steampipe plugin install awssteampipe plugin install aws

Table: aws_opensearch_domain - Query AWS OpenSearch Service Domains using SQL

The AWS OpenSearch Service (successor to Amazon Elasticsearch Service) allows you to easily build, secure, and manage your own cost-effective search applications. With AWS OpenSearch Service, you can deploy and run OpenSearch (an open-source search and analytics suite) and its predecessor, Elasticsearch, on AWS without having to provision infrastructure or perform time-consuming setup and maintenance tasks. This service offers you direct access to the OpenSearch APIs and automatically takes care of the administrative operations.

Table Usage Guide

The aws_opensearch_domain table in Steampipe provides you with information about domains within the AWS OpenSearch Service. This table allows you as a DevOps engineer to query domain-specific details, including configurations, access policies, and associated metadata. You can utilize this table to gather insights on domains, such as their encryption status, node-to-node encryption options, automated snapshot settings, and more. The schema outlines the various attributes of the OpenSearch domain for you, including the domain ARN, domain ID, created date, and associated tags.

Examples

Basic info

Explore which domains are currently active on your AWS OpenSearch service. This query is particularly useful for gaining insights into the engine versions being used and when they were created, allowing you to better manage and update your domains.

select
  domain_name,
  domain_id,
  arn,
  engine_version,
  created
from
  aws_opensearch_domain;

select
  domain_name,
  domain_id,
  arn,
  engine_version,
  created
from
  aws_opensearch_domain;

List domains that are not encrypted at rest

Determine the areas in which domains are not encrypted at rest, allowing you to identify potential security vulnerabilities and take necessary actions to enhance data protection.

select
  domain_name,
  domain_id,
  encryption_at_rest_options ->> 'Enabled' as enabled,
  encryption_at_rest_options ->> 'KmsKeyId' as kms_key_id
from
  aws_opensearch_domain
where
  encryption_at_rest_options ->> 'Enabled' = 'false';

select
  domain_name,
  domain_id,
  json_extract(encryption_at_rest_options, '$.Enabled') as enabled,
  json_extract(encryption_at_rest_options, '$.KmsKeyId') as kms_key_id
from
  aws_opensearch_domain
where
  json_extract(encryption_at_rest_options, '$.Enabled') = 'false';

Get storage details for domains that are using EBS storage type

Identify the domains utilizing EBS storage by assessing their storage details. This can help in management and optimization of storage resources within those domains.

select
  domain_name,
  domain_id,
  ebs_options ->> 'VolumeSize' as volume_size,
  ebs_options ->> 'VolumeType' as volume_type,
  ebs_options ->> 'EBSEnabled' as ebs_enabled
from
  aws_opensearch_domain
where
  ebs_options ->> 'EBSEnabled' = 'true';

select
  domain_name,
  domain_id,
  json_extract(ebs_options, '$.VolumeSize') as volume_size,
  json_extract(ebs_options, '$.VolumeType') as volume_type,
  json_extract(ebs_options, '$.EBSEnabled') as ebs_enabled
from
  aws_opensearch_domain
where
  json_extract(ebs_options, '$.EBSEnabled') = 'true';

Get network details for each domain

Explore the network configuration of each domain to gain insights into their availability zones, security group IDs, subnet IDs, and VPC IDs. This could be useful for assessing the network structure and security measures implemented across different domains.

select
  domain_name,
  vpc_options ->> 'AvailabilityZones' as availability_zones,
  vpc_options ->> 'SecurityGroupIds' as security_group_ids,
  vpc_options ->> 'SubnetIds' as subnet_ids,
  vpc_options ->> 'VPCId' as vpc_id
from
  aws_opensearch_domain
where
  vpc_options ->> 'AvailabilityZones' is not null;

select
  domain_name,
  json_extract(vpc_options, '$.AvailabilityZones') as availability_zones,
  json_extract(vpc_options, '$.SecurityGroupIds') as security_group_ids,
  json_extract(vpc_options, '$.SubnetIds') as subnet_ids,
  json_extract(vpc_options, '$.VPCId') as vpc_id
from
  aws_opensearch_domain
where
  json_extract(vpc_options, '$.AvailabilityZones') is not null;

Get the instance details for each domain

Identify the configuration of each domain to understand its specific instance type and count. This can assist in managing resources and optimizing performance within the AWS OpenSearch service.

