OpenSearch Dedicated Master Enabled

Risk Level: Medium (should be achieved)

Rule ID: ES-004

Ensure that your Amazon OpenSearch clusters are using dedicated master nodes to improve their environmental stability by offloading all the management tasks from the cluster data nodes.

Reliability

Using Amazon OpenSearch dedicated master nodes to separate management tasks from index and search requests will improve the clusters ability to manage easily different types of workload and make them more resilient in production.

Note: Ensure that you allocate at least 3 dedicated master nodes for each OpenSearch cluster (domain) running in production. The default value for the number of master nodes is set to 3 but this value can be adjusted in the rule settings on the TrendAI Vision One™ Cloud Risk Management Dashboard.

Audit

To determine if your Amazon OpenSearch clusters are using dedicated master nodes, perform the following operations:

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.
In the main navigation panel, under Dashboard, select Domains.
Click on the name (link) of the OpenSearch cluster that you want to examine.
Select the Cluster configuration tab and check the Dedicated master nodes status listed in the Cluster configuration section. If the Dedicated master nodes status is set to Enabled No, the selected Amazon OpenSearch cluster is not configured with dedicated mater nodes, therefore the load/search requests and the management tasks are all handled by the data nodes.
Repeat steps no. 4 and 5 for each Amazon OpenSearch cluster available within the current AWS region.
Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

Run list-domain-names command (OSX/Linux/UNIX) to list the name of each Amazon OpenSearch cluster (domain) available in the selected AWS region:
```
aws es list-domain-names
  --region us-east-1
  --query 'DomainNames[*].DomainName'
```
The command output should return the identifier (name) of each OpenSearch domain provisioned in the selected region:
```
[
    "trendmicro",
    "example"
]
```
Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to examine as the identifier parameter and custom query filters to describe the dedicated master nodes configuration status available for the selected cluster:
```
aws es describe-elasticsearch-domain
  --region us-east-1
  --domain-name trendmicro
  --query 'DomainStatus.ElasticsearchClusterConfig.DedicatedMasterEnabled'
```
The command output should return the requested configuration status (true for enabled, false for disabled)
```
false
```
If the value returned by the describe-elasticsearch-domain command output is false, the selected Amazon OpenSearch cluster is not configured to use dedicated mater nodes, therefore the load/search requests and the management tasks are handled by the cluster data nodes.
Repeat steps no. 3 and 4 for each Amazon OpenSearch cluster available in the selected AWS region.
Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable dedicated master nodes for your Amazon OpenSearch clusters (domains), perform the following operations:

Using AWS CloudFormation

CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Enable and Configure Dedicated Master Nodes for OpenSearch Clusters",
	"Resources": {
		"OpenSearchDomain": {
			"Type":"AWS::OpenSearchService::Domain",
			"Properties": {
				"DomainName": "cc-opensearch-domain",
				"EngineVersion": "OpenSearch_1.1",
				"ClusterConfig": {
					"InstanceType": "t3.small.search",
					"InstanceCount": "2",
					"DedicatedMasterEnabled": true,
					"DedicatedMasterType": "t3.small.search",
					"DedicatedMasterCount": 3
				},
				"EBSOptions": {
					"EBSEnabled": true,
					"VolumeType": "gp2",
					"VolumeSize": "350"
				},
				"EncryptionAtRestOptions": {
					"Enabled": true
				},
				"AccessPolicies": {
					"Version":"2012-10-17",
					"Statement":[
					{
						"Effect": "Allow",
						"Principal": {
							"AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
						},
						"Action":"es:*",
						"Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
					}
					]
				}
			}
		}
	}
}

CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Description: Enable and Configure Dedicated Master Nodes for OpenSearch Clusters
	Resources:
		OpenSearchDomain:
		Type: AWS::OpenSearchService::Domain
		Properties:
			DomainName: cc-opensearch-domain
			EngineVersion: OpenSearch_1.1
			ClusterConfig:
			InstanceType: t3.small.search
			InstanceCount: '2'
			DedicatedMasterEnabled: true
			DedicatedMasterType: t3.small.search
			DedicatedMasterCount: 3
			EBSOptions:
			EBSEnabled: true
			VolumeType: gp2
			VolumeSize: '350'
			EncryptionAtRestOptions:
			Enabled: true
			AccessPolicies:
			Version: '2012-10-17'
			Statement:
				- Effect: Allow
				Principal:
					AWS: arn:aws:iam::123456789012:user/cc-opensearch-user
				Action: es:*
				Resource: arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*

Using Terraform (AWS Provider)

Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	region  = "us-east-1"
}

resource "aws_opensearch_domain" "opensearch-domain" {
	domain_name = "cc-opensearch-domain"
	engine_version = "OpenSearch_1.1"

	cluster_config {
		instance_type = "t3.small.search"
		instance_count = 2

		# Enable and Configure Dedicated Master Nodes for OpenSearch Clusters
		dedicated_master_enabled = true
		dedicated_master_type = "t3.small.search"
		dedicated_master_count = 3
	}

	ebs_options {
		ebs_enabled = true
		volume_size = 30
		volume_type = "gp2"
	}

	encrypt_at_rest {
	enabled = true
	}

	access_policies = <<POLICY
	{
		"Version": "2012-10-17",
		"Statement":[
			{
				"Effect": "Allow",
				"Principal": {
					"AWS": "arn:aws:iam::123456789012:user/cc-opensearch-user"
				},
				"Action":"es:*",
				"Resource": "arn:aws:es:us-east-1:123456789012:domain/cc-opensearch-domain/*"
			}
		]
	}
	POLICY

}

Using AWS Console

Sign in to the AWS Management Console.
Navigate to Amazon OpenSearch console at https://console.aws.amazon.com/esv3/.
In the main navigation panel, under Dashboard, select Domains.
Select the OpenSearch cluster that you want to reconfigure, choose Actions from the console top menu, and select Edit cluster configuration.
In the Dedicated master nodes section, perform the following actions:
1. Select the Enable dedicated master nodes checkbox to enable dedicated master nodes for the selected Amazon OpenSearch cluster.
2. Select the appropriate instance type from the Instance type dropdown list.
3. Select the number of compute nodes that you want to use from the Number of master nodes dropdown list. For production domains, 3 is recommended. 3 is also the default value for the number of dedicated master nodes and can be changed from the TrendAI Vision One™ Cloud Risk Management Dashboard console.
4. Choose Save changes to apply the configuration changes.
Repeat steps no. 3 – 5 to enable dedicated master nodes for other Amazon OpenSearch clusters available within the current AWS region.
Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Amazon OpenSearch cluster that you want to reconfigure as the identifier parameter to enable dedicated master nodes for the selected cluster:
```
aws es update-elasticsearch-domain-config
  --region us-east-1
  --domain-name trendmicro
  --elasticsearch-cluster-config DedicatedMasterEnabled=true,DedicatedMasterType="t3.small.search",DedicatedMasterCount=3
```

The command output should return the configuration information available for the reconfigured cluster:

{
    "DomainConfig": {
        "ElasticsearchVersion": {
            "Options": "7.9",
            "Status": {
                "CreationDate": "2021-12-21T14:44:37.462000+00:00",
                "UpdateDate": "2021-12-21T14:57:39.078000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "ElasticsearchClusterConfig": {
            "Options": {
                "InstanceType": "t3.small.search",
                "InstanceCount": 2,
                "DedicatedMasterEnabled": true,
                "ZoneAwarenessEnabled": false,
                "DedicatedMasterType": "t3.small.search",
                "DedicatedMasterCount": 3,
                "WarmEnabled": false,
                "ColdStorageOptions": {
                    "Enabled": false
                }
            }
        },
        "EBSOptions": {
            "Options": {
                "EBSEnabled": true,
                "VolumeType": "gp2",
                "VolumeSize": 30
            },
            "Status": {
                "CreationDate": "2021-12-21T14:44:37.462000+00:00",
                "UpdateDate": "2021-12-21T14:57:39.078000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },

        ...

        "SnapshotOptions": {
            "Options": {
                "AutomatedSnapshotStartHour": 0
            },
            "Status": {
                "CreationDate": "2021-12-21T14:44:37.462000+00:00",
                "UpdateDate": "2021-12-21T14:57:39.078000+00:00",
                "UpdateVersion": 5,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "VPCOptions": {
            "Options": {},
            "Status": {
                "CreationDate": "2021-12-21T22:17:52.963000+00:00",
                "UpdateDate": "2021-12-21T22:17:52.963000+00:00",
                "UpdateVersion": 17,
                "State": "Active",
                "PendingDeletion": false
            }
        },
        "CognitoOptions": {
            "Options": {
                "Enabled": false
            },
            "Status": {
                "CreationDate": "2021-12-21T22:17:52.963000+00:00",
                "UpdateDate": "2021-12-21T22:17:52.963000+00:00",
                "UpdateVersion": 17,
                "State": "Active",
                "PendingDeletion": false
            }
        }
    }
}

Repeat steps no. 1 and 2 to enable dedicated master nodes for other Amazon OpenSearch clusters available in the selected AWS region.
Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

AWS Documentation
Amazon OpenSearch Service FAQs
What is Amazon OpenSearch Service?
Creating and managing Amazon OpenSearch Service domains

AWS Command Line Interface (CLI) Documentation
es
list-domain-names
describe-elasticsearch-domain
update-elasticsearch-domain-config

CloudFormation Documentation
Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) resource type reference

Terraform Documentation
AWS Provider

Publication date Dec 3, 2016

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS CloudFormation

Using Terraform (AWS Provider)

Using AWS Console

Using AWS CLI

References

Related Elasticsearch rules