Elasticsearch Domain Not Encrypted Node To Node
- Query id: 43ed6fe0-edb6-43c2-97be-6501cf563d53
- Query name: Elasticsearch Domain Not Encrypted Node To Node
- Platform: CloudFormation
- Severity: Medium
- Category: Encryption
- CWE: 311
- Risk score: 3.0
- URL: Github
Description¶
Elasticsearch Domain encryption should be enabled node to node
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Example
Resources:
MyOpenSearchDomain:
Type: AWS::OpenSearchService::Domain
Properties:
DomainName: my-sample-domain
EngineVersion: Elasticsearch_7.10
ClusterConfig:
InstanceType: r6g.large.search
InstanceCount: 2
DedicatedMasterEnabled: true
DedicatedMasterType: r6g.large.search
DedicatedMasterCount: 3
ZoneAwarenessEnabled: true
ZoneAwarenessConfig:
AvailabilityZoneCount: 2
EBSOptions:
EBSEnabled: true
VolumeType: gp3
VolumeSize: 50
Iops: 3000
Throughput: 125
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: "*"
Action: "es:*"
Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-sample-domain/*"
EncryptionAtRestOptions:
Enabled: true
DomainEndpointOptions:
EnforceHTTPS: true
TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
SnapshotOptions:
AutomatedSnapshotStartHour: 3
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
override_main_response_version: "true"
Tags:
- Key: Environment
Value: Production
- Key: Project
Value: OpenSearch
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyOpenSearchDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": "my-sample-domain",
"EngineVersion": "Elasticsearch_7.10",
"NodeToNodeEncryptionOptions": {},
"EncryptionAtRestOptions": {
"Enabled": false
},
"DomainEndpointOptions": {
"EnforceHTTPS": true,
"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": 3
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
},
"Tags": [
{
"Key": "Environment",
"Value": "Production"
},
{
"Key": "Project",
"Value": "OpenSearch"
}
]
}
}
}
}
Positive test num. 3 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Example
Resources:
MyElasticsearchDomain:
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: my-es-domain
ElasticsearchVersion: 7.10
NodeToNodeEncryptionOptions:
EncryptionAtRestOptions:
Enabled: true
DomainEndpointOptions:
EnforceHTTPS: true
TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
SnapshotOptions:
AutomatedSnapshotStartHour: 2
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
override_main_response_version: "true"
Tags:
- Key: Environment
Value: Production
- Key: Department
Value: Analytics
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": "my-es-domain",
"ElasticsearchVersion": 7.1,
"NodeToNodeEncryptionOptions": {},
"EncryptionAtRestOptions": {
"Enabled": true
},
"DomainEndpointOptions": {
"EnforceHTTPS": true,
"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": 2
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
},
"Tags": [
{
"Key": "Environment",
"Value": "Production"
},
{
"Key": "Department",
"Value": "Analytics"
}
]
}
}
}
}
Positive test num. 5 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyOpenSearchDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": "my-sample-domain",
"EngineVersion": "Elasticsearch_7.10",
"ClusterConfig": {
"InstanceType": "r6g.large.search",
"InstanceCount": 2,
"DedicatedMasterEnabled": true,
"DedicatedMasterType": "r6g.large.search",
"DedicatedMasterCount": 3,
"ZoneAwarenessEnabled": true,
"ZoneAwarenessConfig": {
"AvailabilityZoneCount": 2
}
},
"EBSOptions": {
"EBSEnabled": true,
"VolumeType": "gp3",
"VolumeSize": 50,
"Iops": 3000,
"Throughput": 125
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": {
"Fn::Sub": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-sample-domain/*"
}
}
]
},
"EncryptionAtRestOptions": {
"Enabled": true
},
"DomainEndpointOptions": {
"EnforceHTTPS": true,
"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": 3
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
},
"Tags": [
{
