Sold by: Lynxroute
Deployed on AWS
Free Trial
This product has charges associated with it for hardening, security configuration, and support.
OpenSearch is an open source search, analytics and observability suite: the OpenSearch engine (Java) plus OpenSearch Dashboards (Node), deployed single-node on one host. Unlike bare OpenSearch AMIs that ship the security plugin's well-known demo TLS certificates and a default admin password, and that expose the engine on port 9200 with no hardening, this Lynxroute build is ready out of the box: the demo certificates and admin password are replaced with per-instance values generated at first boot, the REST API on 9200 stays TLS-encrypted and authenticated, Dashboards is served through a TLS-terminating nginx with a startup readiness gate, UFW firewall pre-configured, and a CIS Level 1 hardened Ubuntu 24.04 LTS base.
Apache-2.0 engine and Dashboards - not Elastic SSPL - fully auditable, no vendor lock-in.
Overview
This is a repackaged software product wherein additional charges apply for hardening, security configuration, and support.
WHAT IS OPENSEARCH
OpenSearch is a community-driven, open source suite for search, log analytics and observability, forked from Elasticsearch and Kibana and now governed by the OpenSearch Software Foundation under the Linux Foundation. This image runs the suite single-node on one host: the OpenSearch engine (a Java/Lucene distributed search and analytics engine that indexes JSON documents and serves a REST API) and OpenSearch Dashboards (the Node visualization and management UI). It powers full-text and vector search, log and event analytics, dashboards, alerting and anomaly detection, with role-based access control and TLS enforced by the bundled security plugin. The engine and Dashboards are licensed Apache-2.0 - not Elastic SSPL - so the full stack is auditable with no vendor lock-in and no SaaS fees.
WHAT THIS AMI ADDS
Security hardening:
- The security plugin's well-known demo TLS certificates are regenerated per-instance at first boot (a fresh private certificate authority, node and admin certificates) - the demo certificates never reach your instance
- The default admin password is replaced with a strong password generated uniquely at first boot and written to /root/opensearch-credentials.txt (mode 0600)
- The REST API on port 9200 is TLS-encrypted and authenticated (the security plugin) so it is safe to expose for ingestion; the inter-node transport port 9300 is bound to 127.0.0.1 only
- Dashboards listens on 127.0.0.1:5601 and is reachable only through a TLS-terminating nginx on port 443, with a loading splash and readiness gate during startup
- The JVM heap is sized to the instance, locked into memory, and vm.max_map_count is set so the engine starts reliably
- UFW firewall pre-configured: only TCP 22, 443, and 9200 are open
- fail2ban, auditd, and AppArmor pre-configured
- CVE-scanned before every release
OS hardening (CIS Level 1):
- CIS Ubuntu 24.04 LTS Level 1 benchmark applied via ansible-lockdown
- auditd, SSH hardening, kernel hardening, IMDSv2 enforced
Compliance artifacts:
- SBOM - CycloneDX 1.6 at /etc/lynxroute/sbom.json
- CIS Conformance Report at /etc/lynxroute/cis-report.html
- CIS Tailored Profile at /usr/share/doc/lynxroute/CIS_TAILORED_PROFILE.md
Highlights
- OpenSearch security baked in: the security plugin's demo TLS certificates are regenerated per-instance at first boot and the default admin password is replaced with a unique generated one, the REST API on 9200 stays TLS-encrypted and authenticated, and Dashboards is reachable only through a TLS nginx - unlike bare OpenSearch AMIs that ship the well-known demo certificates and a default admin password and expose the engine with no hardening.
- CIS Level 1 hardened Ubuntu 24.04 LTS: auditd, fail2ban, AppArmor, SSH key-only, IMDSv2 enforced. CVE-scanned before every release. SBOM (CycloneDX) and CIS Conformance Report included.
- Full open-source search and analytics: full-text and vector search, log and observability analytics, Dashboards visualizations, alerting and anomaly detection, with TLS and role-based access control enforced by the bundled security plugin. Apache-2.0 engine and Dashboards - not Elastic SSPL, no vendor lock-in.
Details
Sold by
Categories
Delivery method
Delivery option
64-bit (x86) Amazon Machine Image (AMI)
Latest version
Operating system
Ubuntu 24.04
Deployed on AWS
New
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
Pricing
Free trial
Try this product free for 5 days according to the free trial terms set by the vendor. Usage-based pricing is in effect for usage beyond the free trial terms. Your free trial gets automatically converted to a paid subscription when the trial ends, but may be canceled any time before that.
Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time.
Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.
