OpenSearch Service Domain Software Updates

Overview

This check verifies that your Amazon OpenSearch Service domains are running the latest service software version. Service software updates include security patches, bug fixes, and performance improvements provided by AWS for the underlying OpenSearch platform.

Important distinction: Service software updates are different from engine version upgrades. Service software updates patch the platform infrastructure, while engine upgrades change the OpenSearch or Elasticsearch version itself.

Risk

Running outdated service software exposes your OpenSearch domains to known vulnerabilities that could compromise:

  • Data confidentiality - Attackers may exploit unpatched vulnerabilities to access sensitive data
  • Index integrity - Bugs or security flaws could corrupt or modify your search indices
  • Service availability - AWS may isolate non-compliant domains, causing outages
  • Account standing - Domains left unpatched for extended periods may face permanent deletion by AWS

Remediation Steps

Prerequisites

You need:

  • AWS Console access with permissions to manage OpenSearch Service
  • Knowledge of which OpenSearch domain needs updating

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "es:DescribeDomain",
        "es:ListDomainNames",
        "es:StartServiceSoftwareUpdate",
        "es:UpdateDomainConfig"
      ],
      "Resource": "arn:aws:es:us-east-1:<account-id>:domain/<domain-name>"
    }
  ]
}

AWS Console Method

  1. Sign in to the AWS Console
  2. Navigate to Amazon OpenSearch Service
  3. In the left menu, click Domains
  4. Select the domain that needs updating
  5. Look for a banner or notification indicating a software update is available
  6. Click Actions in the top right
  7. Select Update from the dropdown
  8. Choose Apply update now (or schedule for a maintenance window)
  9. Click Confirm to start the update

Tip: Updates typically complete within minutes but may take longer for larger clusters. Your domain remains available during the update.

To prevent this issue in the future, enable automatic software updates:

  1. In the OpenSearch console, select your domain
  2. Click Actions > Edit cluster configuration
  3. Scroll to Software update options
  4. Enable Automatic software update
  5. Click Save changes

AWS CLI (optional)

Check for pending updates:

aws opensearch describe-domain \
--domain-name <your-domain-name> \
--region us-east-1 \
--query 'DomainStatus.ServiceSoftwareOptions'

Look for UpdateAvailable: true in the output.

Apply the update immediately:

aws opensearch start-service-software-update \
--domain-name <your-domain-name> \
--region us-east-1

Schedule update for off-peak window:

aws opensearch start-service-software-update \
--domain-name <your-domain-name> \
--schedule-at OFF_PEAK_WINDOW \
--region us-east-1

Schedule update for a specific time:

aws opensearch start-service-software-update \
--domain-name <your-domain-name> \
--schedule-at TIMESTAMP \
--desired-start-time 1704067200 \
--region us-east-1

Note: --desired-start-time takes a Unix epoch timestamp (seconds since Jan 1, 1970, UTC).

Enable automatic updates on an existing domain:

aws opensearch update-domain-config \
--domain-name <your-domain-name> \
--software-update-options AutoSoftwareUpdateEnabled=true \
--region us-east-1

CloudFormation (optional)

Use this template to create an OpenSearch domain with automatic software updates enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: OpenSearch domain with automatic service software updates enabled

Parameters:
  DomainName:
    Type: String
    Description: Name for the OpenSearch domain
    MinLength: 3
    MaxLength: 28
    AllowedPattern: '[a-z][a-z0-9\-]+'

Resources:
  OpenSearchDomain:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: !Ref DomainName
      EngineVersion: OpenSearch_2.11
      ClusterConfig:
        InstanceType: t3.small.search
        InstanceCount: 1
      EBSOptions:
        EBSEnabled: true
        VolumeType: gp3
        VolumeSize: 10
      # The property this check looks for
      SoftwareUpdateOptions:
        AutoSoftwareUpdateEnabled: true
      NodeToNodeEncryptionOptions:
        Enabled: true
      EncryptionAtRestOptions:
        Enabled: true
      DomainEndpointOptions:
        EnforceHTTPS: true
      AccessPolicies:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'es:*'
            Resource: !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*'

Outputs:
  DomainArn:
    Description: ARN of the OpenSearch domain
    Value: !GetAtt OpenSearchDomain.Arn
  DomainEndpoint:
    Description: Endpoint of the OpenSearch domain
    Value: !GetAtt OpenSearchDomain.DomainEndpoint

Key property: SoftwareUpdateOptions.AutoSoftwareUpdateEnabled: true

Deploy with:

aws cloudformation deploy \
--template-file template.yaml \
--stack-name opensearch-auto-update \
--parameter-overrides DomainName=my-domain \
--region us-east-1

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "domain_name" {
  description = "Name of the OpenSearch domain"
  type        = string
}

resource "aws_opensearch_domain" "example" {
  domain_name    = var.domain_name
  engine_version = "OpenSearch_2.11"

  cluster_config {
    instance_type  = "t3.small.search"
    instance_count = 1
  }

  ebs_options {
    ebs_enabled = true
    volume_type = "gp3"
    volume_size = 10
  }

  # Enable automatic service software updates
  software_update_options {
    auto_software_update_enabled = true
  }

  encrypt_at_rest {
    enabled = true
  }

  node_to_node_encryption {
    enabled = true
  }

  domain_endpoint_options {
    enforce_https = true
  }
}

output "domain_arn" {
  description = "ARN of the OpenSearch domain"
  value       = aws_opensearch_domain.example.arn
}

output "domain_endpoint" {
  description = "Endpoint of the OpenSearch domain"
  value       = aws_opensearch_domain.example.endpoint
}

Key block: software_update_options { auto_software_update_enabled = true }

Apply with:

terraform init
terraform apply -var="domain_name=my-domain"

Verification

After applying the update, verify the domain is current:

  1. In the AWS Console, go to Amazon OpenSearch Service > Domains
  2. Select your domain
  3. Check that no update banner is displayed
  4. Under General information, confirm the service software version shows as current

CLI verification

aws opensearch describe-domain \
--domain-name <your-domain-name> \
--region us-east-1 \
--query 'DomainStatus.ServiceSoftwareOptions'

Expected output for a compliant domain:

{
  "CurrentVersion": "R20231031-P2",
  "NewVersion": "",
  "UpdateAvailable": false,
  "Cancellable": false,
  "UpdateStatus": "COMPLETED",
  "Description": "There is no software update available for this domain.",
  "AutomatedUpdateDate": "2024-01-15T00:00:00+00:00",
  "OptionalDeployment": false
}

Key indicators:

  • UpdateAvailable: false - No pending updates
  • UpdateStatus: COMPLETED - Last update finished successfully
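The describe-domain check and the two key indicators above are applied one domain at a time. The following is an added example (not code from the original page) that runs the same decision logic over every domain in a region with boto3 and also reports how many days remain before AWS forces a pending update; the domain names, sample records and the `audit_region` / `evaluate_service_software` function names are assumptions made for this example.

```python
"""Audit OpenSearch domains for pending service software updates.
Added example (not code from the original page): applies the UpdateAvailable and
UpdateStatus indicators from the verification section to every domain in a region."""
from datetime import datetime, timezone

UPDATE_PENDING = {"PENDING_UPDATE", "IN_PROGRESS"}  # UpdateStatus values: update scheduled or running

def _as_datetime(value):
    # Accept the CLI's ISO-8601 string or boto3's tz-aware datetime (or None).
    return datetime.fromisoformat(value) if isinstance(value, str) else value

def evaluate_service_software(domain_name, options, now=None):
    """Return (compliant, reason) for one domain's ServiceSoftwareOptions block."""
    now = _as_datetime(now) or datetime.now(timezone.utc)
    if options.get("UpdateAvailable"):
        reason = f"{domain_name}: update to {options.get('NewVersion') or 'unknown'} available"
        # AutomatedUpdateDate is when AWS applies a mandatory update on its own.
        forced = _as_datetime(options.get("AutomatedUpdateDate"))
        if forced:
            days = (forced - now).days
            reason += f", forced by AWS in {days} days" if days >= 0 else ", past the automated update date"
        return False, reason
    status = options.get("UpdateStatus", "")
    if status in UPDATE_PENDING:
        return False, f"{domain_name}: update in progress ({status})"
    return True, f"{domain_name}: current ({options.get('CurrentVersion', '?')})"

def audit_region(region):
    """Evaluate every domain in a region (needs boto3 and AWS credentials)."""
    import boto3  # imported here so evaluate_service_software works offline

    client = boto3.client("opensearch", region_name=region)
    results = []
    for d in client.list_domain_names()["DomainNames"]:
        status = client.describe_domain(DomainName=d["DomainName"])["DomainStatus"]
        results.append(evaluate_service_software(d["DomainName"], status["ServiceSoftwareOptions"]))
    return results

# Constructed sample records; the first mirrors the compliant output shown above.
SAMPLE = {
    "search-prod": {"CurrentVersion": "R20231031-P2", "NewVersion": "", "UpdateAvailable": False,
                    "UpdateStatus": "COMPLETED", "AutomatedUpdateDate": "2024-01-15T00:00:00+00:00"},
    "search-stage": {"CurrentVersion": "R20230928-P1", "NewVersion": "R20231031-P2", "UpdateAvailable": True,
                     "UpdateStatus": "ELIGIBLE", "AutomatedUpdateDate": "2024-01-15T00:00:00+00:00"},
}

if __name__ == "__main__":
    for name, opts in SAMPLE.items():
        print(evaluate_service_software(name, opts, now="2024-01-01T00:00:00+00:00"))
```

Replace the `SAMPLE` loop with `audit_region("us-east-1")` to run it against a live account using the IAM permissions listed under Prerequisites.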

Notes

  • Update timing: Updates are usually fast (minutes) but larger clusters may take longer. Plan accordingly.
  • Availability: Your domain remains available during service software updates. There is no downtime.
  • Off-peak windows: If you configured an off-peak window for your domain, scheduling updates during this window minimizes impact.
  • Staging first: For production workloads, test updates in a staging environment before applying to production.
  • Automatic updates: AWS strongly recommends enabling automatic updates to stay protected against known vulnerabilities.
  • Mandatory updates: Some updates may be mandatory and applied automatically by AWS if not addressed within a specified timeframe.