"Key": "Environment",
"Value": "Production"
},
{
"Key": "Project",
"Value": "OpenSearch"
}
]
}
}
}
}
Positive test num. 6 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Example
Resources:
MyOpenSearchDomain:
Type: AWS::OpenSearchService::Domain
Properties:
DomainName: my-sample-domain
EngineVersion: Elasticsearch_7.10
ClusterConfig:
InstanceType: r6g.large.search
InstanceCount: 2
DedicatedMasterEnabled: true
DedicatedMasterType: r6g.large.search
DedicatedMasterCount: 3
ZoneAwarenessEnabled: true
ZoneAwarenessConfig:
AvailabilityZoneCount: 2
EBSOptions:
EBSEnabled: true
VolumeType: gp3
VolumeSize: 50
Iops: 3000
Throughput: 125
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: "*"
Action: "es:*"
Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-sample-domain/*"
NodeToNodeEncryptionOptions:
Enabled: false
EncryptionAtRestOptions:
Enabled: false
DomainEndpointOptions:
EnforceHTTPS: true
TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
SnapshotOptions:
AutomatedSnapshotStartHour: 3
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
override_main_response_version: "true"
Tags:
- Key: Environment
Value: Production
- Key: Project
Value: OpenSearch
Positive test num. 7 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyOpenSearchDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": "my-sample-domain",
"EngineVersion": "Elasticsearch_7.10",
"ClusterConfig": {
"InstanceType": "r6g.large.search",
"InstanceCount": 2,
"DedicatedMasterEnabled": true,
"DedicatedMasterType": "r6g.large.search",
"DedicatedMasterCount": 3,
"ZoneAwarenessEnabled": true,
"ZoneAwarenessConfig": {
"AvailabilityZoneCount": 2
}
},
"EBSOptions": {
"EBSEnabled": true,
"VolumeType": "gp3",
"VolumeSize": 50,
"Iops": 3000,
"Throughput": 125
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": {
"Fn::Sub": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-sample-domain/*"
}
}
]
},
"NodeToNodeEncryptionOptions": {
"Enabled": false
},
"EncryptionAtRestOptions": {
"Enabled": false
},
"DomainEndpointOptions": {
"EnforceHTTPS": true,
"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": 3
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
},
"Tags": [
{
"Key": "Environment",
"Value": "Production"
},
{
"Key": "Project",
"Value": "OpenSearch"
}
]
}
}
}
}
Positive test num. 8 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Example
Resources:
MyElasticsearchDomain:
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: my-es-domain
ElasticsearchVersion: 7.10
ElasticsearchClusterConfig:
InstanceType: r5.large.elasticsearch
InstanceCount: 2
DedicatedMasterEnabled: true
DedicatedMasterType: r5.large.elasticsearch
DedicatedMasterCount: 3
ZoneAwarenessEnabled: true
ZoneAwarenessConfig:
AvailabilityZoneCount: 2
EBSOptions:
EBSEnabled: true
VolumeType: gp2
VolumeSize: 50
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: "*"
Action: "es:*"
Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-es-domain/*"
EncryptionAtRestOptions:
Enabled: true
DomainEndpointOptions:
EnforceHTTPS: true
TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
SnapshotOptions:
AutomatedSnapshotStartHour: 2
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
override_main_response_version: "true"
Tags:
- Key: Environment
Value: Production
- Key: Department
Value: Analytics
Positive test num. 9 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": "my-es-domain",
"ElasticsearchVersion": 7.1,
"ElasticsearchClusterConfig": {
"InstanceType": "r5.large.elasticsearch",
"InstanceCount": 2,
"DedicatedMasterEnabled": true,
"DedicatedMasterType": "r5.large.elasticsearch",
"DedicatedMasterCount": 3,
"ZoneAwarenessEnabled": true,
"ZoneAwarenessConfig": {
"AvailabilityZoneCount": 2
}
},
"EBSOptions": {
"EBSEnabled": true,
"VolumeType": "gp2",
"VolumeSize": 50
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": {
"Fn::Sub": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-es-domain/*"
