AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-03-30 · Documentation low

File: opensearch-service/latest/developerguide/configure-client-self-managed-opensearch.md

Summary

Updated IAM ARN patterns by removing curly braces from placeholder values and changed permission documentation references

Security assessment

Changes involve syntax corrections in ARN templates and updated documentation links. No explicit security vulnerability or security feature addition is mentioned.

Diff

diff --git a/opensearch-service/latest/developerguide/configure-client-self-managed-opensearch.md b/opensearch-service/latest/developerguide/configure-client-self-managed-opensearch.md
index bbffd5092..ee6b6a2e4 100644
--- a/opensearch-service/latest/developerguide/configure-client-self-managed-opensearch.md
+++ b/opensearch-service/latest/developerguide/configure-client-self-managed-opensearch.md
@@ -35 +35 @@ The following sample domain access policy allows the pipeline role, which you cr
-            "AWS": "arn:aws:iam::{pipeline-account-id}:role/pipeline-role"
+            "AWS": "arn:aws:iam::pipeline-account-id:role/pipeline-role"
@@ -42 +42 @@ The following sample domain access policy allows the pipeline role, which you cr
-            "arn:aws:es:{region}:{account-id}:domain/domain-name"
+            "arn:aws:es:region:account-id:domain/domain-name"
@@ -48 +48 @@ The following sample domain access policy allows the pipeline role, which you cr
-To create an IAM role with the correct permissions to access write data to the collection or domain, see [Required permissions for domains](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/osis-get-started.html#osis-get-started-permissions) and [Required permissions for collections](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/osis-serverless-get-started.html#osis-serverless-get-started-permissions).
+To create an IAM role with the correct permissions to access write data to the collection or domain, see [Setting up roles and users in Amazon OpenSearch Ingestion](./pipeline-security-overview.html).
@@ -88 +88 @@ You can also migrate data from a source OpenSearch or Elasticsearch cluster to a
-              sts_role_arn: "arn:aws:iam::{account-id}:role/pipeline-role"
+              sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"
@@ -102 +102 @@ You can also migrate data from a source OpenSearch or Elasticsearch cluster to a
-              sts_role_arn: "arn:aws:iam::{account-id}:role/pipeline-role"
+              sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"
@@ -109 +109 @@ You can also migrate data from a source OpenSearch or Elasticsearch cluster to a
-            sts_role_arn: "arn:aws:iam::{account-id}:role/pipeline-role"
+            sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"
@@ -146 +146 @@ The following sample domain access policy allows the pipeline role, which you cr
-            "AWS": "arn:aws:iam::{pipeline-account-id}:role/pipeline-role"
+            "AWS": "arn:aws:iam::pipeline-account-id:role/pipeline-role"
@@ -153 +153 @@ The following sample domain access policy allows the pipeline role, which you cr
-            "arn:aws:es:{region}:{account-id}:domain/domain-name"
+            "arn:aws:es:region:account-id:domain/domain-name"
@@ -159 +159 @@ The following sample domain access policy allows the pipeline role, which you cr
-To create an IAM role with the correct permissions to access write data to the collection or domain, see [Required permissions for domains](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/osis-get-started.html#osis-get-started-permissions) and [Required permissions for collections](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/osis-serverless-get-started.html#osis-serverless-get-started-permissions).
+To create an IAM role with the correct permissions to access write data to the collection or domain, see [Setting up roles and users in Amazon OpenSearch Ingestion](./pipeline-security-overview.html).
@@ -178 +178 @@ After you have your pipeline prerequisites set up, [configure the pipeline role]
-                "Resource": ["arn:aws:secretsmanager:{region}:{account-id}:secret:secret-name"]
+                "Resource": ["arn:aws:secretsmanager:region:account-id:secret:secret-name"]
@@ -192,3 +192,3 @@ After you have your pipeline prerequisites set up, [configure the pipeline role]
-                    "arn:aws:ec2:*:{account-id}:network-interface/*",
-                    "arn:aws:ec2:*:{account-id}:subnet/*",
-                    "arn:aws:ec2:*:{account-id}:security-group/*"
+                    "arn:aws:ec2:*:account-id:network-interface/*",
+                    "arn:aws:ec2:*:account-id:subnet/*",
+                    "arn:aws:ec2:*:account-id:security-group/*"
@@ -258 +258 @@ You can also migrate data from a source OpenSearch or Elasticsearch cluster to a
-              sts_role_arn: "arn:aws:iam::{account-id}:role/pipeline-role"
+              sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"
@@ -272 +272 @@ You can also migrate data from a source OpenSearch or Elasticsearch cluster to a
-              sts_role_arn: "arn:aws:iam::{account-id}:role/pipeline-role"
+              sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"
@@ -279 +279 @@ You can also migrate data from a source OpenSearch or Elasticsearch cluster to a
-            sts_role_arn: "arn:aws:iam::{account-id}:role/pipeline-role"
+            sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"