AWS opensearch-service documentation change
Summary
Reworded IAM permissions section and simplified access policy recommendation
Security assessment
While the change mentions access policies, it doesn't introduce new security information or address specific vulnerabilities
Diff
diff --git a/opensearch-service/latest/developerguide/osis-get-started.md index f4b6df811..abfe82cb3 100644 --- a/opensearch-service/latest/developerguide/osis-get-started.md +++ b/opensearch-service/latest/developerguide/osis-get-started.md @@ -11 +11 @@ This tutorial shows you how to use Amazon OpenSearch Ingestion to configure a si -This tutorial walks you through the basic steps to get a pipeline up and running quickly. For more detailed information, see [Creating pipelines](./creating-pipeline.html#create-pipeline). +This tutorial walks you through the basic steps to get a pipeline up and running quickly. For more comprehensive instructions, see [Creating pipelines](./creating-pipeline.html#create-pipeline). @@ -39,3 +39 @@ Within the tutorial, you'll create the following resources: -To complete this tutorial, you must have the correct IAM permissions. Your user or role must have an attached [identity-based policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security-iam-serverless-id-based-policies) with the following minimum permissions. These permissions allow you to create a pipeline role (`iam:Create`), create or modify a domain (`es:*`), and work with pipelines (`osis:*`). - -In addition, the `iam:PassRole` permission is required on the pipeline role resource. This permission allows you to pass the pipeline role to OpenSearch Ingestion so that it can write data to the domain. +To complete this tutorial, your user or role must have an attached [identity-based policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html#security-iam-serverless-id-based-policies) with the following minimum permissions. These permissions allow you to create a pipeline role (`iam:Create`), create or modify a domain (`es:*`), and work with pipelines (`osis:*`). The `iam:PassRole` permission allows you to pass the pipeline role permissions to the pipeline so that it can write data to the domain. @@ -100 +98 @@ If you want to write data to an _existing_ domain, replace `ingestion-domain` wi -For simplicity in this tutorial, we use a fairly broad access policy. In production environments, however, we recommend that you apply a more restrictive access policy to your pipeline role. For an example policy that provides the minimum required permissions, see [Granting Amazon OpenSearch Ingestion pipelines access to domains](./pipeline-domain-access.html). +For simplicity in this tutorial, we use a broad access policy. In production environments, however, we recommend that you apply a more restrictive access policy to your pipeline role. For an example policy that provides the minimum required permissions, see [Granting Amazon OpenSearch Ingestion pipelines access to domains](./pipeline-domain-access.html).