}
}
]
},
"EncryptionAtRestOptions": {
"Enabled": true
},
"DomainEndpointOptions": {
"EnforceHTTPS": true,
"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": 2
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
},
"Tags": [
{
"Key": "Environment",
"Value": "Production"
},
{
"Key": "Department",
"Value": "Analytics"
}
]
}
}
}
}
Positive test num. 10 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Example
Resources:
MyElasticsearchDomain:
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: my-es-domain
ElasticsearchVersion: 7.10
ElasticsearchClusterConfig:
InstanceType: r5.large.elasticsearch
InstanceCount: 2
DedicatedMasterEnabled: true
DedicatedMasterType: r5.large.elasticsearch
DedicatedMasterCount: 3
ZoneAwarenessEnabled: true
ZoneAwarenessConfig:
AvailabilityZoneCount: 2
EBSOptions:
EBSEnabled: true
VolumeType: gp2
VolumeSize: 50
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: "*"
Action: "es:*"
Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-es-domain/*"
NodeToNodeEncryptionOptions:
Enabled: false
EncryptionAtRestOptions:
Enabled: true
DomainEndpointOptions:
EnforceHTTPS: true
TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
SnapshotOptions:
AutomatedSnapshotStartHour: 2
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
override_main_response_version: "true"
Tags:
- Key: Environment
Value: Production
- Key: Department
Value: Analytics
Positive test num. 11 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": "my-es-domain",
"ElasticsearchVersion": 7.1,
"ElasticsearchClusterConfig": {
"InstanceType": "r5.large.elasticsearch",
"InstanceCount": 2,
"DedicatedMasterEnabled": true,
"DedicatedMasterType": "r5.large.elasticsearch",
"DedicatedMasterCount": 3,
"ZoneAwarenessEnabled": true,
"ZoneAwarenessConfig": {
"AvailabilityZoneCount": 2
}
},
"EBSOptions": {
"EBSEnabled": true,
"VolumeType": "gp2",
"VolumeSize": 50
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": {
"Fn::Sub": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-es-domain/*"
}
}
]
},
"NodeToNodeEncryptionOptions": {
"Enabled": false
},
"EncryptionAtRestOptions": {
"Enabled": true
},
"DomainEndpointOptions": {
"EnforceHTTPS": true,
"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": 2
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
},
"Tags": [
{
"Key": "Environment",
"Value": "Production"
},
{
"Key": "Department",
"Value": "Analytics"
}
]
}
}
}
}
Positive test num. 12 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Example
Resources:
MyOpenSearchDomain:
Type: AWS::OpenSearchService::Domain
Properties:
DomainName: my-sample-domain
EngineVersion: Elasticsearch_7.10
NodeToNodeEncryptionOptions:
EncryptionAtRestOptions:
Enabled: false
DomainEndpointOptions:
EnforceHTTPS: true
TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
SnapshotOptions:
AutomatedSnapshotStartHour: 3
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
override_main_response_version: "true"
Tags:
- Key: Environment
Value: Production
- Key: Project
Value: OpenSearch
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Example
Resources:
MyOpenSearchDomain:
Type: AWS::OpenSearchService::Domain
Properties:
DomainName: my-sample-domain
EngineVersion: Elasticsearch_7.10
ClusterConfig:
InstanceType: r6g.large.search
InstanceCount: 2
DedicatedMasterEnabled: true
DedicatedMasterType: r6g.large.search
DedicatedMasterCount: 3
ZoneAwarenessEnabled: true
ZoneAwarenessConfig:
AvailabilityZoneCount: 2
EBSOptions:
EBSEnabled: true
VolumeType: gp3
VolumeSize: 50
Iops: 3000
Throughput: 125
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: "*"
Action: "es:*"
Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-sample-domain/*"
NodeToNodeEncryptionOptions:
Enabled: true
EncryptionAtRestOptions:
Enabled: true
DomainEndpointOptions:
EnforceHTTPS: true
TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
SnapshotOptions:
AutomatedSnapshotStartHour: 3
