AWS opensearch-service high security documentation change
Summary
Added new IAM policy statement allowing sso:PutApplicationAccessScope with organizational ID condition for service-linked roles.
Security assessment
Modifies IAM permissions to control application access scope management, directly addressing authorization security controls for AWS IAM Identity Center integrations.
Diff
diff --git a/opensearch-service/latest/developerguide/ac-managed.md b/opensearch-service/latest/developerguide/ac-managed.md index 21781ff15..a9a93a041 100644 --- a/opensearch-service/latest/developerguide/ac-managed.md +++ b/opensearch-service/latest/developerguide/ac-managed.md @@ -82,0 +83,15 @@ Change | Description | Date +Updated the `AmazonOpenSearchServiceRolePolicy` | Added the following statement to the policy. When Amazon OpenSearch Service assumes the `AWSServiceRoleForAmazonOpenSearchService` service-linked role, this new statement in the policy enables OpenSearch to update the access scope of any AWS IAM Identity Center application that is only managed by OpenSearch. + + + { + "Effect": "Allow", + "Action": "sso:PutApplicationAccessScope", + "Resource": "arn:aws:sso::*:application/*/*", + "Condition": { + "StringEquals": { + "aws:ResourceOrgID": "${aws:PrincipalOrgID}" + } + } + } + +| 31 March 2025