
AWS Elasticsearch Desired Instance Type


Risk level: Medium (should be achieved)

Determine whether the Elasticsearch (ES) instances provisioned in your AWS account, including dedicated master instances, use the instance type your organization has established for the deployed workload. Cloud Conformity lets you define the desired Elasticsearch instance types based on your workload requirements when you enable this conformity rule.

Setting limits on the type of Amazon Elasticsearch instances provisioned in your AWS account helps you meet organizational compliance requirements and prevents unexpected charges on your AWS bill.

Note 1: You can also constrain Elasticsearch cluster provisioning through the AWS Organizations service by attaching your own Service Control Policy (SCP) from the master (management) account. An SCP is a policy type used to manage the accounts in your organization: it restricts which services, resources and API actions the users, groups and roles in the member accounts can use, regardless of the permissions granted to them inside those accounts.
Note 2: The desired Elasticsearch instance type used as example within this rule is c4.large.elasticsearch. To meet your organizational requirements, you will need to configure this rule with your own desired instance type.

Audit

To determine if the Elasticsearch (ES) instances launched in your AWS account have the desired instance type, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Elasticsearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Click on the AWS ES domain (link) that you want to examine.

04 Click Configure cluster button from the ES dashboard top menu to access the configuration information for the selected cluster.

05 Check the type of Elasticsearch instances provisioned for the selected cluster, listed in the Instance type and Dedicated master instance type fields, e.g.:

[Screenshot: the Instance type and Dedicated master instance type fields on the Configure cluster page]

06 Repeat steps no. 3 – 5 to verify the instance type used by other AWS ES clusters provisioned in the selected region.

07 If the instance type (or dedicated master instance type) shown for any cluster differs from the desired type established by your organization (e.g. c4.large.elasticsearch), that cluster was not launched with the desired instance type. Take action: update the non-compliant clusters and create an AWS support case to limit new cluster creation to the desired/required instance type (see Remediation/Resolution section).

08 Change the AWS region from the navigation bar and repeat steps no. 3 – 7 for all other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the names of all AWS Elasticsearch domains currently available in the selected region:

aws es list-domain-names \
	--region us-east-1

02 The command output should return the requested AWS ES domain names:

{
    "DomainNames": [
        {
            "DomainName": "cc-es-web-cluster"
        },
        {
            "DomainName": "cc-es-cmpa-cluster"
        },
        {
            "DomainName": "cc-es-cvsa-cluster"
        }
    ]
}

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the name of the Elasticsearch domain that you want to examine as identifier and custom query filters to return the type of data instances and dedicated master instances, provisioned by the current ES cluster:

aws es describe-elasticsearch-domain \
	--domain-name cc-es-web-cluster \
	--region us-east-1 \
	--query 'DomainStatus.ElasticsearchClusterConfig.[InstanceType,DedicatedMasterType]'

04 The command output should return the instance type(s) for the selected AWS ES cluster. The first value is the instance type used by the data instances and the second value the type used by the dedicated master instances. If the cluster has no dedicated master instances (DedicatedMasterEnabled is false), the DedicatedMasterType attribute is not present in the API response and the second value is returned as null; treat that as "no dedicated masters", not as a wrong type:

[
    "c4.large.elasticsearch",
    "m4.large.elasticsearch"
]

05 Repeat step no. 3 and 4 to determine the type of the instances provisioned by other AWS Elasticsearch clusters, available in the current region.

06 Repeat steps no. 1 – 5 for all other AWS regions. For each cluster, the describe-elasticsearch-domain command returns an array with the instance type(s) used by the cluster's data instances and dedicated master instances. If either value differs from the desired type established by your organization (e.g. c4.large.elasticsearch), that cluster was not created with the desired instance type; update it and create an AWS support case to limit new cluster creation to the desired instance type (see Remediation/Resolution section).
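The console and CLI audit steps above are the same check repeated per cluster and per region. The script below, added here as an example and not part of Cloud Conformity's own tooling, performs that check with boto3: it lists domains, describes them in batches, compares the data and dedicated master instance types with the desired values, and builds the ElasticsearchClusterConfig payload that update-elasticsearch-domain-config would need for a non-compliant cluster. It also handles the case the CLI query glosses over: a domain without dedicated masters carries no DedicatedMasterType, which must not be reported as a mismatch. The desired dedicated master type, the batch size of 5 and the sample DomainStatus records are assumptions; the sample is constructed from the command output shown above so the logic runs offline. Real runs need boto3 and the es:ListDomainNames and es:DescribeElasticsearchDomain permissions in each region.

```python
"""Audit every Amazon ES domain, in every region, against a desired instance type.

Added example (not Cloud Conformity's code). The constructed sample and
ConstructedEsClient let the check logic run without AWS access.
"""
from typing import List, Optional

# Desired types: the data type is the rule's example; the master type is an assumption.
DESIRED_DATA_TYPE = "c4.large.elasticsearch"
DESIRED_MASTER_TYPE = "c4.large.elasticsearch"


def check_domain(domain_status: dict, desired_data: str,
                 desired_master: Optional[str] = None) -> dict:
    """Compare one DomainStatus (describe-elasticsearch-domain) with the desired types.

    Compliant only when the data instance type matches exactly and, if dedicated
    masters are enabled, their type matches too. With dedicated masters disabled
    the API omits DedicatedMasterType, so its absence is not a finding.
    """
    cfg = domain_status.get("ElasticsearchClusterConfig", {})
    mismatches = []
    data_type = cfg.get("InstanceType")
    if data_type != desired_data:
        mismatches.append({"field": "InstanceType",
                           "current": data_type, "desired": desired_data})
    if cfg.get("DedicatedMasterEnabled") and desired_master:
        master_type = cfg.get("DedicatedMasterType")
        if master_type != desired_master:
            mismatches.append({"field": "DedicatedMasterType",
                               "current": master_type, "desired": desired_master})
    return {"domain": domain_status.get("DomainName"),
            "compliant": not mismatches, "mismatches": mismatches}


def update_config_for(finding: dict) -> dict:
    """ElasticsearchClusterConfig payload for update-elasticsearch-domain-config
    that moves a non-compliant domain to the desired types (empty if compliant)."""
    return {m["field"]: m["desired"] for m in finding["mismatches"]}


def audit_region(es_client, desired_data: str, desired_master: Optional[str]) -> List[dict]:
    """CLI audit steps 1-5 for one region, using a boto3 'es' client (or a stand-in)."""
    names = [d["DomainName"] for d in es_client.list_domain_names()["DomainNames"]]
    findings = []
    for i in range(0, len(names), 5):  # batch size assumed: the API caps names per call
        resp = es_client.describe_elasticsearch_domains(DomainNames=names[i:i + 5])
        for status in resp["DomainStatusList"]:
            findings.append(check_domain(status, desired_data, desired_master))
    return findings


# Constructed sample modelled on the command output shown in the audit steps.
SAMPLE_DOMAIN_STATUSES = [
    {"DomainName": "cc-es-web-cluster",
     "ElasticsearchClusterConfig": {"InstanceType": "c4.large.elasticsearch",
                                    "DedicatedMasterEnabled": True,
                                    "DedicatedMasterType": "m4.large.elasticsearch"}},
    {"DomainName": "cc-es-cmpa-cluster",
     "ElasticsearchClusterConfig": {"InstanceType": "c4.large.elasticsearch",
                                    "DedicatedMasterEnabled": False}},
]


class ConstructedEsClient:
    """Stand-in for boto3's 'es' client that serves the constructed sample offline."""

    def list_domain_names(self):
        return {"DomainNames": [{"DomainName": s["DomainName"]} for s in SAMPLE_DOMAIN_STATUSES]}

    def describe_elasticsearch_domains(self, DomainNames):
        return {"DomainStatusList": [s for s in SAMPLE_DOMAIN_STATUSES
                                     if s["DomainName"] in DomainNames]}


def audit_all_regions(desired_data: str = DESIRED_DATA_TYPE,
                      desired_master: Optional[str] = DESIRED_MASTER_TYPE) -> dict:
    """Real audit (step 6): every region where the ES service is available."""
    import boto3  # imported here so the offline check logic has no dependency on it
    session = boto3.Session()
    results = {}
    for region in session.get_available_regions("es"):
        client = session.client("es", region_name=region)
        results[region] = audit_region(client, desired_data, desired_master)
    return results


if __name__ == "__main__":
    # Offline demonstration; replace ConstructedEsClient() with audit_all_regions() for a real run.
    for f in audit_region(ConstructedEsClient(), DESIRED_DATA_TYPE, DESIRED_MASTER_TYPE):
        print("OK  " if f["compliant"] else "FAIL", f["domain"], update_config_for(f) or "")
```

The constructed cc-es-web-cluster record reproduces the mixed output shown in step 04 (c4.large data nodes, m4.large dedicated masters) and is reported as non-compliant only on the master type; cc-es-cmpa-cluster has no dedicated masters and passes. The payload returned by update_config_for is what you would pass as --elasticsearch-cluster-config to update-elasticsearch-domain-config for an existing cluster; this example deliberately reports rather than applies it, since changing instance types triggers a new deployment of the domain.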

Remediation / Resolution

To limit newly created AWS Elasticsearch clusters to the desired instance type, create an AWS support case explaining why you need this limitation. For existing Elasticsearch clusters launched with a different instance type, update their configuration by changing the Instance type and Dedicated master instance type parameters to the desired type (e.g. c4.large.elasticsearch).
To create the required AWS support case, perform the following actions:

Note: Creating a support case to request an ES instance type limitation through the AWS Support API (aws support create-case) is available only to accounts with a Business or Enterprise support plan; the steps below use the AWS Management Console, which works for every support plan.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS Support Center dashboard at https://console.aws.amazon.com/support/.

03 On the Create Case support page, perform the following:

  1. Under Regarding, select Account and Billing Support.
  2. Choose Other Account Issues from the Category dropdown list.
  3. In the Subject field, enter the request subject, e.g. "Limit AWS Elasticsearch cluster instance launch to a desired type".
  4. In the Description textbox, enter a brief description where you explain why you need to limit the provisioning of Amazon Elasticsearch instances to a specific type so that AWS support can evaluate your case promptly.
  5. From Supported Language, choose your preferred correspondence language for the current case.
  6. Under Contact method, select a preferred contact method that AWS support team can use to respond to your request.
  7. Click Submit to send the limit request to Amazon Web Services. A customer support representative will contact you shortly.

Publication date Sep 28, 2017