Opensearch Data Node Should Have Fault Tolerance
More Info:
This rule checks if Amazon OpenSearch Service domains are configured with at least three data nodes and zoneAwarenessEnabled is true. The rule is NON_COMPLIANT for an OpenSearch domain if ‘instanceCount’ is less than 3 or ‘zoneAwarenessEnabled’ is set to ‘false’.Risk Level
MediumAddress
ConfigurationCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the lack of fault tolerance for an OpenSearch data node in AWS, you can follow these steps using the AWS Management Console:
-
Navigate to Amazon OpenSearch Service Console:
- Go to the AWS Management Console (https://console.aws.amazon.com).
- In the “Find services” search bar, type “OpenSearch Service” and click on it to open the OpenSearch dashboard.
-
Select the OpenSearch Domain:
- From the list of OpenSearch domains, select the domain for which you want to enable fault tolerance.
-
Modify the Domain Configuration:
- In the OpenSearch dashboard, locate and click on the domain name that you want to modify.
- Click on the “Modify domain” button to update the domain configuration.
-
Enable Zone Awareness:
- In the “Configure cluster” section, find the “Enable zone awareness” option and toggle it to enable fault tolerance.
- Zone awareness ensures that each primary shard has at least one replica in a different Availability Zone.
-
Select the Number of Availability Zones:
- Choose the number of Availability Zones you want to distribute your data across. It is recommended to select at least 2 Availability Zones for fault tolerance.
-
Save the Configuration Changes:
- Review the other settings and configurations to ensure they are correct.
- Click on the “Submit” button to save the changes and apply fault tolerance to your OpenSearch domain.
-
Monitor the Domain:
- Once the configuration changes are saved, monitor the domain to ensure that the fault tolerance settings are applied correctly.
- You can check the domain status and cluster health in the OpenSearch dashboard.
Using CLI
Using CLI
To enable fault tolerance for OpenSearch data nodes in AWS, you can follow these steps using the AWS CLI:
-
Identify the OpenSearch domain:
Run the following AWS CLI command to list all the OpenSearch domains in your AWS account:
-
Get the configuration of the OpenSearch domain:
Run the following AWS CLI command to get the configuration of the specific OpenSearch domain:
-
Update the domain configuration to enable fault tolerance:
Run the following AWS CLI command to update the domain configuration and enable fault tolerance for data nodes:
In this command:
- Replace
YOUR_DOMAIN_NAMEwith the name of your OpenSearch domain. - Adjust the
InstanceTypeandInstanceCountvalues as per your requirements. - Set
ZoneAwarenessEnabledtotrueto enable fault tolerance across Availability Zones.
- Replace
-
Monitor the domain status:
Run the following AWS CLI command to monitor the status of the OpenSearch domain until it is active:
Using Python
Using Python
To remediate the misconfiguration of Opensearch Data Node not having fault tolerance in AWS OpenSearch using Python, follow these steps:
- Define the AWS OpenSearch domain configuration using the AWS SDK for Python (Boto3). Ensure that the domain has multiple data nodes for fault tolerance.
- Run the Python script to update the AWS OpenSearch domain configuration with fault tolerance enabled for data nodes.
- Verify the domain configuration in the AWS Management Console or by using the describe_elasticsearch_domain_config API to ensure that the fault tolerance settings have been applied successfully.