Guided Walkthroughs
Step-by-step configuration wizards for your environment
Dedicated Security Account
AWS Backup Strategy
VPC Connectivity Setup
Automated Patching
All Guides
Guided Walkthroughs
Configuration Packages
AI CloudAdvisor (Beta)
By Implementation
By Service Protected
Reference Guides
Other
Guided Walkthroughs
Configuration Packages
AI CloudAdvisor (Beta)
Configuration Stack0
By Service Protected
By Implementation
Service Control Policies
Config Rules
Auto Remediation Rules
Conformance Packs
Amazon GuardDuty
Amazon Inspector
AWS Security Hub
AWS Network Firewall
Route53 Resolver Security
Amazon Macie
S3 Bucket Policies
CloudWatch Alarms and Event Rules
AWS WAF
AWS Secrets Manager
AWS Systems Manager
Security Groups & NACLs
AWS KMS
AWS SSO
IAM Policies
VPC Endpoint Policies
CloudFormation Guard Rules
Load Balancers
RDS Event Subscriptions
AWS Resource Access Manager (RAM)Reference Guides
Other
CloudFormation Guard Rules
Cloudformation Guard Rules for AWS OpenSearch
CloudFormation guard rules template for AWS OpenSearch resources
The following rules are included:
- Encryption At-Rest Enabled
- Node-to-Node Encryption
- HTTPS Enforced
- Cognito Enabled
- Internal User Database Configured
- Application, Search Slow Logs, and Index Slow Logs enabled
- Audit Logs Enabled
- VPC Deployment
- Domain Has 3 Data Nodes (Or More)
CloudFormation Validation Tool: Syntax and Security validation for your templates online
let opensearch_domains = Resources.*[
Type == "AWS::OpenSearchService::Domain"
]
rule es_encrypted_storage when %opensearch_domains !empty {
%opensearch_domains {
Properties {
EncryptionAtRestOptions exists <<EncryptionAtRestOptions is not configured. (i.e. disabled)>>
when EncryptionAtRestOptions exists {
EncryptionAtRestOptions {
Enabled == true <<Encryption at rest is disabled.>>
}
}
}
}
}
rule es_encrypted_intransit when %opensearch_domains !empty {
%opensearch_domains {
Properties {
NodeToNodeEncryptionOptions exists <<NodeToNodeEncryptionOptions is not configured. (i.e. disabled)>>
when NodeToNodeEncryptionOptions exists {
NodeToNodeEncryptionOptions {
Enabled == true <<Encryption in transit is disabled.>>
}
}
}
}
}
rule es_require_https when %opensearch_domains !empty {
%opensearch_domains {
Properties {
DomainEndpointOptions exists <<DomainEndpointOptions is not configured. (i.e. disabled)>>
when DomainEndpointOptions exists {
DomainEndpointOptions {
EnforceHTTPS exists <<EnforceHTTPS is not configured. (i.e. disabled)>>
when EnforceHTTPS exists {
EnforceHTTPS == true <<Enforce HTTPS is disabled.>>
}
}
}
}
}
}
rule es_cognito_enabled when %opensearch_domains !empty {
%opensearch_domains {
Properties {
CognitoOptions exists <<CognitoOptions is not configured. (i.e. disabled)>>
when CognitoOptions exists {
CognitoOptions {
Enabled == true <<Cognito is disabled.>>
}
}
}
}
}
rule es_internal_user_database when %opensearch_domains !empty {
%opensearch_domains {
Properties {
AdvancedSecurityOptions exists <<AdvancedSecurityOptions is not configured. (i.e. disabled)>>
when AdvancedSecurityOptions exists {
AdvancedSecurityOptions {
InternalUserDatabaseEnabled exists <<InternalUserDatabaseEnabled is not configured. (i.e. disabled)>>
when InternalUserDatabaseEnabled exists {
InternalUserDatabaseEnabled == true <<Internal user database is disabled.>>
}
}
}
}
}
}
rule es_logging_enabled when %opensearch_domains !empty {
%opensearch_domains {
Properties {
LogPublishingOptions exists <<LogPublishingOptions is not configured. (i.e. disabled)>>
when LogPublishingOptions exists {
LogPublishingOptions {
SEARCH_SLOW_LOGS exists <<SEARCH_SLOW_LOGS is not configured. (i.e. disabled)>>
ES_APPLICATION_LOGS exists <<ES_APPLICATION_LOGS is not configured. (i.e. disabled)>>
INDEX_SLOW_LOGS exists << INDEX_SLOW_LOGS is not configured. (i.e. disabled)>>
when SEARCH_SLOW_LOGS exists
ES_APPLICATION_LOGS exists
INDEX_SLOW_LOGS exists {
SEARCH_SLOW_LOGS {
Enabled == true <<SEARCH_SLOW_LOGS is disabled.>>
}
ES_APPLICATION_LOGS {
Enabled == true <<ES_APPLICATION_LOGS is disabled.>>
}
INDEX_SLOW_LOGS {
Enabled == true <<INDEX_SLOW_LOGS is disabled.>>
}
}
}
}
}
}
}
rule es_audit_logging_enabled when %opensearch_domains !empty {
%opensearch_domains {
Properties {
LogPublishingOptions exists <<LogPublishingOptions is not configured. (i.e. disabled)>>
when LogPublishingOptions exists {
LogPublishingOptions {
AUDIT_LOGS exists <<AUDIT_LOGS is not configured. (i.e. disabled)>>
when AUDIT_LOGS exists {
AUDIT_LOGS {
Enabled == true <<AUDIT_LOGS is disabled.>>
}
}
}
}
}
}
}
rule es_in_vpc when %opensearch_domains !empty {
%opensearch_domains {
Properties {
VPCOptions exists <<VPCOptions is not configured. (i.e. disabled)>>
}
}
}
rule es_least_3_nodes when %opensearch_domains !empty {
%opensearch_domains {
Properties {
ClusterConfig exists <<ClusterConfig is not configured. (Instance count defaults to 1)>>
when ClusterConfig exists {
ClusterConfig {
InstanceCount exists <<InstanceCount is not configured. (Defaults to 1)>>
when InstanceCount exists {
InstanceCount >= 3 <<InstanceCount is less than 3.>>
}
}
}
}
}
}
Actions
Customize Template
* Required field
Upgrade to Premium for More Features
Configuration Packages
Pre-built packages for common configuration
Common SCPs
CloudFormation Guard Rules
Auto Remediation Rules
IAM Monitoring & Compliance
All Packages
Automated Assessments
- 350+ security checks
- Well-architected reviews
- Detailed compliance reports
- Remediation templates
- Email summaries
- Learn more