Analytical DBs

Amazon OpenSearch Service

Amazon OpenSearch Service is a managed service that makes it easy to deploy, operate, and scale OpenSearch clusters in the AWS Cloud. Amazon OpenSearch Service supports OpenSearch and legacy Elasticsearch OSS (up to 7.10, the final open source version of the software). When you create a cluster, you choose which search engine to use.
OpenSearch is a fully open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis. For more information, see the .
Amazon OpenSearch Service provisions all the resources for your OpenSearch cluster and launches it. It also automatically detects and replaces failed OpenSearch Service nodes, reducing the overhead associated with self-managed infrastructures. You can scale your cluster with a single API call or a few clicks in the console.

Supports queries using SQL syntax
Availability in up to three Availability Zones
Backup using snapshots
Encryption at-rest and in-transit

OpenSearch Service Deployment

Clusters are created (Management Console, API, or CLI)
Clusters are also known as OpenSearch Service domains
You specify the number of instances and instance types
Storage options include Cost-effective and for read-only data

OpenSearch in an Amazon VPC

Clusters can be deployed in a VPC for secure intra-VPC communications
VPN or proxy required to connect from the internet (public domains are directly accessible)
IP-based access policies cannot be used with a domain in a VPC
Limitations of VPC deployments:
  You can’t switch from VPC to a public endpoint. The reverse is also true.
  You can’t launch your domain within a VPC that uses dedicated tenancy.
  After you place a domain within a VPC, you can’t move it to a different VPC, but you can change the subnets and security group settings.

OpenSearch Access Control

Resource-based policies – often called a domain access policy
Identity-based policies – attached to users or roles (principals)
IP-based policies – Restrict access to one or more IP addresses or CIDR blocks
Fine-grained access control – Provides:
  Role-based access control
  Security at the index, document, and field level
  OpenSearch Dashboards multi-tenancy
  HTTP basic authentication for OpenSearch and OpenSearch Dashboards
Authentication options include:
  Federation using SAML to on-premises directories
  Amazon Cognito and social identity providers

OpenSearch Best Practices

Deploy OpenSearch data instances across three Availability Zones (AZs) for the best availability
Provision instances in multiples of three for equal distribution across AZs
If three AZs are not available, use two AZs with equal numbers of instances
Use three dedicated master nodes
Configure at least one replica for each index
Apply restrictive resource-based access policies to the domain (or use fine-grained access control)
Create the domain within an Amazon VPC
For sensitive data enable node-to-node encryption and encryption at rest
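
One way to check a domain against the best practices above, as an added example that is not part of the original notes. It assumes the input is a DomainStatus dictionary in the shape the DescribeDomain API returns; the function names, sample domains, account ID and role name are constructed for illustration. Replica count is an index setting, so it does not appear in the domain configuration and is not checked here.

```python
import json

def policy_is_open(policy_json):
    """True if an Allow statement names every principal with no Condition."""
    statements = json.loads(policy_json or "{}").get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be a bare object
        statements = [statements]
    for st in statements:
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            return True
    return False

def audit_domain(status):
    """Check one DomainStatus dict against the best practices listed above."""
    findings = []
    cluster = status.get("ClusterConfig", {})
    zone_cfg = cluster.get("ZoneAwarenessConfig", {})
    azs = zone_cfg.get("AvailabilityZoneCount", 2) if cluster.get("ZoneAwarenessEnabled") else 1
    if azs < 3:
        findings.append(f"data instances span {azs} AZ(s) instead of three")
    if cluster.get("InstanceCount", 0) % azs:
        findings.append("instance count does not divide evenly across AZs")
    if not cluster.get("DedicatedMasterEnabled") or cluster.get("DedicatedMasterCount") != 3:
        findings.append("three dedicated master nodes are not configured")
    if not status.get("VPCOptions", {}).get("VPCId"):
        findings.append("domain is not in a VPC")
    if not status.get("EncryptionAtRestOptions", {}).get("Enabled"):
        findings.append("encryption at rest is disabled")
    if not status.get("NodeToNodeEncryptionOptions", {}).get("Enabled"):
        findings.append("node-to-node encryption is disabled")
    fgac = status.get("AdvancedSecurityOptions", {}).get("Enabled", False)
    if not fgac and policy_is_open(status.get("AccessPolicies")):
        findings.append("access policy allows any principal unconditionally")
    return findings

def sample_policy(principal):             # builds the constructed sample policies
    return json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": principal},
                                      "Action": "es:ESHttpGet", "Resource": "*"}]})

# Constructed inputs, not real domains; account ID and role name are placeholders.
WEAK = {"ClusterConfig": {"InstanceCount": 1}, "AccessPolicies": sample_policy("*")}
HARDENED = {"ClusterConfig": {"InstanceCount": 6, "ZoneAwarenessEnabled": True,
                              "ZoneAwarenessConfig": {"AvailabilityZoneCount": 3},
                              "DedicatedMasterEnabled": True, "DedicatedMasterCount": 3},
            "VPCOptions": {"VPCId": "vpc-EXAMPLE"},
            "EncryptionAtRestOptions": {"Enabled": True}, "NodeToNodeEncryptionOptions": {"Enabled": True},
            "AccessPolicies": sample_policy("arn:aws:iam::111122223333:role/example-reader")}
```

Calling audit_domain(WEAK) returns six findings and audit_domain(HARDENED) returns an empty list. The open-policy finding is skipped when fine-grained access control is enabled, matching the "or use fine-grained access control" alternative in the list.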
