Table: aws_opensearch_domain - Query AWS OpenSearch Service Domains using SQL
The AWS OpenSearch Service (successor to Amazon Elasticsearch Service) allows you to easily build, secure, and manage your own cost-effective search applications. With AWS OpenSearch Service, you can deploy and run OpenSearch (an open-source search and analytics suite) and its predecessor, Elasticsearch, on AWS without having to provision infrastructure or perform time-consuming setup and maintenance tasks. This service offers you direct access to the OpenSearch APIs and automatically takes care of the administrative operations.
Table Usage Guide
The aws_opensearch_domain table in Steampipe provides you with information about domains within the AWS OpenSearch Service. This table allows you as a DevOps engineer to query domain-specific details, including configurations, access policies, and associated metadata. You can utilize this table to gather insights on domains, such as their encryption status, node-to-node encryption options, automated snapshot settings, and more. The schema outlines the various attributes of the OpenSearch domain for you, including the domain ARN, domain ID, created date, and associated tags.
Examples
Basic info
Explore which domains exist in your AWS OpenSearch service. This query is useful for reviewing the engine version each domain runs and its creation status (the created column is a boolean), so you can plan updates.
select
  domain_name,
  domain_id,
  arn,
  engine_version,
  created
from
  aws_opensearch_domain;
List domains that are not encrypted at rest
Identify domains that are not encrypted at rest so you can find gaps in data protection and remediate them.
Postgres:
select
  domain_name,
  domain_id,
  encryption_at_rest_options ->> 'Enabled' as enabled,
  encryption_at_rest_options ->> 'KmsKeyId' as kms_key_id
from
  aws_opensearch_domain
where
  encryption_at_rest_options ->> 'Enabled' = 'false';
SQLite:
-- json_extract returns 0/1 for JSON booleans in SQLite, so compare with 0 rather than 'false'.
select
  domain_name,
  domain_id,
  json_extract(encryption_at_rest_options, '$.Enabled') as enabled,
  json_extract(encryption_at_rest_options, '$.KmsKeyId') as kms_key_id
from
  aws_opensearch_domain
where
  json_extract(encryption_at_rest_options, '$.Enabled') = 0;
Get storage details for domains that are using EBS storage type
Identify the domains that use EBS storage and review their volume size and type. This can help with managing and optimizing storage resources for those domains.
Postgres:
select
  domain_name,
  domain_id,
  ebs_options ->> 'VolumeSize' as volume_size,
  ebs_options ->> 'VolumeType' as volume_type,
  ebs_options ->> 'EBSEnabled' as ebs_enabled
from
  aws_opensearch_domain
where
  ebs_options ->> 'EBSEnabled' = 'true';
SQLite:
-- json_extract returns 0/1 for JSON booleans in SQLite, so compare with 1 rather than 'true'.
select
  domain_name,
  domain_id,
  json_extract(ebs_options, '$.VolumeSize') as volume_size,
  json_extract(ebs_options, '$.VolumeType') as volume_type,
  json_extract(ebs_options, '$.EBSEnabled') as ebs_enabled
from
  aws_opensearch_domain
where
  json_extract(ebs_options, '$.EBSEnabled') = 1;
Get network details for each domain
Explore the network configuration of each domain to gain insights into their availability zones, security group IDs, subnet IDs, and VPC IDs. This could be useful for assessing the network structure and security measures implemented across different domains.
Postgres:
select
  domain_name,
  vpc_options ->> 'AvailabilityZones' as availability_zones,
  vpc_options ->> 'SecurityGroupIds' as security_group_ids,
  vpc_options ->> 'SubnetIds' as subnet_ids,
  vpc_options ->> 'VPCId' as vpc_id
from
  aws_opensearch_domain
where
  vpc_options ->> 'AvailabilityZones' is not null;
SQLite:
select
  domain_name,
  json_extract(vpc_options, '$.AvailabilityZones') as availability_zones,
  json_extract(vpc_options, '$.SecurityGroupIds') as security_group_ids,
  json_extract(vpc_options, '$.SubnetIds') as subnet_ids,
  json_extract(vpc_options, '$.VPCId') as vpc_id
from
  aws_opensearch_domain
where
  json_extract(vpc_options, '$.AvailabilityZones') is not null;
Get the instance details for each domain
Identify the configuration of each domain to understand its specific instance type and count. This can assist in managing resources and optimizing performance within the AWS OpenSearch service.
Postgres:
select
  domain_name,
  domain_id,
  cluster_config ->> 'InstanceType' as instance_type,
  cluster_config ->> 'InstanceCount' as instance_count
from
  aws_opensearch_domain;
SQLite:
select
  domain_name,
  domain_id,
  json_extract(cluster_config, '$.InstanceType') as instance_type,
  json_extract(cluster_config, '$.InstanceCount') as instance_count
from
  aws_opensearch_domain;
List domains that are publicly accessible
Find the domains that have no VPC configuration and are therefore publicly accessible, allowing you to identify potential vulnerabilities and enhance security measures. This is useful for maintaining a secure environment by preventing unauthorized access.
select
  domain_name,
  domain_id,
  arn,
  engine_version,
  created
from
  aws_opensearch_domain
where
  vpc_options is null;
List domain log publishing options
Explore which log publishing options are enabled on each AWS OpenSearch domain. This is useful for understanding logging practices across your domains, helping you ensure compliance with logging policies and troubleshoot issues.
select
  domain_name,
  domain_id,
  log_publishing_options
from
  aws_opensearch_domain;
List domain Search slow logs details
Explore which domains have slow search log publishing enabled and where these logs are stored. This is useful for identifying potential performance issues and ensuring logs are properly archived for future analysis.
Postgres:
select
  domain_name,
  domain_id,
  log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' as enabled,
  log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' as cloud_watch_logs_log_group_arn
from
  aws_opensearch_domain;
SQLite:
select
  domain_name,
  domain_id,
  json_extract(
    json_extract(log_publishing_options, '$.SEARCH_SLOW_LOGS'),
    '$.Enabled'
  ) as enabled,
  json_extract(
    json_extract(log_publishing_options, '$.SEARCH_SLOW_LOGS'),
    '$.CloudWatchLogsLogGroupArn'
  ) as cloud_watch_logs_log_group_arn
from
  aws_opensearch_domain;
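The individual checks above can be combined into a single posture query that returns only the domains failing at least one of them. This is an added example, not part of the original Steampipe documentation; it uses Postgres syntax and assumes the JSON keys EnforceHTTPS, TLSSecurityPolicy and AUDIT_LOGS appear with the same AWS API casing as the keys used by the other queries on this page.

```sql
-- Added example (Postgres syntax), not from the original page.
-- Assumption: EnforceHTTPS, TLSSecurityPolicy and AUDIT_LOGS use AWS API casing.
-- A missing or null option is treated as a failed check (coalesce to false),
-- so domains that never had the option set are reported too.
with checks as (
  select
    domain_name,
    region,
    account_id,
    coalesce((encryption_at_rest_options ->> 'Enabled')::boolean, false)
      as encrypted_at_rest,
    coalesce(node_to_node_encryption_options_enabled, false)
      as node_to_node_encrypted,
    vpc_options is not null
      as in_vpc,
    coalesce((domain_endpoint_options ->> 'EnforceHTTPS')::boolean, false)
      as https_enforced,
    domain_endpoint_options ->> 'TLSSecurityPolicy'
      as tls_policy,
    coalesce((advanced_security_options ->> 'Enabled')::boolean, false)
      as fine_grained_access,
    coalesce((log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled')::boolean, false)
      as audit_logging
  from
    aws_opensearch_domain
)
select
  *
from
  checks
where
  not (
    encrypted_at_rest
    and node_to_node_encrypted
    and in_vpc
    and https_enforced
    and fine_grained_access
    and audit_logging
  )
order by
  account_id,
  region,
  domain_name;
```

Each boolean column corresponds to one check, so a false value shows which setting to remediate on that domain; tls_policy is informational and is not part of the filter.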
Query examples
- opensearch_domain_endpoint
- opensearch_domain_input
- opensearch_domain_instance_type
- opensearch_domain_overview
- opensearch_domain_security_groups
- opensearch_domain_subnet
- opensearch_domain_tags
- opensearch_domain_version
- opensearch_domains_for_acm_certificate
- vpc_security_groups_for_opensearch
- vpc_subnet_ids_for_opensearch
- vpc_vpcs_for_opensearch
Control examples
- All Controls > OpenSearch > OpenSearch domains cognito authentication should be enabled for kibana
- All Controls > OpenSearch > OpenSearch domains internal user database should be disabled
- All Controls > OpenSearch > OpenSearch domains should have at least three data nodes
- AWS Foundational Security Best Practices > Opensearch > 1 OpenSearch domains should have encryption at rest enabled
- AWS Foundational Security Best Practices > Opensearch > 10 OpenSearch domains should have the latest software update installed
- AWS Foundational Security Best Practices > Opensearch > 2 OpenSearch domains should not be publicly accessible
- AWS Foundational Security Best Practices > Opensearch > 3 OpenSearch domains should encrypt data sent between nodes
- AWS Foundational Security Best Practices > Opensearch > 4 OpenSearch domain error logging to CloudWatch Logs should be enabled
- AWS Foundational Security Best Practices > Opensearch > 5 OpenSearch domains should have audit logging enabled
- AWS Foundational Security Best Practices > Opensearch > 6 OpenSearch domains should have at least three data nodes
- AWS Foundational Security Best Practices > Opensearch > 7 OpenSearch domains should have fine-grained access control enabled
- AWS Foundational Security Best Practices > Opensearch > 8 Connections to OpenSearch domains should be encrypted using TLS 1.2
- OpenSearch domains logs to AWS CloudWatch Logs
- OpenSearch domains node-to-node encryption should be enabled
- OpenSearch domains should be in a VPC
- OpenSearch domains should be updated to the latest service software version
- OpenSearch domains should have audit logging enabled.
- OpenSearch domains should have encryption at rest enabled
- OpenSearch domains should have fine-grained access control enabled
- OpenSearch domains should use HTTPS
Schema for aws_opensearch_domain
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
access_policies | text | | The IAM access policies of the domain. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
advanced_options | jsonb | | Specifies the status of the advanced options. |
advanced_security_options | jsonb | | Specifies the current status of the OpenSearch domain's advanced security options. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | The Amazon Resource Name (ARN) of the domain. |
auto_software_update_enabled | boolean | | Whether automatic service software updates are enabled for the domain. |
auto_tune_options | jsonb | | The current status of the domain's auto-tune options. |
change_progress_details | jsonb | | Information about a configuration change happening on the domain. |
cluster_config | jsonb | | The type and number of instances in the domain. |
cognito_options | jsonb | | The cognito options for the specified domain. |
created | boolean | | The domain creation status. |
deleted | boolean | | The domain deletion status. |
domain_endpoint_options | jsonb | | The current status of the domain's endpoint options. |
domain_id | text | | The unique identifier for the specified domain. |
domain_name | text | = | The name of the domain. |
domain_processing_status | text | | The status of any changes that are currently in progress for the domain. |
ebs_options | jsonb | | The EBSOptions for the specified domain. |
encryption_at_rest_options | jsonb | | The status of the encryption at rest options. |
endpoint | text | | The domain endpoint that is used to submit index and search requests. |
endpoint_v2 | text | | If IPAddressType is set to dualstack, a version 2 domain endpoint is provisioned. |
endpoints | jsonb | | Map containing the domain endpoints used to submit index and search requests. |
engine_type | text | | Specifies the EngineType of the domain. |
engine_version | text | | The domain's OpenSearch version. |
ip_address_type | text | | The type of IP addresses supported by the endpoint for the domain. |
log_publishing_options | jsonb | | Log publishing options for the given domain. |
modifying_properties | jsonb | | Information about the domain properties that are currently being modified. |
node_to_node_encryption_options_enabled | boolean | | Specifies the status of the node to node encryption status. |
off_peak_window_options | jsonb | | Options that specify a custom 10-hour window during which OpenSearch Service can perform configuration changes on the domain. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
processing | boolean | | The status of the domain configuration. |
region | text | | The AWS Region in which the resource is located. |
service_software_options | jsonb | | The current status of the domain's service software. |
snapshot_options | jsonb | | Specifies the status of the snapshot options. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | A list of tags assigned to the domain. |
title | text | | Title of the resource. |
upgrade_processing | boolean | | The status of the domain version upgrade. |
vpc_options | jsonb | | The vpc options for the specified domain. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_opensearch_domain