AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-03-02 · Documentation low

File: opensearch-service/latest/developerguide/osis-get-started.md

Summary

Reworded IAM permissions section and simplified access policy recommendation

Security assessment

While the change mentions access policies, it doesn't introduce new security information or address specific vulnerabilities

Diff

diff --git a/opensearch-service/latest/developerguide/osis-get-started.md
index f4b6df811..abfe82cb3 100644
--- a/opensearch-service/latest/developerguide/osis-get-started.md
+++ b/opensearch-service/latest/developerguide/osis-get-started.md
@@ -11 +11 @@ This tutorial shows you how to use Amazon OpenSearch Ingestion to configure a si
-This tutorial walks you through the basic steps to get a pipeline up and running quickly. For more detailed information, see [Creating pipelines](./creating-pipeline.html#create-pipeline).
+This tutorial walks you through the basic steps to get a pipeline up and running quickly. For more comprehensive instructions, see [Creating pipelines](./creating-pipeline.html#create-pipeline).
@@ -39,3 +39 @@ Within the tutorial, you'll create the following resources:
-To complete this tutorial, you must have the correct IAM permissions. Your user or role must have an attached [identity-based policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security-iam-serverless-id-based-policies) with the following minimum permissions. These permissions allow you to create a pipeline role (`iam:Create`), create or modify a domain (`es:*`), and work with pipelines (`osis:*`).
-
-In addition, the `iam:PassRole` permission is required on the pipeline role resource. This permission allows you to pass the pipeline role to OpenSearch Ingestion so that it can write data to the domain.
+To complete this tutorial, your user or role must have an attached [identity-based policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security-iam-serverless-id-based-policies) with the following minimum permissions. These permissions allow you to create a pipeline role (`iam:Create`), create or modify a domain (`es:*`), and work with pipelines (`osis:*`). The `iam:PassRole` permission allows you to pass the pipeline role permissions to the pipeline so that it can write data to the domain.
@@ -100 +98 @@ If you want to write data to an _existing_ domain, replace `ingestion-domain` wi
-For simplicity in this tutorial, we use a fairly broad access policy. In production environments, however, we recommend that you apply a more restrictive access policy to your pipeline role. For an example policy that provides the minimum required permissions, see [Granting Amazon OpenSearch Ingestion pipelines access to domains](./pipeline-domain-access.html).
+For simplicity in this tutorial, we use a broad access policy. In production environments, however, we recommend that you apply a more restrictive access policy to your pipeline role. For an example policy that provides the minimum required permissions, see [Granting Amazon OpenSearch Ingestion pipelines access to domains](./pipeline-domain-access.html).