Configuration template to provision an OpenSearch Domain (formerly Amazon Elasticsearch Domain), with settings such as VPC access, number of master and data nodes, encryption (at-rest and node-to-node), logging settings, and more.
A collection of AWS security controls for Amazon OpenSearch (formerly Amazon Elasticsearch). Controls include templates to provision Amazon OpenSearch domains, CloudWatch events and alarms for monitoring, as well as Config rules. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.
This template creates an OpenSearch Service domain with fine-grained access control. The domain is configured with two data nodes and three dedicated master nodes. It has 10 GiB of storage and enables EBS. The access policy allows a specific IAM role to perform all actions on the domain. Advanced security options are enabled with an internal user database and a master user with a specified username and password stored in the Secret created in the template.
This template creates an OpenSearch Service domain with VPC options. It includes the configuration for the domain, VPC, subnet, and security group. The domain is associated with the specified VPC and subnet, and the security group allows inbound traffic on port 443.
This template creates an OpenSearch Service domain running OpenSearch 1.0 with two data nodes and three dedicated master nodes. The domain has 40 GiB of storage and enables log publishing for application logs, search slow logs, and index slow logs. The access policy permits the root user for the AWS account to make all HTTP requests to the domain.
This template creates an access policy for OpenSearch Serverless. The access policy allows a user to access the resources within a collection, providing full access to the specified collection and indexes. The access policy is associated with the user 'test-user'.
This template creates an OpenSearch Serverless collection named 'test-collection' with the type 'SEARCH'. It also creates a matching encryption policy for the collection, which defines how data in the test collection is encrypted at rest. The template specifies the name, type, and description of the collection, as well as the name, type, description, and policy of the encryption policy.
This template creates a security configuration for OpenSearch Serverless. It specifies a SAML provider named 'my-provider' with a custom group attribute 'ALLGroups'. The security configuration includes SAML metadata, user attribute, group attribute, and session timeout.
This template creates an OpenSearch Serverless network policy named 'logs-network-policy'. It provides public access to OpenSearch endpoints and OpenSearch Dashboards endpoints. The policy will apply to all collections with names that begin with 'logs'.
A Config rule that checks whether Amazon Elasticsearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if node-to-node encryption is disabled on the domain.
Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. The rule is COMPLIANT if a log is enabled for an Amazon ES domain. This rule is NON_COMPLIANT if logging is not configured.
Checks if Amazon OpenSearch Service domains have audit logging enabled. The rule is NON_COMPLIANT if an OpenSearch Service domain does not have audit logging enabled.
Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true. The rule is NON_COMPLIANT for an OpenSearch domain if 'instanceCount' is less than 3 or 'zoneAwarenessEnabled' is set to 'false'.
Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the `EncryptionAtRestOptions` field is not enabled.
Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if logging is not configured.