Dimension | Cost/hour |
|---|---|
m6i.xlarge Recommended | $0.05 |
m6i.large | $0.03 |
m6i.2xlarge | $0.07 |
Vendor refund policy
We do not offer refunds for this product. AWS infrastructure charges (EC2, EBS, data transfer) are billed separately by AWS and are not refundable by us.
Legal
Vendor terms and conditions
Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .
Content disclaimer
Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
OpenSearch 3.7.0 - Initial release (June 2026)
- OpenSearch 3.7.0 engine + OpenSearch Dashboards (version-matched) on Ubuntu 24.04 LTS
- CIS Level 1 hardening applied (ansible-lockdown/UBUNTU24-CIS)
- CVE-scanned before every release
- The security plugin's well-known demo TLS certificates are regenerated per-instance at first boot (fresh CA, node and admin certificates)
- The default admin password is replaced with a unique generated password at first boot, written to /root/opensearch-credentials.txt (mode 0600)
- REST API on port 9200 is TLS-encrypted and authenticated; transport 9300 and the Dashboards backend 5601 are bound to 127.0.0.1
- Dashboards is fronted by a TLS-terminating nginx with a startup splash and readiness gate
- JVM heap sized to the instance and locked in memory; vm.max_map_count set for reliable startup
- UFW firewall pre-configured (ports 22, 443, 9200 only)
- fail2ban, auditd, AppArmor pre-configured
- SBOM (CycloneDX 1.6) at /etc/lynxroute/sbom.json
- CIS Conformance Report (OpenSCAP) at /etc/lynxroute/cis-report.html
- IMDSv2 enforced
Additional details
Usage instructions
- Launch instance (m6i.xlarge recommended; m6i.large minimum; 50 GB disk)
- Open Security Group - allow TCP 443 (Dashboards) and TCP 9200 (REST API) from your IP
- SSH: ssh -i key.pem ubuntu@<PUBLIC_IP>
- First launch takes about a minute while the engine warms up and per-instance certificates and the admin password are generated; until then https://<PUBLIC_IP>/ shows a loading page that refreshes automatically
- Read credentials: sudo cat /root/opensearch-credentials.txt
- Open https://<PUBLIC_IP>/ in your browser - accept the self-signed certificate warning - and log in to OpenSearch Dashboards as admin with the password from the credentials file
- Use the REST API over TLS with authentication: curl -k -u admin:<password> https://<PUBLIC_IP>:9200 Create an index, add a document, and search it: curl -k -u admin:<password> -X PUT https://<PUBLIC_IP>:9200/myindex curl -k -u admin:<password> -X POST https://<PUBLIC_IP>:9200/myindex/_doc -H 'Content-Type: application/json' -d '{"hello":"world"}' curl -k -u admin:<password> https://<PUBLIC_IP>:9200/myindex/_search
- In Dashboards, open Dashboards Management to create an index pattern over your data, then build visualizations
The admin password and per-instance TLS certificates are generated at first boot and the demo certificates are removed. The inter-node transport port 9300 and the Dashboards backend port 5601 are bound to 127.0.0.1 only and are not reachable from outside the instance. On a single node cluster health is yellow when an index requests replicas (there is no second node to place them on) - this is expected, not an error.
Replace the self-signed TLS certificate with a CA-signed certificate (or run sudo certbot --nginx) for production use.
Resources
Vendor resources
Support
Vendor support
Visit us online: https://lynxroute.com
For OpenSearch documentation: https://opensearch.org/docs/ For OpenSearch upstream issues:
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
This product has charges associated with it for seller support. Hossted Platform offers an intuitive dashboard and CLI that delivers comprehensive security, monitoring, logging, and applicative insights.
This product has charges associated with it for seller support. OpenSearch with OpenSearch Dashboards preinstalled and ready to use. A per-instance admin password is generated on first boot. Backed by 24/7 cloudimg support.
For customers interested in migrating to Amazon OpenSearch Service, Cloudtech can cut the migration timeline in half, saving both capital and human resources. Deliverables include automated schema conversion, data migration strategy, and data migration support.
This product has charges associated with it for the deployment and maintenance of AI Layer for Self-hosted OpenSearch on Ubuntu 24.04 with professional support by ATH. An AI Layer for self-hosted OpenSearch is an added intelligence layer that enhances search capabilities using machine learning and generative AI.
This product has charges associated with it for the deployment and maintenance of AI Layer for Self-hosted OpenSearch on Ubuntu 24.04 with professional support by ATH. An AI Layer for self-hosted OpenSearch is an added intelligence layer that enhances search capabilities using machine learning and generative AI.
Customer reviews
No customer reviews yet
Be the first to review this product . We've partnered with PeerSpot to gather customer feedback. You can share your experience by writing or recording a review, or scheduling a call with a PeerSpot analyst.