AWS Config Rule: OpenSearch in VPC Only

OPENSEARCH_IN_VPC_ONLY

Ryan Ware

Last Update hace 6 meses

Description: Checks if Amazon OpenSearch Service domains are in an Amazon Virtual Private Cloud (VPC). The rule is NON_COMPLIANT if an OpenSearch Service domain endpoint is public.


Trigger type: Configuration changes


AWS Region: All supported AWS regions except China (Beijing), Asia Pacific (Jakarta), Africa (Cape Town), Middle East (UAE), Asia Pacific (Hyderabad), Asia Pacific (Osaka), Asia Pacific (Melbourne), Europe (Milan), AWS GovCloud (US-East), AWS GovCloud (US-West), Israel (Tel Aviv), Europe (Spain), China (Ningxia), Europe (Zurich) Region


How to Resolve Manually

By default when you attempt to create a new Amazon OpenSearch Service Domain, the Network configuration is set to VPC access. By choosing Public Access - this will fail the above AWS Config Rule and mark your domain as NON_COMPLIANT as this endpoint is public and not inside an Amazon VPC.


You can configure VPC access however by setting the following values in the Network Configuration part of your Amazon OpenSearch Service Domain:


  • VPC - Choose your desired VPC for your domain to exist within
  • Subnets - Choose up to three subnets within the chosen VPC for network access
  • Security Groups - Assign one or more security groups to your domain

Once these parameters have been configured, choose SAVE to ensure your Amazon OpenSearch Service Domain has been configured to exist within a VPC, which adds am extra layer of network security and will mark this domain as COMPLIANT for this particular AWS Config Rule.


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here

Was this article helpful?

0 out of 0 liked this article

Still need help? Message Us