AWS Elasticsearch

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes
Access Control Policy
Design Guidance:
Identity and Access Management in Amazon OpenSearch Service - Amazon OpenSearch Service
AWS::Elasticsearch::Domain
Access Policies
​Cloud Formation​
​Terraform​
Advanced Security Options-Enabled
​Cloud Formation​
​Terraform​
Cognito Options-Role Arn
​Cloud Formation​
​Terraform​
Identification and Authentication
Design Guidance:
Fine-grained access control in Amazon OpenSearch Service - Amazon OpenSearch Service
Amazon OpenSearch Service
AWS::Elasticsearch::Domain
Advanced Security Options-Internal User Database Enabled
​Cloud Formation​
​Terraform​
Master User Options-Master User Arn
​Cloud Formation​
​Terraform​
Master User Options-Master User Name
​Cloud Formation​
​Terraform​
Master User Options-Master User Password
​Cloud Formation​
​Terraform​
Cognito Options-Enabled
​Cloud Formation​
​Terraform​
Cognito Options-Identity Pool Id
​Cloud Formation​
​Terraform​
Cognito Options-User Pool Id
​Cloud Formation​
​Terraform​
AWS::Elasticsearch::UpdateElasticsearchDomainConfig
SAMLoptions-Enabled
​Cloud Formation​
Idp-Entity Id
​Cloud Formation​
Idp-Metadata Content
​Cloud Formation​
SAMLoptions-Subject Key
​Cloud Formation​
TLS
Design Guidance:
Node-to-node encryption for Amazon OpenSearch Service - Amazon OpenSearch Service
Creating and managing Amazon OpenSearch Service domains - Amazon OpenSearch Service
Amazon OpenSearch Service
AWS::Elasticsearch::Domain
Domain Endpoint Options-Enforce HTTPS
​Cloud Formation​
​Terraform​
Node To Node Encryption Options-Enabled
​Cloud Formation​
​Terraform​
Domain Endpoint Options-TLSsecurity Policy
​Cloud Formation​
​Terraform​
Design for High Availability
Design Guidance:
Creating and managing Amazon OpenSearch Service domains - Amazon OpenSearch Service
AWS::Elasticsearch::Domain
Ebsoptions-Ebsenabled
​Cloud Formation​
​Terraform​
Ebsoptions-Iops
​Cloud Formation​
​Terraform​
Ebsoptions-Volume Size
​Cloud Formation​
​Terraform​
Ebsoptions-Volume Type
​Cloud Formation​
​Terraform​
Zone Awareness Config-Availability Zone Count
​Cloud Formation​
​Terraform​
Elasticsearch Cluster Config-Zone Awareness Enabled
​Cloud Formation​
​Terraform​
Transparent Data Encryption
Design Guidance:
Encryption of data at rest for Amazon OpenSearch Service - Amazon OpenSearch Service
AWS::Elasticsearch::Domain
Encryption At Rest Options-Enabled
​Cloud Formation​
​Terraform​
Protect Cryptographic Keys
Design Guidance:
Encryption of data at rest for Amazon OpenSearch Service - Amazon OpenSearch Service
Amazon OpenSearch Service
AWS::Elasticsearch::Domain
Encryption At Rest Options-Kms Key Id
​Cloud Formation​
​Terraform​
Logging
Design Guidance:
Monitoring OpenSearch logs with Amazon CloudWatch Logs - Amazon OpenSearch Service
Amazon OpenSearch Service
AWS::Elasticsearch::Domain
[a-z A-z0-9]+-Cloud Watch Logs Log Group Arn
​Cloud Formation​
​Terraform​
[a-z A-z0-9]+-Enabled
​Cloud Formation​
​Terraform​
Backups
Design Guidance:
Creating index snapshots in Amazon OpenSearch Service - Amazon OpenSearch Service
Amazon OpenSearch Service
AWS::Elasticsearch::Domain
Snapshot Options-Automated Snapshot Start Hour
​Cloud Formation​
​Terraform​
Asset Inventory
Design Guidance:
Tagging Amazon OpenSearch Service domains - Amazon OpenSearch Service
Amazon OpenSearch Service
AWS::Elasticsearch::Domain
Tags
​Cloud Formation​
​Terraform​
Firewalls
Design Guidance:
Control traffic to resources using security groups - Amazon Virtual Private Cloud
Amazon Virtual Private Cloud
AWS::Elasticsearch::Domain
VPCoptions-Security Group Ids
​Cloud Formation​
​Terraform​
Subnet Isolation
Design Guidance:
Launching your Amazon OpenSearch Service domains within a VPC - Amazon OpenSearch Service
Amazon OpenSearch Service
AWS::Elasticsearch::Domain
VPCoptions-Subnet Ids
​Cloud Formation​
​Terraform​
Access Policy Enforcement
AWS::Elasticsearch::UpdateElasticsearchDomainConfig
SAMLoptions-Roles Key
​Cloud Formation​
Session Limits
AWS::Elasticsearch::UpdateElasticsearchDomainConfig
SAMLoptions-Session Timeout Minutes
​Cloud Formation​

AWS ElasticLoadBalancingV2

AWS IAM

Last modified 1yr ago

Access Policies	Cloud Formation	Terraform
Advanced Security Options-Enabled	Cloud Formation	Terraform
Cognito Options-Role Arn	Cloud Formation	Terraform

Advanced Security Options-Internal User Database Enabled	Cloud Formation	Terraform
Master User Options-Master User Arn	Cloud Formation	Terraform
Master User Options-Master User Name	Cloud Formation	Terraform
Master User Options-Master User Password	Cloud Formation	Terraform
Cognito Options-Enabled	Cloud Formation	Terraform
Cognito Options-Identity Pool Id	Cloud Formation	Terraform
Cognito Options-User Pool Id	Cloud Formation	Terraform

SAMLoptions-Enabled	Cloud Formation
Idp-Entity Id	Cloud Formation
Idp-Metadata Content	Cloud Formation
SAMLoptions-Subject Key	Cloud Formation

Domain Endpoint Options-Enforce HTTPS	Cloud Formation	Terraform
Node To Node Encryption Options-Enabled	Cloud Formation	Terraform
Domain Endpoint Options-TLSsecurity Policy	Cloud Formation	Terraform

Ebsoptions-Ebsenabled	Cloud Formation	Terraform
Ebsoptions-Iops	Cloud Formation	Terraform
Ebsoptions-Volume Size	Cloud Formation	Terraform
Ebsoptions-Volume Type	Cloud Formation	Terraform
Zone Awareness Config-Availability Zone Count	Cloud Formation	Terraform
Elasticsearch Cluster Config-Zone Awareness Enabled	Cloud Formation	Terraform

[a-z A-z0-9]+-Cloud Watch Logs Log Group Arn	Cloud Formation	Terraform
[a-z A-z0-9]+-Enabled	Cloud Formation	Terraform