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
override_main_response_version: "true"
Tags:
- Key: Environment
Value: Production
- Key: Project
Value: OpenSearch
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyOpenSearchDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": "my-sample-domain",
"EngineVersion": "Elasticsearch_7.10",
"ClusterConfig": {
"InstanceType": "r6g.large.search",
"InstanceCount": 2,
"DedicatedMasterEnabled": true,
"DedicatedMasterType": "r6g.large.search",
"DedicatedMasterCount": 3,
"ZoneAwarenessEnabled": true,
"ZoneAwarenessConfig": {
"AvailabilityZoneCount": 2
}
},
"EBSOptions": {
"EBSEnabled": true,
"VolumeType": "gp3",
"VolumeSize": 50,
"Iops": 3000,
"Throughput": 125
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": {
"Fn::Sub": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-sample-domain/*"
}
}
]
},
"NodeToNodeEncryptionOptions": {
"Enabled": true
},
"EncryptionAtRestOptions": {
"Enabled": true
},
"DomainEndpointOptions": {
"EnforceHTTPS": true,
"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": 3
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
},
"Tags": [
{
"Key": "Environment",
"Value": "Production"
},
{
"Key": "Project",
"Value": "OpenSearch"
}
]
}
}
}
}
Negative test num. 3 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Example
Resources:
MyElasticsearchDomain:
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: my-es-domain
ElasticsearchVersion: 7.10
ElasticsearchClusterConfig:
InstanceType: r5.large.elasticsearch
InstanceCount: 2
DedicatedMasterEnabled: true
DedicatedMasterType: r5.large.elasticsearch
DedicatedMasterCount: 3
ZoneAwarenessEnabled: true
ZoneAwarenessConfig:
AvailabilityZoneCount: 2
EBSOptions:
EBSEnabled: true
VolumeType: gp2
VolumeSize: 50
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: "*"
Action: "es:*"
Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-es-domain/*"
NodeToNodeEncryptionOptions:
Enabled: true
EncryptionAtRestOptions:
Enabled: true
DomainEndpointOptions:
EnforceHTTPS: true
TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
SnapshotOptions:
AutomatedSnapshotStartHour: 2
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
override_main_response_version: "true"
Tags:
- Key: Environment
Value: Production
- Key: Department
Value: Analytics
Negative test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": "my-es-domain",
"ElasticsearchVersion": 7.1,
"ElasticsearchClusterConfig": {
"InstanceType": "r5.large.elasticsearch",
"InstanceCount": 2,
"DedicatedMasterEnabled": true,
"DedicatedMasterType": "r5.large.elasticsearch",
"DedicatedMasterCount": 3,
"ZoneAwarenessEnabled": true,
"ZoneAwarenessConfig": {
"AvailabilityZoneCount": 2
}
},
"EBSOptions": {
"EBSEnabled": true,
"VolumeType": "gp2",
"VolumeSize": 50
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": {
"Fn::Sub": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-es-domain/*"
}
}
]
},
"NodeToNodeEncryptionOptions": {
"Enabled": true
},
"EncryptionAtRestOptions": {
"Enabled": true
},
"DomainEndpointOptions": {
"EnforceHTTPS": true,
"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": 2
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
},
"Tags": [
{
"Key": "Environment",
"Value": "Production"
},
{
"Key": "Department",
"Value": "Analytics"
}
]
}
}
}
}
Negative test num. 5 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Example
Resources:
MyOpenSearchDomain:
Type: AWS::OpenSearchService::Domain
Properties:
DomainName: my-sample-domain
EngineVersion: Elasticsearch_7.10
ClusterConfig:
InstanceType: r6g.large.search
InstanceCount: 2
DedicatedMasterEnabled: true
DedicatedMasterType: r6g.large.search
DedicatedMasterCount: 3
ZoneAwarenessEnabled: true
ZoneAwarenessConfig:
AvailabilityZoneCount: 2
EBSOptions:
EBSEnabled: true
VolumeType: gp3
VolumeSize: 50
Iops: 3000
Throughput: 125
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: "*"
