OpenSearch domain has at least 3 dedicated master nodes
opensearch_service_domains_fault_tolerant_master_nodes
Amazon OpenSearch domains have dedicated master nodes enabled with a master node count of at least 3 to support stable cluster coordination and elections.
Risk
When dedicated master nodes are disabled, or fewer than 3 are configured, the cluster can lose quorum, blocking leader election.
Effects include stalled cluster state updates, failed reads/writes, shard allocation issues, and possible split-brain, reducing availability and integrity.
prowler aws --checks opensearch_service_domains_fault_tolerant_master_nodes
Recommendation
Enable dedicated master nodes and set the count to at least 3 (use an odd number) to maintain quorum. Use Multi-AZ with standby to distribute masters across zones. Right-size master instances and monitor cluster health to uphold high availability and resilience.
Remediation
aws opensearch update-domain-config --domain-name <name> --cluster-config "DedicatedMasterEnabled=true,DedicatedMasterType=<instance_type>,DedicatedMasterCount=3"
- Sign in to the AWS Console and open Amazon OpenSearch Service
- Select your domain and choose Edit
- In Cluster configuration:
  - Enable Dedicated master nodes
  - Set Dedicated master node count to 3
  - Select a Dedicated master instance type
- Choose Save changes
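To confirm the result after remediation, the rule can be applied to `aws opensearch describe-domain` output. This is an added example, not Prowler's own check code; it also shows why an odd count is recommended, using the majority quorum floor(n/2)+1. The domain names and instance type in the sample JSON are constructed.

```python
import json

MIN_MASTERS = 3  # threshold this check enforces

# Constructed sample input: trimmed `aws opensearch describe-domain` responses.
SAMPLE_RESPONSES = """
[
 {"DomainStatus": {"DomainName": "logs-prod", "ClusterConfig":
   {"DedicatedMasterEnabled": true, "DedicatedMasterType": "m6g.large.search",
    "DedicatedMasterCount": 3}}},
 {"DomainStatus": {"DomainName": "search-dev", "ClusterConfig":
   {"DedicatedMasterEnabled": false}}},
 {"DomainStatus": {"DomainName": "metrics-stg", "ClusterConfig":
   {"DedicatedMasterEnabled": true, "DedicatedMasterType": "m6g.large.search",
    "DedicatedMasterCount": 2}}},
 {"DomainStatus": {"DomainName": "audit-prod", "ClusterConfig":
   {"DedicatedMasterEnabled": true, "DedicatedMasterType": "m6g.large.search",
    "DedicatedMasterCount": 4}}}
]
"""

def evaluate_domain(response):
    """Return a finding dict for one describe-domain response."""
    status = response["DomainStatus"]
    cfg = status.get("ClusterConfig", {})
    enabled = bool(cfg.get("DedicatedMasterEnabled", False))
    # The count is ignored when dedicated masters are disabled.
    count = int(cfg.get("DedicatedMasterCount", 0)) if enabled else 0
    quorum = count // 2 + 1 if count else 0     # majority needed to elect a master
    tolerated = count - quorum if count else 0  # masters that can fail safely
    if not enabled:
        result, reason = "FAIL", "dedicated master nodes are disabled"
    elif count < MIN_MASTERS:
        result, reason = "FAIL", f"{count} dedicated master node(s), fewer than {MIN_MASTERS}"
    elif count % 2 == 0:
        result, reason = "PASS", f"{count} masters tolerate no more failures than {count - 1}"
    else:
        result, reason = "PASS", f"{count} dedicated master nodes"
    return {"domain": status["DomainName"], "result": result, "reason": reason,
            "quorum": quorum, "tolerated_failures": tolerated}

def audit(raw_json):
    """Evaluate every describe-domain response in a JSON array."""
    return [evaluate_domain(r) for r in json.loads(raw_json)]

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        print(f"{f['result']:4} {f['domain']:12} quorum={f['quorum']} "
              f"tolerates={f['tolerated_failures']}  {f['reason']}")
```
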
Resource Type
AwsOpenSearchServiceDomain