Guided Walkthroughs

Configuration Packages

By Implementation

Service Control PoliciesConfig RulesAuto Remediation RulesConformance PacksAmazon GuardDutyAmazon InspectorAWS Security HubAWS Network FirewallRoute53 Resolver SecurityAmazon MacieS3 Bucket PoliciesCloudWatch Alarms and Event RulesAWS WAFAWS Secrets ManagerAWS Systems ManagerSecurity Groups & NACLsAWS KMSAWS SSOIAM PoliciesVPC Endpoint PoliciesCloudFormation Guard RulesLoad BalancersRDS Event SubscriptionsAWS Resource Access Manager (RAM)

By Service Protected

Reference Guides

Other

CloudFormation Guard Rules

Cloudformation Guard Rules for AWS OpenSearch

CloudFormation guard rules template for AWS OpenSearch resources

The following rules are included: 

  • Encryption At-Rest Enabled
  • Node-to-Node Encryption
  • HTTPS Enforced
  • Cognito Enabled
  • Internal User Database Configured
  • Application, Search Slow Logs, and Index Slow Logs enabled
  • Audit Logs Enabled
  • VPC Deployment
  • Domain Has 3 Data Nodes (Or More)
CloudFormation Validation Tool: Syntax and Security validation for your templates online

let opensearch_domains = Resources.*[
	Type == "AWS::OpenSearchService::Domain"
]

rule es_encrypted_storage when %opensearch_domains !empty {
	%opensearch_domains {
		Properties {
			EncryptionAtRestOptions exists <<EncryptionAtRestOptions is not configured. (i.e. disabled)>>
			when EncryptionAtRestOptions exists {
				EncryptionAtRestOptions {
					Enabled == true <<Encryption at rest is disabled.>>
				}
			}
		}
	}
}

rule es_encrypted_intransit when %opensearch_domains !empty {
	%opensearch_domains {
		Properties {
			NodeToNodeEncryptionOptions exists <<NodeToNodeEncryptionOptions is not configured. (i.e. disabled)>>
			when NodeToNodeEncryptionOptions exists {
				NodeToNodeEncryptionOptions {
					Enabled == true <<Encryption in transit is disabled.>>
				}
			}
		}
	}
}

rule es_require_https when %opensearch_domains !empty {
	%opensearch_domains {
		Properties {
			DomainEndpointOptions exists <<DomainEndpointOptions is not configured. (i.e. disabled)>>
			when DomainEndpointOptions exists {
				DomainEndpointOptions {
					EnforceHTTPS exists <<EnforceHTTPS is not configured. (i.e. disabled)>>
					when EnforceHTTPS exists {
						EnforceHTTPS == true <<Enforce HTTPS is disabled.>>
					}
				}
			}
		}
	}
}

rule es_cognito_enabled when %opensearch_domains !empty {
	%opensearch_domains {
		Properties {
			CognitoOptions exists <<CognitoOptions is not configured. (i.e. disabled)>>
			when CognitoOptions exists {
				CognitoOptions {
					Enabled == true <<Cognito is disabled.>>
				}
			}
		}
	}
}

rule es_internal_user_database when %opensearch_domains !empty {
	%opensearch_domains {
		Properties {
			AdvancedSecurityOptions exists <<AdvancedSecurityOptions is not configured. (i.e. disabled)>>
			when AdvancedSecurityOptions exists {
				AdvancedSecurityOptions {
					InternalUserDatabaseEnabled exists <<InternalUserDatabaseEnabled is not configured. (i.e. disabled)>>
					when InternalUserDatabaseEnabled exists {
						InternalUserDatabaseEnabled == true <<Internal user database is disabled.>>
					}
				}
			}
		}
	}
}

rule es_logging_enabled when %opensearch_domains !empty {
	%opensearch_domains {
		Properties {
			LogPublishingOptions exists <<LogPublishingOptions is not configured. (i.e. disabled)>>
			when LogPublishingOptions exists {
				LogPublishingOptions {
					SEARCH_SLOW_LOGS exists <<SEARCH_SLOW_LOGS is not configured. (i.e. disabled)>>
					ES_APPLICATION_LOGS exists <<ES_APPLICATION_LOGS is not configured. (i.e. disabled)>>
					INDEX_SLOW_LOGS exists << INDEX_SLOW_LOGS is not configured. (i.e. disabled)>>

					when SEARCH_SLOW_LOGS exists
					ES_APPLICATION_LOGS exists
					INDEX_SLOW_LOGS exists {
						SEARCH_SLOW_LOGS {
							Enabled == true <<SEARCH_SLOW_LOGS is disabled.>>
						}
						ES_APPLICATION_LOGS {
							Enabled == true <<ES_APPLICATION_LOGS is disabled.>>
						}
						INDEX_SLOW_LOGS {
							Enabled == true <<INDEX_SLOW_LOGS is disabled.>>
						}
					}
				}
			}
		}
	}
}

rule es_audit_logging_enabled when %opensearch_domains !empty {
	%opensearch_domains {
		Properties {
			LogPublishingOptions exists <<LogPublishingOptions is not configured. (i.e. disabled)>>
			when LogPublishingOptions exists {
				LogPublishingOptions {
					AUDIT_LOGS exists <<AUDIT_LOGS is not configured. (i.e. disabled)>>

					when AUDIT_LOGS exists {
						AUDIT_LOGS {
							Enabled == true <<AUDIT_LOGS is disabled.>>
						}
					}
				}
			}
		}
	}
}

rule es_in_vpc when %opensearch_domains !empty {
	%opensearch_domains {
		Properties {
			VPCOptions exists <<VPCOptions is not configured. (i.e. disabled)>>
		}
	}
}

rule es_least_3_nodes when %opensearch_domains !empty {
	%opensearch_domains {
		Properties {
			ClusterConfig exists <<ClusterConfig is not configured. (Instance count defaults to 1)>>
			when ClusterConfig exists {
				ClusterConfig {
					InstanceCount exists <<InstanceCount is not configured. (Defaults to 1)>>
					when InstanceCount exists {
						InstanceCount >= 3 <<InstanceCount is less than 3.>>
					}
				}
			}
		}
	}
}


Actions



Customize Template

* Required field

Upgrade to Premium for More Features
Sign up

Guided Walkthroughs
Step-by-step configuration wizards for your environment
Dedicated Security Account
AWS Backup Strategy
VPC Connectivity Setup
Automated Patching
All Guides
Configuration Packages
Pre-built packages for common configuration
Common SCPs
CloudFormation Guard Rules
Auto Remediation Rules
IAM Monitoring & Compliance
All Packages
Automated Assessments
  • 350+ security checks
  • Well-architected reviews
  • Detailed compliance reports
  • Remediation templates
  • Email summaries
  • Learn more