AWS Security ChangesHomeSearch

AWS opensearch-service high security documentation change

Service: opensearch-service · 2025-03-30 · Security-related high

File: opensearch-service/latest/developerguide/ac-managed.md

Summary

Added new IAM policy statement allowing sso:PutApplicationAccessScope with organizational ID condition for service-linked roles.

Security assessment

Modifies IAM permissions to control application access scope management, directly addressing authorization security controls for AWS IAM Identity Center integrations.

Diff

diff --git a/opensearch-service/latest/developerguide/ac-managed.md b/opensearch-service/latest/developerguide/ac-managed.md
index 21781ff15..a9a93a041 100644
--- a/opensearch-service/latest/developerguide/ac-managed.md
+++ b/opensearch-service/latest/developerguide/ac-managed.md
@@ -82,0 +83,15 @@ Change | Description | Date
+Updated the `AmazonOpenSearchServiceRolePolicy` |  Added the following statement to the policy. When Amazon OpenSearch Service assumes the `AWSServiceRoleForAmazonOpenSearchService` service-linked role, this new statement in the policy enables OpenSearch to update the access scope of any AWS IAM Identity Center application that is only managed by OpenSearch. 
+    
+    
+    {
+          "Effect": "Allow",
+          "Action": "sso:PutApplicationAccessScope",
+          "Resource": "arn:aws:sso::*:application/*/*",
+          "Condition": {
+            "StringEquals": {
+              "aws:ResourceOrgID": "${aws:PrincipalOrgID}"
+            }
+          }
+        }
+
+| 31 March 2025