Table: aws_elasticsearch_domains

This table shows data for Elasticsearch Domains.

https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_DomainStatus.html

The primary key for this table is arn.

Columns

Name | Type
--- | ---
_cq_id | uuid
_cq_parent_id | uuid
account_id | utf8
region | utf8
authorized_principals | json
tags | json
arn (PK) | utf8
domain_id | utf8
domain_name | utf8
elasticsearch_cluster_config | json
access_policies | utf8
advanced_options | json
advanced_security_options | json
auto_tune_options | json
change_progress_details | json
cognito_options | json
created | bool
deleted | bool
domain_endpoint_options | json
ebs_options | json
elasticsearch_version | utf8
encryption_at_rest_options | json
endpoint | utf8
endpoints | json
log_publishing_options | json
node_to_node_encryption_options | json
processing | bool
service_software_options | json
snapshot_options | json
upgrade_processing | bool
vpc_options | json

Example Queries

These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.

Connections to Elasticsearch domains should be encrypted using TLS 1.2

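-- Pass only when the domain pins a minimum TLS policy of 1.2 or stricter.
-- AWS offers two TLS-1.2 minimum policies: Policy-Min-TLS-1-2-2019-07 and the
-- newer Policy-Min-TLS-1-2-PFS-2023-10 (TLS 1.2 with forward-secrecy ciphers);
-- an exact match on the 2019 policy alone would wrongly fail the stricter one.
-- COALESCE maps a missing TLSSecurityPolicy to '' so NOT IN cannot yield NULL
-- and an unset domain lands in the 'fail' branch rather than silently passing.
SELECT
  'Connections to Elasticsearch domains should be encrypted using TLS 1.2'
    AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN COALESCE(domain_endpoint_options->>'TLSSecurityPolicy', '')
      NOT IN ('Policy-Min-TLS-1-2-2019-07', 'Policy-Min-TLS-1-2-PFS-2023-10')
    THEN 'fail'
    ELSE 'pass'
  END
    AS status
FROM
  aws_elasticsearch_domains;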

Elasticsearch domain error logging to CloudWatch Logs should be enabled

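-- A domain passes only when ES_APPLICATION_LOGS is enabled AND points at a
-- CloudWatch log group. The final hop uses ->> (text) rather than -> (jsonb):
-- with ->, a key that is present but set to JSON null comes back as the jsonb
-- value 'null', which is NOT NULL in SQL and would let a domain with an
-- explicitly null log-group ARN pass. ->> returns SQL NULL for both a missing
-- key and a JSON null, and makes the 'true' comparison a plain text comparison.
SELECT
  'Elasticsearch domain error logging to CloudWatch Logs should be enabled'
    AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN log_publishing_options->'ES_APPLICATION_LOGS'->>'Enabled'
      IS DISTINCT FROM 'true'
    OR log_publishing_options->'ES_APPLICATION_LOGS'->>'CloudWatchLogsLogGroupArn'
      IS NULL
    THEN 'fail'
    ELSE 'pass'
  END
    AS status
FROM
  aws_elasticsearch_domains;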

Elasticsearch domains should be configured with at least three dedicated master nodes

-- Pull the two relevant cluster-config fields out of the JSON once, then
-- express the policy as a plain test over typed columns. A domain fails when
-- dedicated masters are not enabled (including when the flag is absent) or
-- when fewer than three are configured (a missing count counts as zero).
WITH cluster AS (
  SELECT
    account_id,
    arn,
    CAST(elasticsearch_cluster_config->>'DedicatedMasterEnabled' AS boolean)
      AS dedicated_master_enabled,
    CAST(elasticsearch_cluster_config->>'DedicatedMasterCount' AS bigint)
      AS dedicated_master_count
  FROM
    aws_elasticsearch_domains
)
SELECT
  'Elasticsearch domains should be configured with at least three dedicated master nodes'
    AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN dedicated_master_enabled IS DISTINCT FROM true
      OR COALESCE(dedicated_master_count, 0) < 3
    THEN 'fail'
    ELSE 'pass'
  END
    AS status
FROM
  cluster;

Elasticsearch domains should be in a VPC

-- A domain is considered VPC-attached when its vpc_options carry a VPCId;
-- anything else (absent key, JSON null, or no vpc_options at all) fails.
SELECT
  'Elasticsearch domains should be in a VPC' AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN vpc_options->>'VPCId' IS NOT NULL THEN 'pass'
    ELSE 'fail'
  END
    AS status
FROM
  aws_elasticsearch_domains;

Elasticsearch domains should encrypt data sent between nodes

-- Pass only when node-to-node encryption is explicitly enabled; a missing or
-- null Enabled flag is treated the same as false.
SELECT
  'Elasticsearch domains should encrypt data sent between nodes' AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN CAST(node_to_node_encryption_options->>'Enabled' AS boolean) IS true
    THEN 'pass'
    ELSE 'fail'
  END
    AS status
FROM
  aws_elasticsearch_domains;

Elasticsearch domains should have at least three data nodes

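-- A domain passes only when zone awareness is enabled and it has at least
-- three data nodes. ZoneAwarenessEnabled is tested with IS NOT true rather
-- than NOT: when the key is absent the cast yields NULL, NOT NULL is NULL,
-- and a NULL WHEN condition falls through to 'pass' — so a domain that
-- never set zone awareness would have been reported as compliant. This also
-- matches the dedicated-master query, which already uses IS NOT true.
-- A missing InstanceCount is treated as zero, i.e. fewer than three nodes.
SELECT
  'Elasticsearch domains should have at least three data nodes' AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN (elasticsearch_cluster_config->>'ZoneAwarenessEnabled')::BOOL IS NOT true
    OR COALESCE((elasticsearch_cluster_config->>'InstanceCount')::INT8, 0) < 3
    THEN 'fail'
    ELSE 'pass'
  END
    AS status
FROM
  aws_elasticsearch_domains;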

Elasticsearch domains should have audit logging enabled

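-- A domain passes only when AUDIT_LOGS is enabled AND has a CloudWatch log
-- group. The final hop uses ->> (text) rather than -> (jsonb): with ->, a key
-- present but set to JSON null returns the jsonb value 'null', which is NOT
-- NULL in SQL, so a domain with an explicitly null log-group ARN would pass.
-- ->> yields SQL NULL for both a missing key and a JSON null, and turns the
-- 'true' check into a plain text comparison.
SELECT
  'Elasticsearch domains should have audit logging enabled' AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN log_publishing_options->'AUDIT_LOGS'->>'Enabled' IS DISTINCT FROM 'true'
    OR log_publishing_options->'AUDIT_LOGS'->>'CloudWatchLogsLogGroupArn' IS NULL
    THEN 'fail'
    ELSE 'pass'
  END
    AS status
FROM
  aws_elasticsearch_domains;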

Elasticsearch domains should have encryption at rest enabled

-- Pass only when encryption at rest is explicitly enabled; an absent or null
-- Enabled flag is reported as a failure, same as false.
SELECT
  'Elasticsearch domains should have encryption at rest enabled' AS title,
  account_id,
  arn AS resource_id,
  CASE
    WHEN CAST(encryption_at_rest_options->>'Enabled' AS boolean) IS true
    THEN 'pass'
    ELSE 'fail'
  END
    AS status
FROM
  aws_elasticsearch_domains;