Skip to content

Terraform AWS OpenSearch

OpenSearch domains with VPC placement, encryption at rest, node to node encryption, fine grained access control, audit logs, TLS enforcement, and snapshot configuration.

11 controls enforced21 frameworks

Controls Enforced

The following compliance controls are enforced by this module at terraform plan time.

Quick Start

module "opensearch" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "awscontroltower.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "awsgenai.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "cisv140.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "cisv500.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "cis.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "gdpr.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "nis2.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

module "opensearch" {
  source  = "soc2.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "<version>"

  # ... your arguments here
}

See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.

Migration from Upstream

Already using terraform-aws-modules? Change only the source URL:

module "opensearch" {
  source  = "terraform-aws-modules/opensearch/aws"
  version = "1.0"
}

module "opensearch" {
  source  = "soc2.compliance.tf/terraform-aws-modules/opensearch/aws"
  version = "1.0"
}

Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.

See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL to the upstream path:

module "opensearch" {
  source  = "terraform-aws-modules/opensearch/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

ACSC-EE-ML3-7.8: Multi-factor authentication ML3

ACSC-EE-ML3-8.7: Regular backups ML3

ISM-0859: Event log retention

Data protection

Detection

Identity and access management

Infrastructure protection

11.10(e) Use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records

11.10(g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand

11.30 Controls for open systems

Your Data-1

Your Data-2

Your Systems-3

7.1 Data Storage - Damage Protection

Account Management (AC-2)

Boundary Protection (SC-7)

AC-2(g)

Boundary Protection (SC-7)

Protection of Information at Rest (SC-28)

SC-8(1) Cryptographic Or Alternate Physical Protection

Session Authenticity (SC-23)

Transmission Integrity (SC-8)

D2.MA.Ma.B.1

D2.MA.Ma.B.2

D3.DC.An.B.3

D3.DC.An.B.4

D3.PC.Am.B.12

Article 32 Security of processing

164.308(a)(1)(ii)(B) Risk Management

164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions

164.312(a)(1) Access control

164.312(a)(2)(iv) Encryption and decryption

164.312(e)(1) Transmission security

164.312(e)(2)(ii) Encryption

164.314(b)(2)(iv): Organizational Requirements

A.8.1 User endpoint devices

A.8.2 Privileged access rights

A.8.11 Data masking

A.8.12 Data leakage prevention

A.8.14 Redundancy of information processing facilities

A.8.15 Logging

A.8.24 Use of cryptography

3 Incident handling

11 Access control

3.5.10 Store and transmit only cryptographically-protected passwords

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks

3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

3.13.16: Protect the confidentiality of CUI at rest.

AC-4(22) Access Only

AC-24(1)

AU-9(3) Cryptographic Protection

CA-9(b)

CP-9(d)

Information Flow Enforcement (AC-4)

Non-Repudiation (AU-10)

PM-17(b)

SC-7(4)(b)

SC-7(4)(g)

SC-8(1): Cryptographic Protection

SC-8(2) Pre- And Post-Transmission Handling

SC-8(3) Cryptographic Protection For Message Externals

SC-8(4) Conceal Or Ramdomize Communications

SC-8(5) Protected Distribution System

SC-13(a)

SC-28(1): Cryptographic Protection

Session Authenticity (SC-23)

SI-1(a)(2)

SI-19(4) Removal, Masking, Encryption, Hashing, Or Replacement Of Direct Identifiers

Transmission Confidentiality And Integrity (SC-8)

ID.BE-5

PR.DS-1

PR.DS-02

PR.DS-2

PR.PS-04

500.07 Access Privileges and Management

500.14(a)

500.15(a)

1.2.5: Network security controls (NSCs) are configured and maintained.

1.2.8: Network security controls (NSCs) are configured and maintained.

1.3.1: Network access to and from the cardholder data environment is restricted.

1.3.2: Network access to and from the cardholder data environment is restricted.

1.4.2: Network connections between trusted and untrusted networks are controlled.

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks

1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

2.2.5: System components are configured and managed securely.

2.2.5: System components cannot be compromised by exploiting insecure services, protocols, or daemons

2.2.7: System components are configured and managed securely.

3.5.1: Primary account number (PAN) is secured wherever it is stored.

4.2.1: PAN is protected with strong cryptography during transmission.

4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained

4.2.1.1: PAN is protected with strong cryptography during transmission.

5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.

7.2.1: Access to system components and data is appropriately defined and assigned.

7.2.2: Access to system components and data is appropriately defined and assigned.

7.2.5: Access to system components and data is appropriately defined and assigned.

7.2.6: Access to system components and data is appropriately defined and assigned.

7.3.1: Access to system components and data is managed via an access control system(s).

7.3.2: Access to system components and data is managed via an access control system(s).

7.3.3: Access to system components and data is managed via an access control system(s).

8.2.7: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.

8.2.8: If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session

8.2.8: User identification and related accounts for users and administrators are strictly managed throughout an accounts lifecycle.

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

8.3.4: Strong authentication for users and administrators is established and managed.

10.5.1: Audit log history is retained and available for analysis.

10.5.1: Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis

10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.

A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.

A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.

Annex I (1.3)

Annex I (7.4)

3.1.a Identification and Classification of Information Assets

8.I Basic Security Aspects

A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives

CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures

Framework Coverage

Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint

ControlAWS Well-Architected Framework v10ISO/IEC 27001:2022PCI DSS v4.0Title 21 CFR Part 11NYDFS Cybersecurity RegulationRBI Cyber Security Framework for UCBsHIPAA Omnibus Rule 2013NIST Cybersecurity Framework v2.0
Elasticsearch domain error logging to CloudWatch Logs should be enabled
OpenSearch domains should have audit logging enabled
OpenSearch domains should have Cognito authentication enabled for Kibana
OpenSearch domains should have at least three data nodes
OpenSearch domains should have encryption at rest enabled
OpenSearch domains should have fine-grained access control enabled
OpenSearch domains should use HTTPS
OpenSearch domains should be in a VPC
OpenSearch domains internal user database should be disabled
OpenSearch domains should have logging to CloudWatch Logs enabled
OpenSearch domains node-to-node encryption should be enabled

Showing top 8 frameworks by coverage. All framework endpoints →