AWS Security Hub · ES
ES.6: ES domains should have >= 3 data nodes
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub ES.6 check?
ES.6 checks that each legacy Elasticsearch domain runs with at least three data nodes and passes only when InstanceCount is three or greater. A domain with one or two data nodes fails.
Why does ES.6 matter?
A single-node domain has no redundancy — any node failure or AZ event is a full outage. Two nodes is worse: the cluster can't hold a reliable quorum, so a network partition can split-brain, with both sides accepting writes independently and one side's writes discarded when the partition heals. Three nodes across zones is the floor for both availability and data integrity.
How do I fix ES.6?
- Increase the domain's data-node count to three or more, ideally spread across three AZs.
- Enable zone awareness so shards and replicas distribute across the zones.
- Confirm shard and replica counts make use of the added nodes.
- Standardise on a minimum of three data nodes for production domains.
Remediation script · bash
# Fix the highest-impact data stores first: enable Multi-AZ on production databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?MultiAZ==`false` && DBClusterIdentifier==null].DBInstanceIdentifier' --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --multi-az --apply-immediately
  echo "$db: standby being provisioned in a second AZ"
done
# Span a stateless compute fleet across three AZs, then mirror the set on its load balancer.
aws autoscaling update-auto-scaling-group --auto-scaling-group-name web-tier-asg \
    --vpc-zone-identifier "subnet-0aaa1,subnet-0bbb2,subnet-0ccc3"
aws elbv2 set-subnets --load-balancer-arn "$ALB_ARN" \
    --subnets subnet-0aaa1 subnet-0bbb2 subnet-0ccc3
Full walkthrough (console steps, edge cases and verification) in the lesson Deploy across multiple Availability Zones.
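The fix steps above applied to the Elasticsearch domains themselves, as an added example that is not part of the page's remediation script: it audits every legacy domain's InstanceCount against the ES.6 threshold and, when asked, raises the count and enables three-AZ zone awareness in one update. It assumes AWS CLI v2 with the es:ListDomainNames, es:DescribeElasticsearchDomain and es:UpdateElasticsearchDomainConfig permissions; the `--audit` argument and `REMEDIATE` variable are this example's own switches.

```shell
#!/usr/bin/env bash
# Added ES.6 example, not the page's own script. Assumes AWS CLI v2 with the
# es:* permissions named in the lead-in; --audit and REMEDIATE are our own switches.
set -euo pipefail

MIN_DATA_NODES=3   # ES.6 threshold: InstanceCount >= 3 passes
TARGET_AZS=3       # page guidance: spread the data nodes across three AZs

# Pure check, so it can be exercised without AWS: exit 0 when the domain passes ES.6.
es6_passes() {
  [ "$1" -ge "$MIN_DATA_NODES" ]
}

# Node count to request for a failing domain: raise to the minimum, then round up
# to a multiple of the AZ count so shards and replicas spread evenly across zones.
proposed_count() {
  local current="$1" count
  count=$(( current > MIN_DATA_NODES ? current : MIN_DATA_NODES ))
  echo $(( (count + TARGET_AZS - 1) / TARGET_AZS * TARGET_AZS ))
}

audit_domains() {
  local domain count
  for domain in $(aws es list-domain-names --query 'DomainNames[].DomainName' --output text); do
    count=$(aws es describe-elasticsearch-domain --domain-name "$domain" \
      --query 'DomainStatus.ElasticsearchClusterConfig.InstanceCount' --output text)
    if es6_passes "$count"; then
      echo "$domain: $count data nodes -> PASS"
      continue
    fi
    echo "$domain: $count data nodes -> FAIL (ES.6)"
    if [ "${REMEDIATE:-0}" = 1 ]; then
      # Zone awareness across three AZs goes in the same update as the node count.
      aws es update-elasticsearch-domain-config --domain-name "$domain" \
        --elasticsearch-cluster-config \
        "InstanceCount=$(proposed_count "$count"),ZoneAwarenessEnabled=true,ZoneAwarenessConfig={AvailabilityZoneCount=$TARGET_AZS}"
    fi
  done
}

# Run the audit only when invoked as a script with --audit (set REMEDIATE=1 to fix).
if [ "${1:-}" = "--audit" ]; then
  audit_domains
fi
```

Re-run the audit after the update completes, and check that the index replica counts actually use the added nodes, as the fix list above notes.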
More ES controls
- ES.1 ES domains should encrypt at rest
- ES.2 A legacy Elasticsearch domain is publicly accessible
- ES.3 ES should encrypt node-to-node traffic
- ES.4 ES error logging to CW should be enabled
- ES.5 ES domains should have audit logging
- ES.7 ES domains should have >= 3 dedicated master nodes
- ES.8 ES should use latest TLS policy