OpenSearch domains should be deployed within a VPC

Description

This control verifies whether each OpenSearch domain is deployed within a VPC (that is, whether the domain was created with VPC access rather than a public endpoint). Note that this control does not assess the VPC network configuration, such as the security groups and network ACLs attached to the domain's subnets, to determine whether the domain is reachable from outside the VPC.

Deploying an OpenSearch domain within a VPC gives it an endpoint that resolves only to private IP addresses in your subnets, so clients reach it over AWS's private network and the domain is not exposed to the public internet. This reduces the attack surface of the domain, although it does not replace TLS for protecting data in transit. VPCs also offer network controls, such as security groups and network ACLs, that let you restrict which sources can reach the domain. Migrate public OpenSearch domains to VPC access to take advantage of these controls.
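The following is an added example, not code from the original page or from any AWS tooling, showing how the check described above can be implemented against the DescribeDomains API response. A domain passes when its DomainStatus carries a VPCOptions.VPCId; a domain with only a public Endpoint fails; a domain flagged Deleted is out of scope. The sample DomainStatus records are constructed for illustration, and the field names (DomainName, Endpoint, Endpoints, VPCOptions, Deleted) are those of the DescribeDomains response. The live collector at the end uses boto3 and is only called when credentials are available; the evaluation itself runs offline.

```python
"""Evaluate Amazon OpenSearch Service domains for VPC deployment.

A domain PASSES when DescribeDomains reports VPCOptions with a VPCId,
FAILS when it only has a public Endpoint, and is NOT_APPLICABLE when it
is being deleted. Network configuration (security groups, network ACLs)
is deliberately not assessed, matching the scope of the control.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed sample records shaped like DescribeDomains' DomainStatus entries.
SAMPLE_DOMAIN_STATUSES = [
    {   # Public endpoint: no VPCOptions, a single public "Endpoint" hostname.
        "DomainName": "logs-public",
        "Endpoint": "search-logs-public-abc123.us-east-1.es.amazonaws.com",
        "Deleted": False,
    },
    {   # VPC access: VPCOptions present, endpoint published under the "vpc" key.
        "DomainName": "logs-vpc",
        "Endpoints": {"vpc": "vpc-logs-vpc-def456.us-east-1.es.amazonaws.com"},
        "VPCOptions": {
            "VPCId": "vpc-0a1b2c3d4e5f67890",
            "SubnetIds": ["subnet-0123456789abcdef0"],
            "AvailabilityZones": ["us-east-1a"],
            "SecurityGroupIds": ["sg-0123456789abcdef0"],
        },
        "Deleted": False,
    },
    {   # Domain scheduled for deletion: not evaluated.
        "DomainName": "old-domain",
        "Endpoint": "search-old-domain-0a1b2c.us-east-1.es.amazonaws.com",
        "Deleted": True,
    },
]


@dataclass(frozen=True)
class Finding:
    domain_name: str
    status: str  # "PASS", "FAIL" or "NOT_APPLICABLE"
    reason: str


def evaluate_domain(domain_status: dict) -> Finding:
    """Apply the VPC-deployment control to one DomainStatus record."""
    name = domain_status.get("DomainName", "<unknown>")
    if domain_status.get("Deleted"):
        return Finding(name, "NOT_APPLICABLE", "domain is being deleted")
    # VPCOptions is only present for domains created with VPC access.
    vpc_id = (domain_status.get("VPCOptions") or {}).get("VPCId")
    if vpc_id:
        return Finding(name, "PASS",
                       f"deployed in {vpc_id} (network configuration not assessed)")
    public_endpoint = domain_status.get("Endpoint", "<none>")
    return Finding(name, "FAIL", f"public endpoint {public_endpoint}")


def evaluate_domains(domain_statuses: Iterable[dict]) -> list[Finding]:
    return [evaluate_domain(d) for d in domain_statuses]


def failing_domains(domain_statuses: Iterable[dict]) -> list[str]:
    """Names of domains that need to be recreated inside a VPC."""
    return [f.domain_name for f in evaluate_domains(domain_statuses) if f.status == "FAIL"]


def collect_live_domain_statuses(region_name: str | None = None) -> list[dict]:
    """Fetch DomainStatus records with boto3 (needs credentials; not used offline)."""
    import boto3  # imported here so the offline evaluation has no AWS dependency

    client = boto3.client("opensearch", region_name=region_name)
    names = [d["DomainName"] for d in client.list_domain_names()["DomainNames"]]
    statuses: list[dict] = []
    for i in range(0, len(names), 5):  # DescribeDomains accepts at most 5 names per call
        statuses.extend(client.describe_domains(DomainNames=names[i:i + 5])["DomainStatusList"])
    return statuses


if __name__ == "__main__":
    for finding in evaluate_domains(SAMPLE_DOMAIN_STATUSES):
        print(f"{finding.status:15} {finding.domain_name}: {finding.reason}")
```

To run against a real account, replace SAMPLE_DOMAIN_STATUSES with the output of collect_live_domain_statuses(); the evaluation logic is unchanged. A PASS here only means the domain has a VPC endpoint; the security groups and network ACLs that actually govern who can reach it still need their own review.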

Remediation

If you created a domain with a public endpoint, you cannot move it into a VPC later. Instead, create a new domain with VPC access and migrate your data to it.

For guidance on deploying OpenSearch domains to a VPC and migrating data, refer to the Launching your Amazon OpenSearch Service domains within a VPC and Migrating data between domains and collections using Amazon OpenSearch Ingestion sections of the Amazon OpenSearch Service Developer Guide.