Best practice rules for Amazon Opensearch Service
Amazon OpenSearch Service makes it easy for you to perform interactive log analytics, real-time application monitoring, website search, and more. OpenSearch is an open source, distributed search and analytics suite derived from Elasticsearch.
Trend Micro Cloud One™ – Conformity monitors Amazon Opensearch Service with the following rules:
- AWS OpenSearch Slow Logs
Ensure that your AWS OpenSearch domains publish slow logs to AWS CloudWatch Logs.
- Check for IP-Based Access
Ensure that only approved IP addresses can access your Amazon OpenSearch domains.
- Cluster Status
Ensure that your Amazon OpenSearch clusters are healthy (Green).
- Desired Instance Type(s)
Ensure that Amazon OpenSearch cluster instances are of given instance type.
- Enable Audit Logs
Ensure that audit logging is enabled for all your Amazon OpenSearch domains.
- Enable In-Transit Encryption
Ensure that in-transit encryption is enabled for your Amazon OpenSearch domains.
- Encryption At Rest
Ensure that your Amazon OpenSearch domains are encrypted in order to meet security and compliance requirements.
- Free Storage Space
Identify OpenSearch clusters with low free storage space and scale them to optimize their performance.
- Idle OpenSearch Domains
Identify idle Amazon OpenSearch domains and delete them in order to optimize AWS costs.
- OpenSearch Accessible Only From Safelisted IP Addresses
Ensure only safelisted IP addresses can access your Amazon OpenSearch domains.
- OpenSearch Cross Account Access
Ensure Amazon OpenSearch clusters don't allow unknown cross account access.
- OpenSearch Dedicated Master Enabled
Ensure Amazon OpenSearch clusters are using dedicated master nodes to increase the production environment stability.
- OpenSearch Domain Encrypted with KMS CMKs
Ensure that OpenSearch domains are encrypted with KMS Customer Master Keys (CMKs).
- OpenSearch Domain Exposed
Ensure Amazon OpenSearch domains aren't exposed to everyone.
- OpenSearch Domain In VPC
Ensure that your Amazon OpenSearch domains are accessible only from AWS VPCs.
- OpenSearch General Purpose SSD
Ensure OpenSearch nodes are using General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize the service costs.
- OpenSearch Node To Node Encryption
Ensure that your Amazon OpenSearch clusters are using node to node encryption in order to meet security and compliance requirements.
- OpenSearch Reserved Instance Coverage
Ensure that your Amazon OpenSearch usage is covered by RI reservations in order to optimize AWS costs.
- OpenSearch Reserved Instance Lease Expiration In The Next 30 Days
Ensure Amazon OpenSearch Reserved Instances are renewed before expiration.
- OpenSearch Reserved Instance Lease Expiration In The Next 7 Days
Ensure that Amazon OpenSearch Reserved Instances are renewed before expiration.
- OpenSearch Version
Ensure that the latest version of OpenSearch engine is used for your OpenSearch domains.
- OpenSearch Zone Awareness Enabled
Ensure high availability for your Amazon OpenSearch clusters by enabling the Zone Awareness feature.
- Reserved Instance Payment Pending Purchases
Ensure that none of your Amazon OpenSearch Reserved Instance purchases are pending.
- Reserved Instance Purchase State
Ensure that none of your Amazon OpenSearch Reserved Instance purchases have been failed.
- Review Reserved Instance Purchases
Ensure that OpenSearch Reserved Instance purchases are regularly reviewed for cost optimization (informational).
- TLS Security Policy Version
Ensure that your OpenSearch domains are using the latest version of the TLS security policy.
- Total Number of Cluster Nodes
Ensure there are fewer OpenSearch cluster nodes than the established limit