your own Service Control Policy on the master account. A Service Control Policy (SCP) is a type of policy that you can use to manage your organization. SCPs enable you to restrict what resources, services and actions the users, groups, and roles in those AWS accounts can use.

Note 2: The desired OpenSearch instance type used as an example in this conformity rule is c4.large.elasticsearch. To meet your own organizational requirements, you will need to configure this rule with your desired instance type.


Audit

To determine if the instances (nodes) provisioned within your OpenSearch clusters have the desired instance type, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Desired Instance Type(s) conformity rule settings and identify the desired instance type(s) configured for Amazon OpenSearch clusters.

02 Sign in to the AWS Management Console.

03 Navigate to the Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.

04 In the main navigation panel, under Dashboard, select Domains.

05 Click on the name (link) of the OpenSearch cluster that you want to examine.

06 In the General information section, check the Instance type attribute value listed in the Data nodes and Dedicated master nodes categories to determine the instance type used by the selected OpenSearch cluster. If the instance type is different than the one(s) allowed by your organization and identified at step no. 1, the selected Amazon OpenSearch cluster (domain) was not launched/configured using the desired instance type.

07 Repeat steps no. 5 and 6 for each OpenSearch cluster provisioned within the current AWS region.

08 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch cluster (domain) available in the selected AWS region:

aws es list-domain-names \
  --region us-east-1 \
  --query 'DomainNames[*].DomainName'

02 The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:

[
	"trendmicro",
	"cloudconformity"
]

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to return the type of data instances and dedicated master instances, provisioned for the selected cluster:

aws es describe-elasticsearch-domain \
  --domain-name trendmicro \
  --region us-east-1 \
  --query 'DomainStatus.ElasticsearchClusterConfig.[{"DataInstanceType":InstanceType,"DedicatedMasterType":DedicatedMasterType}]'

04 The command output should return the instance type configured for the selected OpenSearch cluster:

[
	{
		"DataInstanceType": "c4.large.elasticsearch",
		"DedicatedMasterType": "c4.large.elasticsearch"
	}
]

Compare the instance type returned by the describe-elasticsearch-domain command output with the one(s) allowed by your organization, identified at step no. 1. If the verified cluster instance type is not listed in the conformity rule configuration settings, the selected Amazon OpenSearch cluster (domain) was not launched/configured using the desired instance type.

05 Repeat steps no. 3 and 4 for each OpenSearch cluster available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other AWS regions.
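The CLI audit steps above can be combined into one script; this is an added example, not part of the original Conformity page. The ALLOWED_TYPES variable, the function names, and the script name are assumptions, and the allow-list must be set to the type(s) configured in your rule settings.

```bash
#!/usr/bin/env bash
# Added example: automates CLI audit steps 01-06 of this page.
# ALLOWED_TYPES (space-separated) is an assumption; set it to the
# instance type(s) configured in your Conformity rule settings.
ALLOWED_TYPES="${ALLOWED_TYPES:-c4.large.elasticsearch}"

# Succeeds when the instance type is on the allow-list. "None" is what
# the CLI text output prints for a null value, i.e. a domain without
# dedicated master nodes, so it is not treated as a violation.
is_allowed() {
  [ "$1" = "None" ] && return 0
  for allowed in $ALLOWED_TYPES; do
    [ "$1" = "$allowed" ] && return 0
  done
  return 1
}

# Prints one line per node role that uses a type outside the allow-list;
# returns non-zero if the domain has any such finding.
check_domain() {  # args: region domain data_type master_type
  findings=0
  is_allowed "$3" || { echo "NONCOMPLIANT $1 $2 data=$3"; findings=1; }
  is_allowed "$4" || { echo "NONCOMPLIANT $1 $2 master=$4"; findings=1; }
  return "$findings"
}

# Steps 01-05 for one region: list the domains, then describe each one.
audit_region() {
  region="$1"; region_rc=0
  for domain in $(aws es list-domain-names --region "$region" \
      --query 'DomainNames[*].DomainName' --output text); do
    types=$(aws es describe-elasticsearch-domain --domain-name "$domain" \
      --region "$region" --output text --query \
      'DomainStatus.ElasticsearchClusterConfig.[InstanceType,DedicatedMasterType]')
    set -- $types   # split the tab-separated pair into $1 and $2
    check_domain "$region" "$domain" "${1:-unknown}" "${2:-None}" || region_rc=1
  done
  return "$region_rc"
}

# Step 06: audit every region given on the command line, e.g.
#   ./audit-es-types.sh us-east-1 eu-west-1
main() {
  rc=0
  for r in "$@"; do audit_region "$r" || rc=1; done
  return "$rc"
}
[ "$#" -eq 0 ] || main "$@"
```

The script exits non-zero when any domain uses a type outside the allow-list, so it can gate a scheduled job or pipeline stage. A failed describe call leaves the data type as "unknown", which is reported as a finding rather than silently passed.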

Remediation / Resolution

To ensure that the creation of your Amazon OpenSearch cluster instances (nodes) is limited to the desired instance type(s) only, perform the following operations:

Note: Creating a support case to request OpenSearch instance type limitations using the AWS Command Line Interface (AWS CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the AWS Support Center console at https://console.aws.amazon.com/support/.

03 In the Open support cases section, choose Create case to initiate the request process.

04 On the Create case page, perform the following operations:

  1. Select Account and billing support option.
  2. Select Account from the Type dropdown list.
  3. Select Other Account Issues from the Category dropdown list.
  4. Provide the request subject in the Subject box, e.g. "Limit the creation of Amazon OpenSearch cluster instances to specific instance type(s) only".
  5. For Description, provide a concise description where you list the desired instance types and explain why you need to deny the creation of Amazon OpenSearch clusters with unwanted instance types (e.g. for compliance purposes). This will help the AWS support team to evaluate your request.
  6. For Contact options, choose your preferred correspondence language from the Preferred contact language dropdown list, then select a preferred contact method that the AWS support team can use to respond to your request from the Contact methods section.
  7. Choose Submit to send your request to Amazon Web Services. A customer support representative should contact you shortly.

Publication date Sep 28, 2017