select
  domain_name,
  domain_id,
  cluster_config ->> 'InstanceType' as instance_type,
  cluster_config ->> 'InstanceCount' as instance_count
from
  aws_opensearch_domain;

select
  domain_name,
  domain_id,
  json_extract(cluster_config, '$.InstanceType') as instance_type,
  json_extract(cluster_config, '$.InstanceCount') as instance_count
from
  aws_opensearch_domain;

List domains that are publicly accessible

Discover the segments that are publicly accessible, allowing you to identify potential vulnerabilities and enhance security measures. This is useful for maintaining a secure environment by preventing unauthorized access.

select
  domain_name,
  domain_id,
  arn,
  engine_version,
  created
from
  aws_opensearch_domain
where
  vpc_options is null;

select
  domain_name,
  domain_id,
  arn,
  engine_version,
  created
from
  aws_opensearch_domain
where
  vpc_options is null;

List domain log publishing options

Explore which AWS OpenSearch domains have specific log publishing options enabled. This can be useful in understanding the logging practices across your domains, helping ensure compliance with logging policies and troubleshoot any potential issues.

select
  domain_name,
  domain_id,
  log_publishing_options
from
  aws_opensearch_domain;

select
  domain_name,
  domain_id,
  log_publishing_options
from
  aws_opensearch_domain;

List domain Search slow logs details

Explore which domains have slow search log publishing enabled and where these logs are stored. This is useful for identifying potential performance issues and ensuring logs are properly archived for future analysis.

select
  domain_name,
  domain_id,
  log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' as enabled,
  log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' as cloud_watch_logs_log_group_arn
from
  aws_opensearch_domain;

select
  domain_name,
  domain_id,
  json_extract(
    json_extract(log_publishing_options, '$.SEARCH_SLOW_LOGS'),
    '$.Enabled'
  ) as enabled,
  json_extract(
    json_extract(log_publishing_options, '$.SEARCH_SLOW_LOGS'),
    '$.CloudWatchLogsLogGroupArn'
  ) as cloud_watch_logs_log_group_arn
from
  aws_opensearch_domain;

Query examples

Control examples

Schema for aws_opensearch_domain

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form.
access_policies	text		The IAM access policies of the domain.
account_id	text	=, !=, ~~, ~~, !~~, !~~	The AWS Account ID in which the resource is located.
advanced_options	jsonb		Specifies the status of the advanced options.
advanced_security_options	jsonb		Specifies The current status of the OpenSearch domain's advanced security options.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
arn	text		The Amazon Resource Name (ARN) of the domain.
auto_tune_options	jsonb		The current status of the domain's auto-tune options.
cluster_config	jsonb		The type and number of instances in the domain.
cognito_options	jsonb		The cognito options for the specified domain.
created	boolean		The domain creation status.
deleted	boolean		The domain deletion status.
domain_endpoint_options	jsonb		The current status of the domain's endpoint options.
domain_id	text		The unique identifier for the specified domain.
domain_name	text	=	The name of the domain.
ebs_options	jsonb		The EBSOptions for the specified domain.
encryption_at_rest_options	jsonb		The status of the encryption at rest options.
endpoint	text		The domain endpoint that is used to submit index and search requests.
endpoints	jsonb		Map containing the domain endpoints used to submit index and search requests.
engine_type	text		Specifies the EngineType of the domain.
engine_version	text		The domain's OpenSearch version.
log_publishing_options	jsonb		Log publishing options for the given domain.
node_to_node_encryption_options_enabled	boolean		Specifies the status of the node to node encryption status.
partition	text		The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
processing	boolean		The status of the domain configuration.
region	text		The AWS Region in which the resource is located.
service_software_options	jsonb		The current status of the domain's service software.
snapshot_options	jsonb		Specifies the status of the snapshot options.
sp_connection_name	text	=, !=, ~~, ~~, !~~, !~~	Steampipe connection name.
sp_ctx	jsonb		Steampipe context in JSON form.
tags	jsonb		A map of tags for the resource.
tags_src	jsonb		A list of tags assigned to the domain.
title	text		Title of the resource.
upgrade_processing	boolean		The status of the domain version upgrade.
vpc_options	jsonb		The vpc options for the specified domain.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_opensearch_domain