AWS Security Hub · ES
ES.7: ES domains should have >= 3 dedicated master nodes
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub ES.7 check?
ES.7 fails when a legacy Elasticsearch domain does not have at least three dedicated master nodes. Dedicated masters handle cluster-state coordination (which indices exist, where each shard lives, which nodes are healthy) separately from the data nodes that store and serve the indices, so a busy query or indexing load cannot starve the cluster of a leader.
Why does ES.7 matter?
Master election is a quorum vote: a new master needs a strict majority of the master-eligible nodes, so an odd count greater than one is the smallest configuration that both breaks ties and survives the loss of a node. With no dedicated masters or only one, losing a single node can leave the cluster without a leader, and no cluster-state change (index creation, shard relocation) can proceed until it returns. Two master-eligible nodes is the dangerous case: a network partition can leave each side believing it is master, both accepting writes, producing two divergent cluster states that can only be reconciled by discarding data.
How do I fix ES.7?
- Configure three dedicated master nodes on the domain.
- Place the masters across three Availability Zones for partition tolerance.
- Size the master instance type appropriately for the cluster's shard count.
- Apply three dedicated masters as a baseline for production domains.
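The check, the quorum arithmetic and the remediation parameters above, as an added example that is not part of this page or of AWS's own tooling. The domain descriptions are constructed samples in the shape boto3 returns for `es.describe_elasticsearch_domain` (`DomainStatus.ElasticsearchClusterConfig`); everything except `remediate_domain` runs offline, and that function only calls `update_elasticsearch_domain_config` when `dry_run` is switched off. Defaulting the master instance type to the data-node type is an assumption for illustration; size it per the bullet above.

```python
"""ES.7 evaluation and remediation helper (added example, not the page's or AWS's code)."""
from __future__ import annotations

from typing import Any, Dict, Optional, Tuple

MIN_DEDICATED_MASTERS = 3  # the ES.7 threshold

# Constructed sample domains (ElasticsearchClusterConfig shape), not real domains.
SAMPLE_DOMAINS: Dict[str, Dict[str, Any]] = {
    "logs-legacy": {  # no dedicated masters at all: data nodes also hold cluster state
        "InstanceType": "m5.large.elasticsearch", "InstanceCount": 3,
        "DedicatedMasterEnabled": False, "ZoneAwarenessEnabled": False,
    },
    "search-two-masters": {  # the split-brain case from the "why" section
        "InstanceType": "m5.large.elasticsearch", "InstanceCount": 4,
        "DedicatedMasterEnabled": True, "DedicatedMasterType": "c5.large.elasticsearch",
        "DedicatedMasterCount": 2, "ZoneAwarenessEnabled": True,
        "ZoneAwarenessConfig": {"AvailabilityZoneCount": 2},
    },
    "search-prod": {  # compliant baseline: three masters across three AZs
        "InstanceType": "m5.large.elasticsearch", "InstanceCount": 6,
        "DedicatedMasterEnabled": True, "DedicatedMasterType": "c5.large.elasticsearch",
        "DedicatedMasterCount": 3, "ZoneAwarenessEnabled": True,
        "ZoneAwarenessConfig": {"AvailabilityZoneCount": 3},
    },
}


def quorum_margin(master_count: int) -> Dict[str, int]:
    """Majority needed for election and how many masters can be lost before the cluster stalls."""
    majority = master_count // 2 + 1
    return {"majority": majority, "tolerated_losses": master_count - majority}


def es7_finding(cluster_config: Dict[str, Any]) -> Tuple[bool, str]:
    """Return (compliant, reason) for one domain, mirroring what ES.7 evaluates."""
    if not cluster_config.get("DedicatedMasterEnabled", False):
        return False, "no dedicated master nodes: data nodes also coordinate cluster state"
    count = int(cluster_config.get("DedicatedMasterCount", 0))
    if count < MIN_DEDICATED_MASTERS:
        losses = quorum_margin(count)["tolerated_losses"]
        return False, f"only {count} dedicated master(s); tolerates {losses} node loss(es)"
    return True, f"{count} dedicated masters; tolerates {quorum_margin(count)['tolerated_losses']} loss(es)"


def az_placement_warning(cluster_config: Dict[str, Any]) -> Optional[str]:
    """Masters only spread across three AZs when the domain itself spans three AZs."""
    zone_aware = cluster_config.get("ZoneAwarenessEnabled", False)
    az_count = cluster_config.get("ZoneAwarenessConfig", {}).get(
        "AvailabilityZoneCount", 2 if zone_aware else 1)
    if az_count >= 3:
        return None
    return (f"domain spans {az_count} AZ(s); enable zone awareness with three AZs "
            "(check the data node count is compatible) so the masters are partition tolerant")


def remediation_config(cluster_config: Dict[str, Any],
                       master_type: Optional[str] = None) -> Dict[str, Any]:
    """Master-only ElasticsearchClusterConfig update; other settings keep their current values."""
    current = (int(cluster_config.get("DedicatedMasterCount", 0))
               if cluster_config.get("DedicatedMasterEnabled") else 0)
    # Assumption for illustration: fall back to the data-node type; right-size it in practice.
    desired_type = master_type or cluster_config.get("DedicatedMasterType") or cluster_config["InstanceType"]
    return {
        "DedicatedMasterEnabled": True,
        "DedicatedMasterType": desired_type,
        "DedicatedMasterCount": max(MIN_DEDICATED_MASTERS, current),  # never scale a 5-master domain down
    }


def remediate_domain(domain_name: str, region: str, dry_run: bool = True) -> Dict[str, Any]:
    """Read the live config and apply the ES.7 fix (needs AWS credentials; boto3 imported lazily)."""
    import boto3  # noqa: WPS433  (kept local so the offline functions import without boto3)
    es = boto3.client("es", region_name=region)
    config = es.describe_elasticsearch_domain(DomainName=domain_name)["DomainStatus"]["ElasticsearchClusterConfig"]
    compliant, reason = es7_finding(config)
    update = None if compliant else remediation_config(config)
    if update and not dry_run:
        es.update_elasticsearch_domain_config(DomainName=domain_name, ElasticsearchClusterConfig=update)
    return {"domain": domain_name, "compliant": compliant, "reason": reason,
            "update": update, "az_warning": az_placement_warning(config)}


if __name__ == "__main__":
    for n in (1, 2, 3, 5):
        print(f"{n} master(s): {quorum_margin(n)}")
    for name, cfg in SAMPLE_DOMAINS.items():
        ok, why = es7_finding(cfg)
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({why})")
        if not ok:
            print("  update:", remediation_config(cfg))
        if (warn := az_placement_warning(cfg)):
            print("  note:", warn)
```

Run it as-is to see the three sample domains evaluated; call `remediate_domain("<your-domain>", "<region>", dry_run=False)` to apply the update to a real domain. Enabling dedicated masters triggers a blue/green deployment of the domain, so schedule it like any other cluster configuration change.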
Remediation script · bash

```bash
# Fix the highest-impact data stores first: enable Multi-AZ on production databases.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?MultiAZ==`false` && DBClusterIdentifier==null].DBInstanceIdentifier' \
    --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
      --multi-az --apply-immediately
  echo "$db: standby being provisioned in a second AZ"
done

# Span a stateless compute fleet across three AZs, then mirror the set on its load balancer.
aws autoscaling update-auto-scaling-group --auto-scaling-group-name web-tier-asg \
    --vpc-zone-identifier "subnet-0aaa1,subnet-0bbb2,subnet-0ccc3"
aws elbv2 set-subnets --load-balancer-arn "$ALB_ARN" \
    --subnets subnet-0aaa1 subnet-0bbb2 subnet-0ccc3
```

Full walkthrough (console steps, edge cases and verification) in the lesson Deploy across multiple Availability Zones.
More ES controls
- ES.1 ES domains should encrypt at rest
- ES.2 A legacy Elasticsearch domain is publicly accessible
- ES.3 ES should encrypt node-to-node traffic
- ES.4 ES error logging to CW should be enabled
- ES.5 ES domains should have audit logging
- ES.6 ES domains should have >= 3 data nodes
- ES.8 ES should use latest TLS policy