Opensearch.6: OpenSearch domains should have >= 3 data nodes
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub Opensearch.6 check?
Opensearch.6 fails when a domain is configured with fewer than three data nodes. The control reads the domain's ClusterConfig instance count, and three nodes across three Availability Zones is the resilience floor it enforces.
Why does Opensearch.6 matter?
A one- or two-node domain has no safe failure mode: a single node loss can take the cluster offline or, with an even count, allow a split-brain where two halves accept conflicting writes. Three master-eligible nodes give the cluster an odd quorum so a minority knows to step down, and zone awareness spreads them across AZs for genuine fault tolerance.
How do I fix Opensearch.6?
- Audit each domain's ClusterConfig to find those running one or two data nodes.
- Decide per domain whether it is worth funding for resilience or should simply be retired.
- Raise the data-node count to at least three with zone awareness enabled, expecting a blue/green deployment.
- Consider dedicated primary nodes for larger clusters to keep coordination stable.
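The audit and resize steps above, applied to OpenSearch domains, as an added example rather than the page's own script: it classifies each domain's ClusterConfig and prints, without running it, the update that reaches three zone-aware data nodes. The function names and sample rows are constructed for illustration; passing `--live` reads real domains through the AWS CLI.

```bash
#!/usr/bin/env bash
# Added example, not the page's script; function names and sample rows are constructed.
# check_domain NAME COUNT ZONE_AWARE AZ_COUNT: fields as `aws ... --output text`
# prints them (booleans True/False, a missing field None).
check_domain() {
  local name="$1" count="$2" zone_aware="$3" az_count="$4"
  case "$count" in ''|*[!0-9]*) echo "ERROR $name: instance count not readable"; return 0 ;; esac
  if [ "$count" -lt 3 ]; then
    echo "FAIL $name: $count data node(s), fewer than 3"
  elif [ "$zone_aware" != "True" ] || [ "$az_count" != "3" ]; then
    echo "WARN $name: $count data nodes, not zone-aware across 3 AZs"
  else
    echo "PASS $name: $count data nodes across 3 AZs"
  fi
}

# plan_fix NAME COUNT: print (never run) the update that reaches three
# zone-aware data nodes. A domain already above three keeps its node count.
plan_fix() {
  local name="$1" target="$2"
  [ "$target" -ge 3 ] || target=3
  echo "aws opensearch update-domain-config --domain-name $name" \
    "--cluster-config 'InstanceCount=$target,ZoneAwarenessEnabled=true,ZoneAwarenessConfig={AvailabilityZoneCount=3}'"
}

# report NAME COUNT ZONE_AWARE AZ_COUNT: verdict, plus the planned fix unless PASS.
report() {
  local verdict
  verdict=$(check_domain "$@")
  echo "$verdict"
  case "$verdict" in FAIL*|WARN*) plan_fix "$1" "$2" ;; esac
}

# audit_live: read every domain in the current region with the AWS CLI.
audit_live() {
  local name cfg
  for name in $(aws opensearch list-domain-names \
      --query 'DomainNames[].DomainName' --output text); do
    cfg=$(aws opensearch describe-domain --domain-name "$name" --output text \
      --query 'DomainStatus.ClusterConfig.[InstanceCount,ZoneAwarenessEnabled,ZoneAwarenessConfig.AvailabilityZoneCount]')
    report "$name" $cfg   # unquoted on purpose: split cfg into its three fields
  done
}

if [ "${1:-}" = "--live" ]; then audit_live; exit; fi
# Constructed sample rows (name, count, zone-aware, AZ count), not real domains.
report logs-dev 1 False None
report search-stg 4 True 2
report search-prod 6 True 3
```

Review each printed command before running it, since the resize triggers the blue/green deployment mentioned above.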
Remediation script · bash
# Fix the highest-impact data stores first: enable Multi-AZ on production databases.
# The query selects standalone RDS instances (no cluster) that are not yet Multi-AZ.
for db in $(aws rds describe-db-instances \
    --query 'DBInstances[?MultiAZ==`false` && DBClusterIdentifier==null].DBInstanceIdentifier' \
    --output text); do
  aws rds modify-db-instance --db-instance-identifier "$db" \
    --multi-az --apply-immediately
  echo "$db: standby being provisioned in a second AZ"
done
# Span a stateless compute fleet across three AZs, then mirror the set on its load balancer.
# web-tier-asg and the subnet IDs are example values; ALB_ARN must be set before running.
aws autoscaling update-auto-scaling-group --auto-scaling-group-name web-tier-asg \
  --vpc-zone-identifier "subnet-0aaa1,subnet-0bbb2,subnet-0ccc3"
aws elbv2 set-subnets --load-balancer-arn "${ALB_ARN:?set ALB_ARN to the load balancer ARN}" \
  --subnets subnet-0aaa1 subnet-0bbb2 subnet-0ccc3
Full walkthrough (console steps, edge cases and verification) in the lesson Deploy across multiple Availability Zones.
Is Opensearch.6 a false positive?
It reads as a cost control, but it is a resilience decision first — bumping to three nodes is the only way to clear it, so the real question is whether the domain matters enough to keep at all.
More Opensearch controls
- Opensearch.1 OpenSearch domains should encrypt at rest
- Opensearch.2 An OpenSearch domain is reachable from the public internet
- Opensearch.3 OpenSearch should encrypt node-to-node traffic
- Opensearch.4 OpenSearch error logging to CW should be enabled
- Opensearch.5 OpenSearch domains should have audit logging
- Opensearch.7 OpenSearch has no fine-grained access control
- Opensearch.8 OpenSearch should use latest TLS policy
- Opensearch.10 OpenSearch should have latest software update