Amazon OpenSearch Service is a managed service that makes it easy to deploy, operate, and scale OpenSearch clusters in the AWS Cloud. Amazon OpenSearch Service supports OpenSearch and legacy Elasticsearch OSS (up to 7.10, the final open source version of the software). When you create a cluster, you have the option of which search engine to use.
OpenSearch is a fully open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis. For more information, see the . Amazon OpenSearch Service provisions all the resources for your OpenSearch cluster and launches it. It also automatically detects and replaces failed OpenSearch Service nodes, reducing the overhead associated with self-managed infrastructures. You can scale your cluster with a single API call or a few clicks in the console.
- Supports queries using SQL syntax
- Availability in up to three Availability Zones
- Encryption at-rest and in-transit
OpenSearch Service Deployment
- Clusters are created via the Management Console, API, or CLI
- Clusters are also known as OpenSearch Service domains
- You specify the number of instances and instance types
- Storage options include:
  - Cost-effective storage and storage for read-only data
OpenSearch in an Amazon VPC
- Clusters can be deployed in a VPC for secure intra-VPC communications
- VPN or proxy required to connect from the internet (public domains are directly accessible)
- Cannot use IP-based access policies
- Limitations of VPC deployments:
  - You can’t switch from VPC to a public endpoint. The reverse is also true
  - You can’t launch your domain within a VPC that uses dedicated tenancy
  - After you place a domain within a VPC, you can’t move it to a different VPC, but you can change the subnets and security group settings
OpenSearch Access Control
- Resource-based policies – often called a domain access policy
- Identity-based policies – attached to users or roles (principals)
- IP-based policies – restrict access to one or more IP addresses or CIDR blocks
- Fine-grained access control – provides:
  - Role-based access control
  - Security at the index, document, and field level
  - OpenSearch Dashboards multi-tenancy
  - HTTP basic authentication for OpenSearch and OpenSearch Dashboards
- Authentication options include:
  - Federation using SAML to on-premises directories
  - Amazon Cognito and social identity providers
OpenSearch Best Practices
- Deploy OpenSearch data instances across three Availability Zones (AZs) for the best availability
- Provision instances in multiples of three for equal distribution across AZs
- If three AZs are not available, use two AZs with equal numbers of instances
- Use three dedicated master nodes
- Configure at least one replica for each index
- Apply restrictive resource-based access policies to the domain (or use fine-grained access control)
- Create the domain within an Amazon VPC
- For sensitive data, enable node-to-node encryption and encryption at rest
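The access-control and best-practice points above can be turned into an offline configuration check. The following is an added example (not AWS code or part of these notes): it audits a constructed domain description shaped like the DomainStatus object returned by DescribeDomain (field names are assumed from the API) for an open domain access policy, a public endpoint, fewer than three AZs, uneven instance distribution, missing dedicated masters and disabled encryption.

```python
import json

# Constructed sample shaped like the DomainStatus object of a DescribeDomain
# response (field names assumed from the API; values are made up for illustration).
SAMPLE_DOMAIN = {
    "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-logs/*"}]}),
    "ClusterConfig": {"InstanceCount": 4, "DedicatedMasterEnabled": True, "DedicatedMasterCount": 3,
                      "ZoneAwarenessEnabled": True, "ZoneAwarenessConfig": {"AvailabilityZoneCount": 2}},
    "VPCOptions": {},  # empty: the domain has a public endpoint
    "EncryptionAtRestOptions": {"Enabled": True},
    "NodeToNodeEncryptionOptions": {"Enabled": False},
}

def open_statements(access_policies):
    """Allow statements that grant a wildcard principal with no aws:SourceIp condition."""
    policy = json.loads(access_policies) if access_policies else {}
    stmts = policy.get("Statement", [])
    found = []
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        p = s.get("Principal", {})
        aws = p.get("AWS", []) if isinstance(p, dict) else p      # "*" or {"AWS": ...}
        principals = aws if isinstance(aws, list) else [aws]
        ip_cond = "aws:SourceIp" in s.get("Condition", {}).get("IpAddress", {})
        if s.get("Effect") == "Allow" and "*" in principals and not ip_cond:
            found.append(s)
    return found

def audit_domain(d):
    """Return findings where the domain departs from the best practices listed above."""
    findings = []
    if open_statements(d.get("AccessPolicies", "")):
        findings.append("access policy allows any principal without an IP restriction")
    if not d.get("VPCOptions", {}).get("VPCId"):
        findings.append("domain uses a public endpoint (not deployed in a VPC)")
    cc = d.get("ClusterConfig", {})
    azs = cc.get("ZoneAwarenessConfig", {}).get("AvailabilityZoneCount", 2) if cc.get("ZoneAwarenessEnabled") else 1
    if azs < 3:
        findings.append(f"data nodes span {azs} AZ(s); three are recommended")
    if cc.get("InstanceCount", 0) % azs:
        findings.append("instance count is not evenly divisible across AZs")
    if not (cc.get("DedicatedMasterEnabled") and cc.get("DedicatedMasterCount") == 3):
        findings.append("domain does not use three dedicated master nodes")
    if not d.get("EncryptionAtRestOptions", {}).get("Enabled"):
        findings.append("encryption at rest is disabled")
    if not d.get("NodeToNodeEncryptionOptions", {}).get("Enabled"):
        findings.append("node-to-node encryption is disabled")
    return findings
```

Run `audit_domain(SAMPLE_DOMAIN)` to see the four findings for the constructed domain; feeding it the DomainStatus object of a real DescribeDomain call works the same way.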