Profile Applicability:

  • Level 1

Description:

Amazon Elasticsearch Service, now known as Amazon OpenSearch Service, is a fully managed service that allows users to search, analyze, and visualize data in real time. Like any software, the OpenSearch service needs to be kept up to date so that it runs with the latest features, bug fixes, and security patches. This SOP provides a guide for checking whether updates are available for OpenSearch domains and ensuring that your domain is running the latest stable version.

By regularly checking for updates and applying them, you ensure your OpenSearch domain benefits from the latest improvements, including better security, new capabilities, and performance enhancements.

Rationale:

Keeping Amazon OpenSearch Service domains up to date is critical for:

  • Security: Ensures that the domain is protected from known vulnerabilities and threats.

  • Reliability: Updates may fix bugs or improve the stability of the service.

  • Feature Enhancements: New features and performance improvements are typically included in updates.

  • Compliance: Maintaining the latest versions ensures compliance with data management and security best practices, which are essential for frameworks such as SOC 2, PCI-DSS, and HIPAA.

Impact:

Pros:

  • Security: Helps patch known vulnerabilities and improve the security posture of your OpenSearch domains.

  • Stability: Updates often include bug fixes that prevent issues that could lead to downtime or service degradation.

  • New Features: Provides access to new features and capabilities, helping keep your environment competitive and feature-rich.

  • Compliance: Ensures that your OpenSearch environment adheres to the latest security and compliance standards.

Cons:

  • Downtime Risk: In some cases, applying updates might cause brief service interruptions. It is essential to schedule updates during maintenance windows to minimize downtime.

  • Compatibility: Some updates may introduce breaking changes that require application adjustments or testing.

  • Operational Overhead: Requires monitoring and manual intervention to check for updates and apply them.

Default Value:

By default, Amazon OpenSearch Service domains are not automatically updated. You must manually check for updates and apply them based on the requirements of your organization and the service health.

Pre-requisite:

  • AWS IAM Permissions:

    • es:DescribeDomain

    • es:ListDomainNames

    • es:UpdateDomainConfig

  • AWS CLI installed and configured.

  • Basic knowledge of OpenSearch/Elasticsearch domains and update management.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon OpenSearch Service under Services.

  3. In the OpenSearch Dashboard, go to Domains.

  4. Select the domain you want to inspect.

  5. In the Domain Details page, under the Version section, check the Elasticsearch/OpenSearch version.

  6. Look for any indications of an available update in the version section.

  7. If an update is available, you will be prompted with an option to upgrade to the latest version.

Using AWS CLI:

To list all OpenSearch domains, run:

aws es list-domain-names --query 'DomainNames[*].DomainName'

To check the version and updates available for a specific domain, run:

aws es describe-elasticsearch-domain --domain-name <your-domain-name> --query 'DomainStatus.ElasticsearchVersion'

Review the output to see the Elasticsearch/OpenSearch version and check if it matches the latest version available.

Example output (abridged; shown without the --query filter):

{
  "DomainStatus": {
    "ElasticsearchVersion": "7.10",
    "DomainName": "my-opensearch-domain"
  }
}

Check the AWS OpenSearch documentation for the latest available version to compare and determine if an upgrade is needed.
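
The CLI checks above, applied to every domain in the account, as an added example that is not part of the original SOP. It goes beyond the manual comparison by asking the service itself for upgrade targets (aws es get-compatible-elasticsearch-versions) and for a pending service software update (DomainStatus.ServiceSoftwareOptions.UpdateAvailable), neither of which appears on this page; the function names, status labels and sample values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report which domains have an engine upgrade or a service
# software update pending, instead of comparing versions by hand.

# classify_domain NAME CURRENT TARGETS SW_UPDATE -> prints one status line.
#   TARGETS:   upgrade targets reported by the service ("" or "None" if none)
#   SW_UPDATE: "True" when a service software update is pending
classify_domain() (   # body runs in a subshell, so variables stay local
  name=$1 current=$2 targets=$3 sw=$4 status=UP_TO_DATE detail=""
  if [ "$targets" = "None" ]; then targets=""; fi
  # --output text separates list items with tabs; turn them into a comma list.
  targets=$(printf '%s' "$targets" | tr -s ' \t\n' ',' | sed 's/^,//; s/,$//')
  if [ -n "$targets" ]; then
    status=ENGINE_UPGRADE_AVAILABLE
    detail="targets=$targets"
  fi
  if [ "$sw" = "True" ]; then
    if [ "$status" = UP_TO_DATE ]; then status=SOFTWARE_UPDATE_AVAILABLE; fi
    detail="${detail:+$detail }service_software_update=pending"
  fi
  printf '%s %s %s%s\n' "$name" "$current" "$status" "${detail:+ $detail}"
)

# audit_domains: query every domain in the current account and region.
audit_domains() {
  for d in $(aws es list-domain-names \
               --query 'DomainNames[*].DomainName' --output text); do
    current=$(aws es describe-elasticsearch-domain --domain-name "$d" \
      --query 'DomainStatus.ElasticsearchVersion' --output text)
    sw=$(aws es describe-elasticsearch-domain --domain-name "$d" \
      --query 'DomainStatus.ServiceSoftwareOptions.UpdateAvailable' --output text)
    targets=$(aws es get-compatible-elasticsearch-versions --domain-name "$d" \
      --query 'CompatibleElasticsearchVersions[0].TargetVersions' --output text)
    classify_domain "$d" "$current" "$targets" "$sw"
  done
}

if [ "${1:-}" = "--live" ]; then
  audit_domains            # needs AWS CLI credentials
else
  # Constructed sample values, not real domains.
  classify_domain logs-prod 7.9 "$(printf '7.10\tOpenSearch_1.3')" False
  classify_domain search-dev OpenSearch_2.11 "" True
fi
```

Run it with --live to query the account; any line whose status is not UP_TO_DATE is a domain to schedule for a maintenance window.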

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to OpenSearch Service.

  3. Go to Domains and select the domain you wish to inspect.

  4. In the Domain Details section, confirm the current version.

  5. Compare it with the latest available version as per the OpenSearch release notes.

  6. If an update is available, click Upgrade and follow the on-screen instructions to apply the update.

Using AWS CLI:

To apply an update to an OpenSearch domain, use the following command:

aws es upgrade-elasticsearch-domain \
  --domain-name <your-domain-name> \
  --target-version <new-version>

Confirm that the update was successfully applied by describing the domain again:

aws es describe-elasticsearch-domain --domain-name <your-domain-name>

Ensure that the ElasticsearchVersion reflects the updated version.

Backout Plan:

If updating the OpenSearch domain causes issues:

Identify the affected domain.

To revert to the previous version, use the following command:

aws es update-elasticsearch-domain-config \
  --domain-name <your-domain-name> \
  --elasticsearch-version <previous-version>

Monitor the cluster for any issues after rolling back and verify that it is operating correctly.

References:

CIS Controls Mapping:

| Version | Control ID | Control Description | IG1 | IG2 | IG3 |
|---------|------------|---------------------|-----|-----|-----|
| v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | | |
| v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | | |
| v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | | |