AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-03-30 · Documentation low

File: opensearch-service/latest/developerguide/configure-client-s3.md

Summary

Updated placeholder formatting in IAM policy examples (removed curly braces from account-id), standardized terminology from 'YAML configuration' to 'pipeline configuration', and replaced example bucket names with generic placeholders

Security assessment

Changes involve documentation formatting improvements and example standardization without addressing specific vulnerabilities or introducing new security features. The ARN format corrections improve clarity but don't resolve a documented security flaw.

Diff

diff --git a/opensearch-service/latest/developerguide/configure-client-s3.md b/opensearch-service/latest/developerguide/configure-client-s3.md
index 8a1b13b09..b662a29d3 100644
--- a/opensearch-service/latest/developerguide/configure-client-s3.md
+++ b/opensearch-service/latest/developerguide/configure-client-s3.md
@@ -81 +81 @@ The following sample policy shows the required permissions for using S3 as a sou
-          "Resource": "arn:aws:s3:::amzn-s3-demo-/*"
+          "Resource": "arn:aws:s3:::bucket-name/*"
@@ -95 +95 @@ The following sample policy shows the required permissions for using S3 as a sou
-          "Resource": "arn:aws:sqs:us-west-2:{account-id}:MyS3EventSqsQueue"
+          "Resource": "arn:aws:sqs:us-west-2:account-id:MyS3EventSqsQueue"
@@ -109 +109 @@ You must attach these permissions to the IAM role that you specify in the `sts_r
-          **sts_role_arn** : arn:aws:iam::{account-id}:role/pipeline-role
+          **sts_role_arn** : arn:aws:iam::account-id:role/pipeline-role
@@ -133 +133 @@ To set up S3-SQS processing, configure your pipeline to specify S3 as the source
-            queue_url: "https://sqs.us-east-1.amazonaws.com/{account-id}/ingestion-queue"
+            queue_url: "https://sqs.us-east-1.amazonaws.com/account-id/ingestion-queue"
@@ -138 +138 @@ To set up S3-SQS processing, configure your pipeline to specify S3 as the source
-            sts_role_arn: "arn:aws:iam::{account-id}:role/pipeline-role"
+            sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"
@@ -153 +153 @@ To set up S3-SQS processing, configure your pipeline to specify S3 as the source
-            sts_role_arn: "arn:aws:iam::{account-id}:role/pipeline-role"
+            sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"
@@ -168 +168 @@ To configure your pipeline to read from Amazon S3, use the preconfigured Amazon
-A one-time scheduled scan runs once. In your YAML configuration, you can use a `start_time` and `end_time` to specify when you want the objects in the bucket to be scanned. Alternatively, you can use `range` to specify the interval of time relative to current time that you want the objects in the bucket to be scanned. 
+A one-time scheduled scan runs once. In your pipeline configuration, you can use a `start_time` and `end_time` to specify when you want the objects in the bucket to be scanned. Alternatively, you can use `range` to specify the interval of time relative to current time that you want the objects in the bucket to be scanned. 
@@ -184 +184 @@ The following configuration sets up a one-time scan for all buckets and all obje
-            sts_role_arn: "arn:aws:iam::{account-id}:role/pipeline-role"
+            sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"
@@ -189 +189 @@ The following configuration sets up a one-time scan for all buckets and all obje
-                  name: amzn-s3-demo-1
+                  name: my-bucket
@@ -214 +214 @@ The following configuration sets up a one-time scan for all buckets and all obje
-              sts_role_arn: "arn:aws:iam::{account-id}:role/pipeline-role"
+              sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"
@@ -218 +218 @@ The following configuration sets up a one-time scan for all buckets and all obje
-                bucket: "my-bucket-1"
+                bucket: "dlq-bucket"
@@ -220 +220 @@ The following configuration sets up a one-time scan for all buckets and all obje
-                sts_role_arn: "arn:aws:iam::{account-id}:role/pipeline-role"
+                sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"
@@ -282 +282 @@ A recurring scheduled scan runs a scan of your specified S3 buckets at regular,
-In your YAML configuration, the `interval` specifies the frequency of the recurring scan, and can be between 30 seconds and 365 days. The first of these scans always occurs when you create the pipeline. The `count` defines the total number of scan instances.
+In your pipeline configuration, the `interval` specifies the frequency of the recurring scan, and can be between 30 seconds and 365 days. The first of these scans always occurs when you create the pipeline. The `count` defines the total number of scan instances.
@@ -354 +354 @@ You can grant access across accounts with Amazon S3 so that OpenSearch Ingestion
-Then, you can create a YAML configuration using `bucket_owners` to enable cross-account access to an Amazon S3 bucket as a source:
+Then, you can create a pipeline using `bucket_owners` to enable cross-account access to an Amazon S3 bucket as a source: