Configuration template to provision an OpenSearch Domain (formerly Amazon Elasticsearch Domain), with settings such as VPC access, number of master and data nodes, encryption (at-rest and node-to-node), logging settings, and more.

This template creates an OpenSearch Service domain with fine-grained access control. The domain is configured with two data nodes and three dedicated master nodes. It has 10 GiB of storage and enables EBS. The access policy allows a specific IAM role to perform all actions on the domain. Advanced security options are enabled with an internal user database and a master user with a specified username and password stored in the Secret created in the template.

This template creates an OpenSearch Service domain with VPC options. It includes the configuration for the domain, VPC, subnet, and security group. The domain is associated with the specified VPC and subnet, and the security group allows inbound traffic on port 443.

This template creates an OpenSearch Service domain running OpenSearch 1.0 with two data nodes and three dedicated master nodes. The domain has 40 GiB of storage and enables log publishing for application logs, search slow logs, and index slow logs. The access policy permits the root user for the AWS account to make all HTTP requests to the domain.

This template creates an access policy for OpenSearch Serverless. The access policy allows a user to access the resources within a collection, providing full access to the specified collection and indexes. The access policy is associated with the user 'test-user'.

This template creates an OpenSearch Serverless collection named 'test-collection' with the type 'SEARCH'. It also creates a matching encryption policy for the collection. The encryption policy ensures the security of the test collection. The template specifies the name, type, and description of the collection, as well as the name, type, description, and policy of the encryption policy.

This template creates a security configuration for OpenSearch Serverless. It specifies a SAML provider named 'my-provider' with a custom group attribute 'ALLGroups'. The security configuration includes SAML metadata, user attribute, group attribute, and session timeout.

This template creates an OpenSearch Serverless encryption policy named 'logs-encryption-policy' with an AWS owned key. The policy will apply to all future collections with names that begin with 'logs'.

This template creates an OpenSearch Serverless network policy named 'logs-network-policy'. It provides public access to OpenSearch endpoints and OpenSearch Dashboards endpoints. The policy will apply to all collections with names that begin with 'logs'.

This template creates an OpenSearch Serverless-managed interface VPC endpoint named 'test-vpcendpoint'. The endpoint is associated with one subnet and one security group.

This template creates an Amazon OpenSearch ingestion pipeline with logging enabled and configurable units. It also creates a corresponding CloudWatch log group and provides the pipeline ARN and ingest endpoint URLs as outputs.

A config rule that checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled

A config rule that checks whether whether the ElasticSearch Domains are in VPC and not as a public endpoint

A Config rule that checks that Amazon ElasticSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if the node-to-node encryption is disabled on the domain.

Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. The rule is COMPLIANT if a log is enabled for an Amazon ES domain. This rule is NON_COMPLIANT if logging is not configured.

Checks if Amazon OpenSearch Service domains have fine-grained access control enabled. The rule is NON_COMPLIANT if AdvancedSecurityOptions is not enabled for the OpenSearch Service domain.

Checks if Amazon OpenSearch Service domains have audit logging enabled. The rule is NON_COMPLIANT if an OpenSearch Service domain does not have audit logging enabled.

Checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true. The rule is NON_COMPLIANT for an OpenSearch domain if 'instanceCount' is less than 3 or 'zoneAwarenessEnabled' is set to 'false'.

Checks if Amazon OpenSearch Service domains have encryption at rest configuration enabled. The rule is NON_COMPLIANT if the `EncryptionAtRestOptions` field is not enabled.

Checks whether connections to OpenSearch domains are using HTTPS. The rule is NON_COMPLIANT if the Amazon OpenSearch domain 'EnforceHTTPS' is not 'true' or is 'true' and 'TLSSecurityPolicy' is not in '`tlsPolicies`'.

Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC). The rule is NON_COMPLIANT if an OpenSearch Service domain endpoint is public.

Checks if Amazon OpenSearch Service domains are configured to send logs to Amazon CloudWatch Logs. The rule is NON_COMPLIANT if logging is not configured.

Check if Amazon OpenSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if the node-to-node encryption is not enabled on the domain