AWS Elasticsearch domain has Dedicated master set to disabled
Description
This policy checks whether Elasticsearch/OpenSearch clusters are configured with a dedicated master node. A dedicated master node helps ensure that the cluster’s state and health status are managed properly and prevents the cluster from becoming unstable in case of failures.
Code Example
```hcl
resource "aws_elasticsearch_domain" "example" {
  domain_name = "example"

  cluster_config {
    instance_count           = 5
    dedicated_master_enabled = true # the setting this policy checks for
    dedicated_master_type    = "m3.medium.elasticsearch"
  }
}
```
Remediation
Terraform
- Resource: aws_opensearch_domain, aws_elasticsearch_domain
- Arguments: cluster_config.dedicated_master_enabled
To fix the issue, ensure the 'dedicated_master_enabled' configuration is set to 'true' inside the 'cluster_config' block of the Elasticsearch or OpenSearch domain resource.
Secure code example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0493 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AWS_59 |
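
The condition this policy describes, evaluated over the JSON produced by `terraform show -json`, as an added example that is not part of the original page and is not Checkov's own implementation. The function names and the sample plan are constructed for illustration; the sample is trimmed to the fields the check reads.

```python
import json

# Resource types named in the remediation section above.
DOMAIN_TYPES = {"aws_elasticsearch_domain", "aws_opensearch_domain"}

def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def domains_without_dedicated_master(plan):
    """Return addresses of domains lacking dedicated_master_enabled = true."""
    root = plan.get("planned_values", {}).get("root_module", {})
    failing = []
    for res in iter_resources(root):
        if res.get("type") not in DOMAIN_TYPES:
            continue
        # Plan JSON renders the nested cluster_config block as a list of objects.
        blocks = (res.get("values") or {}).get("cluster_config") or []
        # Absent, null and false all fail; only an explicit true passes.
        if not any(b.get("dedicated_master_enabled") is True for b in blocks):
            failing.append(res["address"])
    return failing

# Constructed sample plan (hypothetical resources), not output from a real run.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_elasticsearch_domain.example", "type": "aws_elasticsearch_domain", "values": {"cluster_config": [{"instance_count": 5, "dedicated_master_enabled": true}]}},
    {"address": "aws_opensearch_domain.logs", "type": "aws_opensearch_domain", "values": {"cluster_config": [{"instance_count": 3, "dedicated_master_enabled": false}]}},
    {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket", "values": {"bucket": "assets"}}
  ],
  "child_modules": [{"address": "module.search", "resources": [
    {"address": "module.search.aws_elasticsearch_domain.legacy", "type": "aws_elasticsearch_domain", "values": {"cluster_config": [{"instance_count": 1, "dedicated_master_enabled": null}]}}
  ]}]
}}}
""")

if __name__ == "__main__":
    for address in domains_without_dedicated_master(SAMPLE_PLAN):
        print(f"FAIL dedicated master not enabled: {address}")
```
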