OpenSearch domain has at least 3 data nodes and Zone Awareness enabled
opensearch_service_domains_fault_tolerant_data_nodes
This check assesses Amazon OpenSearch domains for fault tolerance and passes a domain only when it has at least 3 data nodes (instance_count >= 3) and Zone Awareness enabled (zone_awareness_enabled = true), so that shards are distributed across Availability Zones rather than concentrated in one.
Risk
Insufficient data nodes or disabled Zone Awareness reduces availability and durability. A node or AZ failure can trigger shard unavailability, write failures, or cluster outage, increasing risk of data inconsistency during rebalancing and blocking reads/writes until recovery.
prowler aws --checks opensearch_service_domains_fault_tolerant_data_nodes
Recommendation
Configure OpenSearch with >= 3 data nodes and enable Zone Awareness to spread nodes across AZs.
- Prefer Multi-AZ with Standby for resilient failover
- Use node counts in multiples of three (so nodes spread evenly across three AZs) and set index replicas to at least 1
- Practice capacity planning and failure testing as defense in depth
Remediation
aws opensearch update-domain-config --domain-name <example_resource_name> --cluster-config InstanceCount=3,ZoneAwarenessEnabled=true
Without a ZoneAwarenessConfig the service spreads the domain across two Availability Zones; append ZoneAwarenessConfig={AvailabilityZoneCount=3} to the --cluster-config value to use three, and keep the data node count a multiple of the AZ count so nodes are distributed evenly.
- Open the AWS Console and go to Amazon OpenSearch Service
- Select your domain and click Edit domain
- Under Cluster configuration:
- Set Number of data nodes to 3 (or more)
- Enable Zone awareness
- Click Submit to apply the changes
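The following is an added example, not Prowler's own check code or anything from the AWS console. It applies the assessment described above (InstanceCount >= 3 and ZoneAwarenessEnabled true) to the ClusterConfig block that opensearch:DescribeDomain returns, and derives the ClusterConfig that the remediation call would send, adding the 3-AZ ZoneAwarenessConfig and rounding the node count up to a multiple of the AZ count. The sample ClusterConfig blocks are constructed; the domain names, helper names (`evaluate`, `remediation_config`, `check_domain`) and the `TARGET_AZ_COUNT` constant are assumptions of this example.

```python
"""Assess OpenSearch Service domains as this check does and build the
ClusterConfig that remediates a failing one. Added example, not Prowler's
implementation; sample configs are constructed, not from a real account."""
from __future__ import annotations

import math
from typing import Any

MIN_DATA_NODES = 3  # threshold used by the check
TARGET_AZ_COUNT = 3  # recommendation: spread data nodes across three AZs

# Constructed ClusterConfig blocks (same shape as DescribeDomain output).
SAMPLE_DOMAINS: dict[str, dict[str, Any]] = {
    "single-node-dev": {
        "InstanceType": "t3.small.search",
        "InstanceCount": 1,
        "ZoneAwarenessEnabled": False,
    },
    "two-az-prod": {
        "InstanceType": "r6g.large.search",
        "InstanceCount": 4,
        "ZoneAwarenessEnabled": True,
        "ZoneAwarenessConfig": {"AvailabilityZoneCount": 2},
    },
    "three-az-prod": {
        "InstanceType": "r6g.large.search",
        "InstanceCount": 6,
        "ZoneAwarenessEnabled": True,
        "ZoneAwarenessConfig": {"AvailabilityZoneCount": 3},
    },
}


def evaluate(cluster_config: dict[str, Any]) -> tuple[bool, str]:
    """Return (passed, reason). PASS requires InstanceCount >= 3 and
    ZoneAwarenessEnabled == True, the two fields the check tests."""
    count = int(cluster_config.get("InstanceCount", 0))
    zone_aware = bool(cluster_config.get("ZoneAwarenessEnabled", False))
    # Zone awareness without an explicit ZoneAwarenessConfig means two AZs.
    azs = cluster_config.get("ZoneAwarenessConfig", {}).get(
        "AvailabilityZoneCount", 2 if zone_aware else 1
    )
    problems = []
    if count < MIN_DATA_NODES:
        problems.append(f"only {count} data node(s)")
    if not zone_aware:
        problems.append("Zone Awareness disabled")
    if problems:
        return False, "; ".join(problems)
    reason = f"{count} data nodes across {azs} AZ(s)"
    if azs < TARGET_AZ_COUNT:
        # Still PASS for the check, but worth flagging to the operator.
        reason += "; consider 3 AZs so one AZ failure removes at most a third of the nodes"
    return True, reason


def remediation_config(cluster_config: dict[str, Any],
                       az_count: int = TARGET_AZ_COUNT) -> dict[str, Any]:
    """Build the ClusterConfig for update_domain_config: keep at least the
    current node count, raise it to >= 3, round up to a multiple of az_count
    so nodes spread evenly, and enable zone awareness across az_count AZs.
    Only the fields being changed are included, as in the CLI remediation."""
    if az_count not in (2, 3):
        raise ValueError("AvailabilityZoneCount must be 2 or 3")
    target = max(int(cluster_config.get("InstanceCount", 0)), MIN_DATA_NODES)
    target = math.ceil(target / az_count) * az_count
    return {
        "InstanceCount": target,
        "ZoneAwarenessEnabled": True,
        "ZoneAwarenessConfig": {"AvailabilityZoneCount": az_count},
    }


def check_domain(domain_name: str, apply: bool = False) -> tuple[bool, str]:
    """Fetch a live domain with boto3 (imported lazily so the helpers above
    run without the SDK), report the verdict, optionally apply remediation."""
    import boto3

    client = boto3.client("opensearch")
    cfg = client.describe_domain(DomainName=domain_name)["DomainStatus"]["ClusterConfig"]
    passed, reason = evaluate(cfg)
    if not passed and apply:
        client.update_domain_config(DomainName=domain_name,
                                    ClusterConfig=remediation_config(cfg))
    return passed, reason


if __name__ == "__main__":
    for name, cfg in SAMPLE_DOMAINS.items():
        passed, reason = evaluate(cfg)
        print(f"{name}: {'PASS' if passed else 'FAIL'} ({reason})")
        if not passed:
            print(f"  remediation ClusterConfig: {remediation_config(cfg)}")
```

Run without arguments it evaluates the constructed samples; `check_domain("my-domain", apply=True)` would read a real domain and, on FAIL, issue the same UpdateDomainConfig call as the CLI remediation above, with the 3-AZ configuration added. Changing the data node count or zone awareness triggers a blue/green deployment on the domain, so schedule it like any other cluster configuration change.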
Source Code
Resource Type
AwsOpenSearchServiceDomain