Compliance Medium severity

AWS Security Hub · Opensearch

Opensearch.10: OpenSearch should have latest software update

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Opensearch.10 check?

Opensearch.10 fails when a domain has a pending service software update. This is the managed platform patch (the R-prefixed release AWS ships for the service layer), not an engine version upgrade. The control reads the domain's ServiceSoftwareOptions (CurrentVersion, NewVersion, UpdateAvailable) and fails the domain when an available update has not been applied.

Why does Opensearch.10 matter?

Service software updates carry security fixes — the Log4j patches shipped this way. Left pending, an optional update eventually becomes mandatory and AWS applies it on its own schedule; neglect long enough and AWS will isolate and ultimately delete the domain. Patching on your own terms keeps both the security gap and that endgame off the table.

How do I fix Opensearch.10?

  1. Read each domain's ServiceSoftwareOptions to see the current and available versions, the UpdateStatus, and whether the update is optional (OptionalDeployment) or required with an AutomatedUpdateDate.
  2. Start the update with the AWS CLI, scheduling it into the domain's off-peak window rather than running it immediately during business hours.
  3. Reserve enough master-node headroom so the blue/green deployment that installs the update does not spike latency.
  4. Turn on automatic service software updates (this requires the domain's off-peak window to be enabled) so the finding stops recurring.
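The triage logic behind those steps, written out as an added example (not the page's own code and not AWS's evaluation logic). It works on the DomainStatus structure that DescribeDomain returns, keys on ServiceSoftwareOptions.UpdateAvailable the way the control description above says, and decides what to do with each failing domain: wait if a deployment is already running, start immediately if a required update is about to be auto-installed, otherwise schedule it into the off-peak window. The domain names, version strings and timestamps are constructed; the seven-day threshold is an assumption you would tune to your change process.

```python
# Added example: classify OpenSearch domains by service software update state.
# Input is the DomainStatus dict from DescribeDomain (boto3:
# client.describe_domain(DomainName=...)["DomainStatus"]); samples are constructed.
from datetime import datetime, timedelta, timezone

# Assumption: if a required update will be auto-installed within this many days,
# it is better to start it now on your own terms than to let AWS pick the moment.
URGENT_WINDOW = timedelta(days=7)


def assess(domain_status, now):
    """Return a verdict dict for one domain.

    status is "PASSED" when no service software update is available, otherwise
    "FAILED" with an 'action' describing the next step. This approximates the
    control by checking ServiceSoftwareOptions.UpdateAvailable.
    """
    opts = domain_status.get("ServiceSoftwareOptions", {})
    off_peak = domain_status.get("OffPeakWindowOptions", {}).get("Enabled", False)
    verdict = {
        "domain": domain_status["DomainName"],
        "current": opts.get("CurrentVersion"),
        "new": opts.get("NewVersion"),
        "status": "PASSED",
        "action": None,
    }
    if not opts.get("UpdateAvailable"):
        return verdict

    verdict["status"] = "FAILED"
    schedule = "schedule OFF_PEAK_WINDOW" if off_peak else "enable off-peak window, then schedule"
    update_status = opts.get("UpdateStatus")
    deadline = opts.get("AutomatedUpdateDate")  # set for required updates

    if update_status == "IN_PROGRESS":
        verdict["action"] = "wait: blue/green deployment already running"
    elif update_status == "NOT_ELIGIBLE":
        verdict["action"] = "investigate: domain cannot take the update (see Description)"
    elif not opts.get("OptionalDeployment", True) and deadline is not None \
            and deadline - now <= URGENT_WINDOW:
        verdict["action"] = "start now: required update auto-installs within 7 days"
    else:
        verdict["action"] = schedule
    return verdict


def failing(domain_statuses, now):
    """Names of the domains Opensearch.10 would flag, in input order."""
    return [v["domain"] for v in (assess(d, now) for d in domain_statuses)
            if v["status"] == "FAILED"]


# Constructed reference time and DescribeDomain excerpts (not real domains).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_DOMAINS = [
    {"DomainName": "search-current",
     "ServiceSoftwareOptions": {"CurrentVersion": "R20240513-P1", "NewVersion": "",
                                "UpdateAvailable": False, "UpdateStatus": "COMPLETED",
                                "OptionalDeployment": True},
     "OffPeakWindowOptions": {"Enabled": True}},
    {"DomainName": "search-optional",
     "ServiceSoftwareOptions": {"CurrentVersion": "R20240408-P2", "NewVersion": "R20240513-P1",
                                "UpdateAvailable": True, "UpdateStatus": "ELIGIBLE",
                                "OptionalDeployment": True},
     "OffPeakWindowOptions": {"Enabled": True}},
    {"DomainName": "search-required",
     "ServiceSoftwareOptions": {"CurrentVersion": "R20240212-P1", "NewVersion": "R20240513-P1",
                                "UpdateAvailable": True, "UpdateStatus": "PENDING_UPDATE",
                                "OptionalDeployment": False,
                                "AutomatedUpdateDate": NOW + timedelta(days=3)},
     "OffPeakWindowOptions": {"Enabled": False}},
    {"DomainName": "search-updating",
     "ServiceSoftwareOptions": {"CurrentVersion": "R20240408-P2", "NewVersion": "R20240513-P1",
                                "UpdateAvailable": True, "UpdateStatus": "IN_PROGRESS",
                                "OptionalDeployment": True},
     "OffPeakWindowOptions": {"Enabled": True}},
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        v = assess(d, NOW)
        print(f"{v['domain']:16} {v['status']:6} {v['current']} -> {v['new'] or '-'}  {v['action'] or ''}")
```

Feed it real data by replacing SAMPLE_DOMAINS with the DomainStatus of each name from ListDomainNames; the "start now" branch is the one that matters operationally, because a required update past its AutomatedUpdateDate is applied by AWS whether or not your change window is open.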

Remediation script · bash

# List every OpenSearch domain with its service software state: current version,
# available version, whether an update is pending, whether it is optional, and
# the date AWS will install a required update on its own.
for d in $(aws opensearch list-domain-names --query 'DomainNames[].DomainName' --output text); do
  aws opensearch describe-domain --domain-name "$d" \
    --query 'DomainStatus.ServiceSoftwareOptions.[CurrentVersion,NewVersion,UpdateAvailable,OptionalDeployment,AutomatedUpdateDate]' \
    --output text
done

# Start the pending update for one domain (prod-logs is a placeholder name),
# deferring the blue/green deployment to the domain's off-peak window.
aws opensearch start-service-software-update --domain-name prod-logs \
  --schedule-at OFF_PEAK_WINDOW

# Enable the off-peak window (required for scheduled and automatic updates; start
# time is in UTC) and turn on automatic service software updates so future releases
# install on their own.
aws opensearch update-domain-config --domain-name prod-logs \
  --off-peak-window-options 'Enabled=true,OffPeakWindow={WindowStartTime={Hours=2,Minutes=0}}' \
  --software-update-options AutoSoftwareUpdateEnabled=true

Full walkthrough (console steps, edge cases and verification) in the lesson Keep software and engines patched.

Is Opensearch.10 a false positive?

A service software update is not an engine version upgrade: teams sometimes plan a major version migration when all the control wants is the in-place platform patch. Compare CurrentVersion and NewVersion under ServiceSoftwareOptions, not the domain's EngineVersion. A domain whose update is already IN_PROGRESS keeps failing until the blue/green deployment completes, which is a timing issue rather than a false positive.

Part of the learning path Build in resilience
  • Opensearch.1 OpenSearch domains should encrypt at rest
  • Opensearch.2 OpenSearch domains should not be publicly accessible
  • Opensearch.3 OpenSearch should encrypt node-to-node traffic
  • Opensearch.4 OpenSearch error logging to CW should be enabled
  • Opensearch.5 OpenSearch domains should have audit logging
  • Opensearch.6 OpenSearch domains should have >= 3 data nodes
  • Opensearch.7 OpenSearch domains should have fine-grained access control enabled
  • Opensearch.8 OpenSearch should use latest TLS policy