Action: "es:*"
Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-sample-domain/*"
NodeToNodeEncryptionOptions:
Enabled: "true"
EncryptionAtRestOptions:
Enabled: true
DomainEndpointOptions:
EnforceHTTPS: true
TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
SnapshotOptions:
AutomatedSnapshotStartHour: 3
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
override_main_response_version: "true"
Tags:
- Key: Environment
Value: Production
- Key: Project
Value: OpenSearch
Negative test num. 6 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyOpenSearchDomain": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": "my-sample-domain",
"EngineVersion": "Elasticsearch_7.10",
"ClusterConfig": {
"InstanceType": "r6g.large.search",
"InstanceCount": 2,
"DedicatedMasterEnabled": true,
"DedicatedMasterType": "r6g.large.search",
"DedicatedMasterCount": 3,
"ZoneAwarenessEnabled": true,
"ZoneAwarenessConfig": {
"AvailabilityZoneCount": 2
}
},
"EBSOptions": {
"EBSEnabled": true,
"VolumeType": "gp3",
"VolumeSize": 50,
"Iops": 3000,
"Throughput": 125
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": {
"Fn::Sub": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-sample-domain/*"
}
}
]
},
"NodeToNodeEncryptionOptions": {
"Enabled": "true"
},
"EncryptionAtRestOptions": {
"Enabled": true
},
"DomainEndpointOptions": {
"EnforceHTTPS": true,
"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": 3
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
},
"Tags": [
{
"Key": "Environment",
"Value": "Production"
},
{
"Key": "Project",
"Value": "OpenSearch"
}
]
}
}
}
}
Negative test num. 7 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: Example
Resources:
MyElasticsearchDomain:
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: my-es-domain
ElasticsearchVersion: 7.10
ElasticsearchClusterConfig:
InstanceType: r5.large.elasticsearch
InstanceCount: 2
DedicatedMasterEnabled: true
DedicatedMasterType: r5.large.elasticsearch
DedicatedMasterCount: 3
ZoneAwarenessEnabled: true
ZoneAwarenessConfig:
AvailabilityZoneCount: 2
EBSOptions:
EBSEnabled: true
VolumeType: gp2
VolumeSize: 50
AccessPolicies:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: "*"
Action: "es:*"
Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-es-domain/*"
NodeToNodeEncryptionOptions:
Enabled: "true"
EncryptionAtRestOptions:
Enabled: true
DomainEndpointOptions:
EnforceHTTPS: true
TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
SnapshotOptions:
AutomatedSnapshotStartHour: 2
AdvancedOptions:
rest.action.multi.allow_explicit_index: "true"
override_main_response_version: "true"
Tags:
- Key: Environment
Value: Production
- Key: Department
Value: Analytics
Negative test num. 8 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Example",
"Resources": {
"MyElasticsearchDomain": {
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"DomainName": "my-es-domain",
"ElasticsearchVersion": 7.1,
"ElasticsearchClusterConfig": {
"InstanceType": "r5.large.elasticsearch",
"InstanceCount": 2,
"DedicatedMasterEnabled": true,
"DedicatedMasterType": "r5.large.elasticsearch",
"DedicatedMasterCount": 3,
"ZoneAwarenessEnabled": true,
"ZoneAwarenessConfig": {
"AvailabilityZoneCount": 2
}
},
"EBSOptions": {
"EBSEnabled": true,
"VolumeType": "gp2",
"VolumeSize": 50
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": {
"Fn::Sub": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/my-es-domain/*"
}
}
]
},
"NodeToNodeEncryptionOptions": {
"Enabled": "true"
},
"EncryptionAtRestOptions": {
"Enabled": true
},
"DomainEndpointOptions": {
"EnforceHTTPS": true,
"TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"
},
"SnapshotOptions": {
"AutomatedSnapshotStartHour": 2
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": "true",
"override_main_response_version": "true"
},
"Tags": [
{
"Key": "Environment",
"Value": "Production"
},
{
"Key": "Department",
"Value": "Analytics"
}
]
}
}
}
}