CloudFormation Guard rules template for AWS OpenSearch resources
The following rules are included:
# Select every OpenSearch Service domain in the template.
# Only the AWS::OpenSearchService::Domain type is matched. Legacy
# AWS::Elasticsearch::Domain resources are not covered by these rules
# (their property names differ, e.g. ElasticsearchClusterConfig), so a
# template that still uses the legacy type is skipped, not failed.
# Every rule below is guarded with `when %opensearch_domains !empty`, so a
# template with no domains is reported as skipped rather than PASS or FAIL.
let opensearch_domains = Resources.*[
    Type == "AWS::OpenSearchService::Domain"
]
# Encryption at rest must be explicitly enabled on every domain.
# EncryptionAtRestOptions is optional in CloudFormation and is treated as
# "disabled" when absent, so a missing block is reported as a failure rather
# than silently skipped.
rule es_encrypted_storage when %opensearch_domains !empty {
    %opensearch_domains.Properties {
        EncryptionAtRestOptions exists <<EncryptionAtRestOptions is not configured. (i.e. disabled)>>
        # Descend only once the block is known to exist, so an absent block
        # produces a single, specific message.
        when EncryptionAtRestOptions exists {
            EncryptionAtRestOptions.Enabled == true <<Encryption at rest is disabled.>>
        }
    }
}
# Node-to-node (in-transit) encryption must be enabled on every domain.
# NodeToNodeEncryptionOptions is optional and counts as "disabled" when
# absent, so the missing block is itself a finding.
rule es_encrypted_intransit when %opensearch_domains !empty {
    %opensearch_domains.Properties {
        NodeToNodeEncryptionOptions exists <<NodeToNodeEncryptionOptions is not configured. (i.e. disabled)>>
        # Compare the flag only when the block is present.
        when NodeToNodeEncryptionOptions exists {
            NodeToNodeEncryptionOptions.Enabled == true <<Encryption in transit is disabled.>>
        }
    }
}
# HTTPS must be enforced on the domain endpoint.
# DomainEndpointOptions and EnforceHTTPS are both optional and are treated
# as "disabled" when absent, so each missing level is reported with its own
# message before the flag value is compared.
# NOTE(review): this rule does not constrain TLSSecurityPolicy (the minimum
# TLS version) on the same DomainEndpointOptions block; treat that as a
# separate control if your baseline requires it.
rule es_require_https when %opensearch_domains !empty {
    %opensearch_domains {
        Properties {
            DomainEndpointOptions exists <<DomainEndpointOptions is not configured. (i.e. disabled)>>
            when DomainEndpointOptions exists {
                DomainEndpointOptions {
                    EnforceHTTPS exists <<EnforceHTTPS is not configured. (i.e. disabled)>>
                    when EnforceHTTPS exists {
                        EnforceHTTPS == true <<Enforce HTTPS is disabled.>>
                    }
                }
            }
        }
    }
}
# Amazon Cognito authentication for OpenSearch Dashboards must be enabled.
# CognitoOptions is optional and counts as "disabled" when absent, so a
# missing block fails the rule outright.
# NOTE(review): this is an environment-wide requirement. Domains that
# authenticate Dashboards users another way will fail here and need an
# exception or a tuned rule.
rule es_cognito_enabled when %opensearch_domains !empty {
    %opensearch_domains.Properties {
        CognitoOptions exists <<CognitoOptions is not configured. (i.e. disabled)>>
        # The Enabled flag is only compared once the block is present.
        when CognitoOptions exists {
            CognitoOptions.Enabled == true <<Cognito is disabled.>>
        }
    }
}
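# Fine-grained access control with the internal user database must be on.
# The internal user database is a feature of fine-grained access control, so
# this rule checks both AdvancedSecurityOptions.Enabled and
# InternalUserDatabaseEnabled: a template that sets the internal database
# flag while leaving Enabled false or absent is reported, not passed.
# All three levels are optional and count as "disabled" when absent, so each
# missing one is reported with its own message before the value is compared.
rule es_internal_user_database when %opensearch_domains !empty {
    %opensearch_domains {
        Properties {
            AdvancedSecurityOptions exists <<AdvancedSecurityOptions is not configured. (i.e. disabled)>>
            when AdvancedSecurityOptions exists {
                AdvancedSecurityOptions {
                    # Fine-grained access control itself must be switched on.
                    Enabled exists <<AdvancedSecurityOptions.Enabled is not configured. (i.e. disabled)>>
                    when Enabled exists {
                        Enabled == true <<Fine-grained access control is disabled.>>
                    }
                    InternalUserDatabaseEnabled exists <<InternalUserDatabaseEnabled is not configured. (i.e. disabled)>>
                    when InternalUserDatabaseEnabled exists {
                        InternalUserDatabaseEnabled == true <<Internal user database is disabled.>>
                    }
                }
            }
        }
    }
}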
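# Slow-query and application log publishing must be configured and enabled.
# LogPublishingOptions and each of the three log keys checked here are
# optional, so each missing key is reported individually; the Enabled flags
# are compared only once all three keys are present (the when-clauses on
# separate lines are intended as a conjunction).
# The INDEX_SLOW_LOGS "not configured" message is aligned with its siblings
# (it previously carried a stray leading space).
# NOTE(review): audit logs are covered separately by es_audit_logging_enabled.
# Log destinations (CloudWatchLogsLogGroupArn) are not validated by this rule.
rule es_logging_enabled when %opensearch_domains !empty {
    %opensearch_domains {
        Properties {
            LogPublishingOptions exists <<LogPublishingOptions is not configured. (i.e. disabled)>>
            when LogPublishingOptions exists {
                LogPublishingOptions {
                    SEARCH_SLOW_LOGS exists <<SEARCH_SLOW_LOGS is not configured. (i.e. disabled)>>
                    ES_APPLICATION_LOGS exists <<ES_APPLICATION_LOGS is not configured. (i.e. disabled)>>
                    INDEX_SLOW_LOGS exists <<INDEX_SLOW_LOGS is not configured. (i.e. disabled)>>
                    when SEARCH_SLOW_LOGS exists
                         ES_APPLICATION_LOGS exists
                         INDEX_SLOW_LOGS exists {
                        SEARCH_SLOW_LOGS {
                            Enabled == true <<SEARCH_SLOW_LOGS is disabled.>>
                        }
                        ES_APPLICATION_LOGS {
                            Enabled == true <<ES_APPLICATION_LOGS is disabled.>>
                        }
                        INDEX_SLOW_LOGS {
                            Enabled == true <<INDEX_SLOW_LOGS is disabled.>>
                        }
                    }
                }
            }
        }
    }
}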
# Audit logging must be configured and enabled.
# Audit logs live under their own LogPublishingOptions key (AUDIT_LOGS),
# separate from the slow/application logs checked by es_logging_enabled, so
# they are checked on their own here; an absent key is reported as disabled.
# NOTE(review): only the Enabled flag is checked. The destination
# (CloudWatchLogsLogGroupArn) and the log group's retention/access are not
# validated by this rule. Audit logs also depend on fine-grained access
# control being enabled on the domain - confirm against the service docs for
# your engine version; this rule does not check AdvancedSecurityOptions.
rule es_audit_logging_enabled when %opensearch_domains !empty {
    %opensearch_domains {
        Properties {
            LogPublishingOptions exists <<LogPublishingOptions is not configured. (i.e. disabled)>>
            when LogPublishingOptions exists {
                LogPublishingOptions {
                    AUDIT_LOGS exists <<AUDIT_LOGS is not configured. (i.e. disabled)>>
                    when AUDIT_LOGS exists {
                        AUDIT_LOGS {
                            Enabled == true <<AUDIT_LOGS is disabled.>>
                        }
                    }
                }
            }
        }
    }
}
# Domains must be VPC-based rather than publicly reachable.
# Only the presence of VPCOptions is required; the subnet and security group
# lists inside it are not validated by this rule.
rule es_in_vpc when %opensearch_domains !empty {
    %opensearch_domains.Properties.VPCOptions exists <<VPCOptions is not configured. (i.e. disabled)>>
}
# A domain must run at least three data nodes.
# ClusterConfig and InstanceCount are both optional and, as the messages
# note, the service defaults to a single instance, so each missing level is
# reported before the count is compared.
# NOTE(review): a literal value is expected here. An InstanceCount supplied
# through Ref or a parameter is not resolved by guard and is expected to be
# reported as failing the comparison.
# NOTE(review): the node count alone does not guarantee availability; zone
# awareness (ClusterConfig.ZoneAwarenessEnabled) and dedicated master nodes
# are not checked by this rule.
rule es_least_3_nodes when %opensearch_domains !empty {
    %opensearch_domains {
        Properties {
            ClusterConfig exists <<ClusterConfig is not configured. (Instance count defaults to 1)>>
            when ClusterConfig exists {
                ClusterConfig {
                    InstanceCount exists <<InstanceCount is not configured. (Defaults to 1)>>
                    when InstanceCount exists {
                        InstanceCount >= 3 <<InstanceCount is less than 3.>>
                    }
                }
            }
        }
    }
}