Creating Snapshot Management Policies with Keystore Integration and Slack Notification Setup

November 28, 2024 · 3 min read

Step 1: Add AWS Credentials to the Keystore

Do not put the access key and secret key in opensearch.yml or in environment variables; store them in the OpenSearch keystore, which is where the repository-s3 plugin reads the s3.client.default.* settings from. The keystore is a per-node file, so repeat this on every node in the cluster, and make sure the repository-s3 plugin is installed on each of them first.

Add the credentials with:

./bin/opensearch-keystore add s3.client.default.access_key
./bin/opensearch-keystore add s3.client.default.secret_key

Enter the access key ID and the secret access key when prompted. These are reloadable secure settings: on a running cluster follow up with POST _nodes/reload_secure_settings so the S3 client picks them up without a restart. Use a dedicated IAM user or role whose policy is limited to listing the backup bucket and getting, putting, deleting and multipart-uploading objects in it, rather than account-wide credentials.

Step 2: Connect to S3 Bucket

Now that the credentials are in the keystore, register an S3 snapshot repository that points at the backup bucket.

Register the repository in Dev Tools (or with curl against the cluster):

PUT _snapshot/my_s3_repository
{
  "type": "s3",
  "settings": {
    "bucket": "my-opensearch-backups",
    "region": "us-west-2"
  }
}

OpenSearch resolves the credentials for the default S3 client from the keystore; nothing secret goes into the repository settings. If the bucket does not enforce encryption itself, add "server_side_encryption": true to the settings so snapshot files are encrypted at rest. Before relying on the repository, run POST _snapshot/my_s3_repository/_verify: every node writes and reads a test file in the bucket, which catches a node with a missing keystore entry or an IAM policy that lacks a permission.

Step 3: Create a Slack Notification Channel

To receive Slack notifications, you need to set up a notification channel in OpenSearch.

Create an Incoming Webhook in Slack:

  • Go to your Slack workspace and navigate to Apps.
  • Search for and select Incoming Webhooks.
  • Create a new webhook for a channel you want notifications to appear in (e.g., #backups).
  • Copy the webhook URL provided by Slack.

Create the Notification Channel in OpenSearch: With the webhook URL in hand, create a Slack channel through the Notifications plugin. Supplying config_id yourself gives the channel a predictable ID that the snapshot policy can reference:

POST /_plugins/_notifications/configs
{
  "config_id": "my_slack_channel",
  "config": {
    "name": "my_slack_channel",
    "description": "Snapshot Management notifications",
    "config_type": "slack",
    "is_enabled": true,
    "slack": {
      "url": "https://hooks.slack.com/services/your/webhook/url"
    }
  }
}

Replace https://hooks.slack.com/services/your/webhook/url with your actual Slack webhook URL. Treat that URL as a secret: anyone who holds it can post into #backups, and it is stored in the Notifications plugin's config index, so restrict who may read notification configs (with the Security plugin's notification roles) and regenerate the webhook in Slack if it ever leaks.

Step 4: Retrieve the Notification Channel ID

If you let OpenSearch generate the channel ID instead of setting config_id yourself, list the channels in Dev Tools to find it:

GET /_plugins/_notifications/channels

The response contains a channel_list; each entry carries a config_id, name and config_type. That config_id is the value to put in notification.channel.id in the snapshot policy.

Step 5: Create Snapshot Management Policy

Now define a Snapshot Management (SM) policy that takes a snapshot every 8 hours, deletes snapshots older than 365 days, and sends notifications to Slack. Note the arithmetic: three snapshots a day for a year is 1,095 snapshots, and the deletion condition's max_count is a hard cap on how many snapshots are kept, so it must be at least that large or the count rule will delete snapshots long before they reach max_age.

Here is the policy (the body follows the documented create-policy request; the sm_policy wrapper and the schedule and enabled fields appear only in the API's responses):

POST /_plugins/_sm/policies/my_sm_policy
{
  "description": "Snapshot every 8 hours, retain 365 days",
  "creation": {
    "schedule": {
      "cron": {
        "expression": "0 */8 * * *",
        "timezone": "UTC"
      }
    }
  },
  "deletion": {
    "schedule": {
      "cron": {
        "expression": "0 */8 * * *",
        "timezone": "UTC"
      }
    },
    "condition": {
      "max_age": "365d",
      "min_count": 273,
      "max_count": 1095
    }
  },
  "snapshot_config": {
    "indices": "*",
    "include_global_state": true,
    "repository": "my_s3_repository"
  },
  "notification": {
    "channel": {
      "id": "my_slack_channel"
    },
    "conditions": {
      "creation": true,
      "deletion": false,
      "failure": true,
      "time_limit_exceeded": false
    }
  }
}

This policy snapshots all indices plus the cluster state every 8 hours, runs the deletion check on the same schedule, removes snapshots older than 365 days, and never keeps more than 1,095 or fewer than 273 of them. With a max_count of 365 instead, the count rule would start deleting after roughly four months regardless of max_age. Slack receives a message for every successful snapshot and for every failure; deletions and time-limit overruns stay silent. Confirm the policy is scheduled with GET /_plugins/_sm/policies/my_sm_policy/_explain, and check the first snapshot actually lands in the bucket before trusting the schedule.
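As an added example that is not code from the article, the Python below builds the Notifications-config body from Step 3 and the SM policy body from Step 5, and checks the retention arithmetic that the deletion condition depends on. It never contacts a cluster; it only produces the JSON you would send with Dev Tools or curl. The endpoint paths are the documented ones; the webhook URL, repository name and the retention_problems/snapshots_per_day helpers are this example's own assumptions and names.

```python
"""Build and sanity-check the Notifications-config and Snapshot Management
policy bodies from Steps 3-5.  Added example, not code from the article;
it never contacts a cluster, it only produces JSON to send with Dev Tools
or curl.  Endpoint paths follow the OpenSearch documentation."""
import json
import re

# The only cadence this helper understands is "every N hours on the hour",
# e.g. "0 */8 * * *", which is what the article's policy uses.
_EVERY_N_HOURS = re.compile(r"^0 \*/(\d+) \* \* \*$")


def snapshots_per_day(cron_expr: str) -> int:
    """Number of firings per day of a '0 */N * * *' cron expression.
    cron fires at hours 0, N, 2N, ... below 24, i.e. ceil(24 / N) times."""
    m = _EVERY_N_HOURS.match(cron_expr)
    if not m:
        raise ValueError(f"unsupported cron expression: {cron_expr!r}")
    step = int(m.group(1))
    if not 1 <= step <= 23:
        raise ValueError(f"hour step {step} is outside 1..23")
    return (24 + step - 1) // step


def slack_channel_config(config_id: str, webhook_url: str) -> dict:
    """Body for POST _plugins/_notifications/configs.  Choosing config_id
    ourselves gives the SM policy a known channel ID to reference."""
    if not webhook_url.startswith("https://hooks.slack.com/services/"):
        raise ValueError("expected a Slack incoming-webhook URL")
    return {
        "config_id": config_id,
        "config": {
            "name": config_id,
            "description": "Snapshot Management notifications",
            "config_type": "slack",
            "is_enabled": True,
            "slack": {"url": webhook_url},
        },
    }


def sm_policy(repository: str, channel_id: str, cron_expr: str,
              retention_days: int) -> dict:
    """Body for POST _plugins/_sm/policies/<name>.  max_count is derived from
    the creation cadence so the count rule never undercuts max_age."""
    per_day = snapshots_per_day(cron_expr)
    schedule = {"cron": {"expression": cron_expr, "timezone": "UTC"}}
    return {
        "description": f"snapshot on '{cron_expr}', retain {retention_days} days",
        "creation": {"schedule": schedule, "time_limit": "1h"},
        "deletion": {
            "schedule": schedule,
            "condition": {
                "max_age": f"{retention_days}d",
                "min_count": per_day,            # keep at least one day's worth
                "max_count": per_day * retention_days,
            },
            "time_limit": "1h",
        },
        "snapshot_config": {
            "indices": "*",
            "include_global_state": True,
            "repository": repository,
        },
        "notification": {
            "channel": {"id": channel_id},
            # this example also alerts on time-limit overruns, unlike the article
            "conditions": {"creation": True, "deletion": False,
                           "failure": True, "time_limit_exceeded": True},
        },
    }


def retention_problems(policy: dict) -> list:
    """Return the ways a policy's deletion rules fall short of its max_age."""
    problems = []
    cron_expr = policy["creation"]["schedule"]["cron"]["expression"]
    cond = policy["deletion"]["condition"]
    per_day = snapshots_per_day(cron_expr)
    days = int(cond["max_age"].rstrip("d"))
    if cond["max_count"] < per_day * days:
        kept = cond["max_count"] / per_day
        problems.append(f"max_count {cond['max_count']} caps retention at "
                        f"about {kept:.0f} days, not the {days} days max_age implies")
    if cond["min_count"] > cond["max_count"]:
        problems.append("min_count is greater than max_count")
    return problems


def request_sequence(repository: str, channel_id: str, webhook_url: str) -> list:
    """Ordered (method, path, body) tuples for Steps 3 and 5; the channel
    must exist before the policy that references it is created."""
    return [
        ("POST", "/_plugins/_notifications/configs",
         slack_channel_config(channel_id, webhook_url)),
        ("POST", "/_plugins/_sm/policies/my_sm_policy",
         sm_policy(repository, channel_id, "0 */8 * * *", 365)),
    ]


if __name__ == "__main__":
    # Constructed placeholder URL; a real one comes from Slack's Incoming Webhooks app.
    for method, path, body in request_sequence(
            "my_s3_repository", "my_slack_channel",
            "https://hooks.slack.com/services/T000/B000/XXXX"):
        print(method, path)
        print(json.dumps(body, indent=2))
    # The cadence and max_age from the article with a max_count of only 365.
    original = sm_policy("my_s3_repository", "my_slack_channel", "0 */8 * * *", 365)
    original["deletion"]["condition"]["max_count"] = 365
    print(retention_problems(original))
```

Running it prints the two request bodies in the order they must be sent and then reports that a max_count of 365 with three snapshots a day caps retention at about 122 days; feed retention_problems any policy you pull back with GET /_plugins/_sm/policies/<name> to catch the same mismatch on an existing cluster.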
