Logo of Trend Micro

Elasticsearch Zone Awareness Enabled

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ES-002

Ensure that AWS Elasticsearch (ES) cross-zone replication (Zone Awareness) is enabled to increase the availability of your ES clusters by allocating the nodes and replicate the data across two Availability Zones (AZs) in the same region in order to prevent data loss and minimize downtime in the event of node or data center (AZ) failure.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Reliability

Enabling ES Zone Awareness promotes fault tolerance by distributing your Elasticsearch data nodes across two Availability Zones available in the same AWS region.

Note 1: To use the Zone Awareness feature, your Amazon ES clusters must have an even number of instances in their configuration.
Note 2: Once the ES cross-zone replication is enabled, you must use the native Elasticsearch API to replicate the data for your clusters by creating replica shards.

Audit

To determine if the Zone Awareness feature is enabled for your Elasticsearch clusters, you need to perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elasticsearch dashboard at https://console.aws.amazon.com/es/.

03 Click on the ES domain that you want to examine, e.g.

Click on the ES domain that you want to examine

04 On the selected domain description page, click the Configure cluster button from the dashboard top menu to access the ES cluster configuration page.

05 On the Configure cluster page, in the Node configuration section, verify the Zone Awareness feature current status. If Enable zone awareness checkbox is unchecked:

If Enable zone awareness checkbox is unchecked

the Elasticsearch cross-zone replication is not enabled, therefore the selected ES cluster configuration is not fault tolerant.

06 Repeat steps no. 3 - 5 to verify the Zone Awareness feature status for other Elasticsearch domains (clusters) available within the current region.

07 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the names of all AWS Elasticsearch (ES) domains currently available in the selected region: 

aws es list-domain-names
	--region us-east-1

02 The command output should return the requested ES domain name(s): 

{
    "DomainNames": [
        {
            "DomainName": "cloudconformity-cluster"
        },
        {
            "DomainName": "cloudconformity-cluster-v2"
        }
    ]
}

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the ES domain name returned at the previous step and custom query filters to reveal the Zone Awareness setting status for the selected domain (cluster): 

aws es describe-elasticsearch-domain
	--domain-name cloudconformity-cluster
	--region us-east-1
	--query 'DomainStatus.ElasticsearchClusterConfig.ZoneAwarenessEnabled'

04 The command output should return the ES cluster cross-zone replication status (true for enabled, false for disabled): 

false
If the value returned by the command output is false, the cross-zone replication is not currently enabled, therefore the selected Elasticsearch cluster configuration is prone to service downtime and data loss in the event of a node/AZ failure.

05 Repeat steps no. 3 and 4 to verify the Zone Awareness feature status for other Elasticsearch domains available within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To enable cross-zone replication for your Amazon Elasticsearch clusters, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elasticsearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Click on the ES domain (cluster) that you want to reconfigure in order to enable Zone Awareness (see Audit section part I to identify the right AWS resource).

04 On the selected ES domain description page, click the Configure cluster button from the dashboard top menu to open the cluster configuration page.

05 On the Configure cluster page, in the Node configuration section, perform the following:

  1. Make sure you have an even number of data nodes in the Instance count box.
  2. Check Enable zone awareness checkbox to switch on the Zone Awareness feature.

06 Click Submit to enable ES cluster cross-zone replication.

07 In the Change cluster configuration dialog box, click OK to confirm the action. The ES domain status should change from Active to Processing and back to Active once the service finishes processing your configuration changes.

08 Repeat steps no. 3 - 7 to enable ES Zone Awareness (i.e. cross-zone replication) for other Elasticsearch clusters available within the current region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) using the name of the Elasticsearch domain that you want to reconfigure (see Audit section part II to identify the right ES resource) to switch on cross-zone replication (i.e. ZoneAwarenessEnabled=true) for the selected ES cluster:

aws es update-elasticsearch-domain-config
	--domain-name cloudconformity-cluster
	--region us-east-1
	--ebs-options EBSEnabled=true,VolumeType="gp2",VolumeSize=150
	--elasticsearch-cluster-config InstanceType="m3.large.elasticsearch",InstanceCount=2,ZoneAwarenessEnabled=true

02 The command output should return the new configuration metadata for the modified Elasticsearch domain (cluster): 

{
    "DomainConfig": {
        "ElasticsearchClusterConfig": {
            "Status": {
                "PendingDeletion": false,
                "State": "Processing",
                "CreationDate": 1480527206.12,
                "UpdateVersion": 9,
                "UpdateDate": 1480531903.387
            },
            "Options": {
                "DedicatedMasterEnabled": false,
                "InstanceCount": 2,
                "ZoneAwarenessEnabled": true,
                "InstanceType": "m3.large.elasticsearch"
            }
        },


        ...


        "ElasticsearchVersion": {
            "Status": {
                "PendingDeletion": false,
                "State": "Active",
                "CreationDate": 1480527206.12,
                "UpdateVersion": 6,
                "UpdateDate": 1480527837.671
            },
            "Options": "2.3"
        },
        "EBSOptions": {
            "Status": {
                "PendingDeletion": false,
                "State": "Processing",
                "CreationDate": 1480527206.12,
                "UpdateVersion": 9,
                "UpdateDate": 1480531903.387
            },
            "Options": {
                "VolumeSize": 150,
                "VolumeType": "gp2",
                "EBSEnabled": true
            }
        }
    }
}

03 Repeat step no. 1 and 2 to enable cross-zone replication for other Elasticsearch clusters available within the current region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the entire process for other regions.

References

Publication date Dec 3, 2016

Related Elasticsearch rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Elasticsearch Zone Awareness Enabled

Risk level: Medium