AWS opensearch-service documentation change
Summary
Updated documentation links to more current Amazon Cognito and IAM guides, improved terminology consistency (e.g., 'AWS managed policy'), and clarified instructions for Cognito authentication setup.
Security assessment
Changes primarily involve link updates and clarifications without addressing specific vulnerabilities. Security-related sections (like MFA references) only maintain existing documentation rather than introducing new security content.
Diff
diff --git a/opensearch-service/latest/developerguide/cognito-auth.md b/opensearch-service/latest/developerguide/cognito-auth.md index 0c6d9016a..9ec621530 100644 --- a//opensearch-service/latest/developerguide/cognito-auth.md +++ b//opensearch-service/latest/developerguide/cognito-auth.md @@ -65 +65 @@ The user pool and identity pool must be in the same AWS Region. You can use the -User pools have two main features: create and manage a directory of users, and let users sign up and log in. For instructions to create a user pool, see [Create a User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-as-user-directory.html) in the _Amazon Cognito Developer Guide_. +User pools have two main features: create and manage a directory of users, and let users sign up and log in. For instructions to create a user pool, see [Getting started with user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html) in the _Amazon Cognito Developer Guide_. @@ -82 +82 @@ User pool IDs take the form of ``region`_`ID``. If you plan to use the AWS CLI o -Identity pools let you assign temporary, limited-privilege roles to users after they log in. For instructions about creating an identity pool, see [Identity Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html) in the _Amazon Cognito Developer Guide_. When you create an identity pool to use with OpenSearch Service, consider the following: +Identity pools let you assign temporary, limited-privilege roles to users after they log in. For instructions about creating an identity pool, see [Identity pools console overview](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html) in the _Amazon Cognito Developer Guide_. When you create an identity pool to use with OpenSearch Service, consider the following: @@ -97 +97 @@ Identity pool IDs take the form of ``region`:`ID`-`ID`-`ID`-`ID`-`ID``. If you p -OpenSearch Service needs permissions to configure the Amazon Cognito user and identity pools and use them for authentication. You can use `AmazonOpenSearchServiceCognitoAccess`, which is an AWS-managed policy, for this purpose. `AmazonESCognitoAccess` is a legacy policy that was replaced by `AmazonOpenSearchServiceCognitoAccess` when the service was renamed to Amazon OpenSearch Service. Both policies provide the minimum Amazon Cognito permissions necessary to enable [Cognito authentication](./cognito-auth.html). For the policy JSON, see the [IAM console](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AmazonOpenSearchServiceCognitoAccess). +OpenSearch Service needs permissions to configure the Amazon Cognito user and identity pools and use them for authentication. You can use `AmazonOpenSearchServiceCognitoAccess`, which is an AWS managed policy, for this purpose. `AmazonESCognitoAccess` is a legacy policy that was replaced by `AmazonOpenSearchServiceCognitoAccess` when the service was renamed to Amazon OpenSearch Service. Both policies provide the minimum Amazon Cognito permissions necessary to enable Amazon Cognito authentication. For policy details, see [AmazonOpenSearchServiceCognitoAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonOpenSearchServiceCognitoAccess.html) in the _AWS Managed Policy Reference Guide_. @@ -144 +144 @@ If you use the AWS CLI or one of the AWS SDKs, you must create your own role, at -For instructions, see [Creating a Role to Delegate Permissions to an AWS Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) and [Attaching and Detaching IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the _IAM User Guide_. +For instructions, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) and [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the _IAM User Guide_. @@ -152 +152 @@ After you complete the prerequisites, you can configure an OpenSearch Service do -Amazon Cognito is not available in all AWS Regions. For a list of supported Regions, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html). You don't need to use the same Region for Amazon Cognito that you use for OpenSearch Service. +Amazon Cognito is not available in all AWS Regions. For a list of supported Regions;, see [Service endpoints](https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html#cognito_identity_region) for Amazon Cognito. You don't need to use the same Region for Amazon Cognito that you use for OpenSearch Service. @@ -156 +156 @@ Amazon Cognito is not available in all AWS Regions. For a list of supported Regi -Because it creates the CognitoAccessForAmazonOpenSearch role for you, the console offers the simplest configuration experience. In addition to the standard OpenSearch Service permissions, you need the following set of permissions to use the console to create a domain that uses Amazon Cognito authentication for OpenSearch Dashboards. +Because it creates the `CognitoAccessForAmazonOpenSearch` role for you, the console offers the simplest configuration experience. In addition to the standard OpenSearch Service permissions, you need the following set of permissions to use the console to create a domain that uses Amazon Cognito authentication for OpenSearch Dashboards. @@ -222 +222 @@ If `CognitoAccessForAmazonOpenSearch` already exists, you need fewer permissions - 6. For **Cognito user pool** , select a user pool or create one. For guidance, see About the user pool. + 6. For **Cognito user pool** , select a user pool or create one. For more information, see About the user pool. @@ -224 +224 @@ If `CognitoAccessForAmazonOpenSearch` already exists, you need fewer permissions - 7. For **Cognito identity pool** , select an identity pool or create one. For guidance, see About the identity pool. + 7. For **Cognito identity pool** , select an identity pool or create one. For more information, see About the identity pool. @@ -228 +228 @@ If `CognitoAccessForAmazonOpenSearch` already exists, you need fewer permissions -The **Create user pool** and **Create identity pool** links direct you to the Amazon Cognito console and require you to create these resources manually. The process is not automatic. To learn more, see Prerequisites. +The **Create user pool** and **Create identity pool** links direct you to the Amazon Cognito console and require you to create these resources manually. The process is not automatic. For more information, see Prerequisites. @@ -230 +230 @@ The **Create user pool** and **Create identity pool** links direct you to the Am - 8. For **IAM role name** , use the default value of `CognitoAccessForAmazonOpenSearch` (recommended) or enter a new name. To learn more about the purpose of this role, see About the CognitoAccessForAmazonOpenSearch role. + 8. For **IAM role name** , use the default value of `CognitoAccessForAmazonOpenSearch` (recommended) or enter a new name. For more information, see About the CognitoAccessForAmazonOpenSearch role. @@ -257 +257 @@ After your domain finishes processing, see Allowing the authenticated role and C -The AWS SDKs (except the Android and iOS SDKs) support all the operations that are defined in the [Amazon OpenSearch Service API Reference](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/Welcome.html), including the `CognitoOptions` parameter for the `CreateDomain` and `UpdateDomainConfig` operations. For more information about installing and using the AWS SDKs, see [AWS Software Development Kits](http://aws.amazon.com/code). +The AWS SDKs (except the Android and iOS SDKs) support all the operations that are defined in the [Amazon OpenSearch Service API Reference](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/Welcome.html), including the `CognitoOptions` parameter for the `CreateDomain` and `UpdateDomainConfig` operations. For more information about installing and using the AWS SDKs, see [AWS Software Development Kits](https://aws.amazon.com/code). @@ -306 +306 @@ To enable a SAML 2.0 identity provider, you must provide a SAML metadata documen -The easiest way to configure your user pool is to use the Amazon Cognito console. For instructions, see [Using Federation from a User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html) and [Specifying Identity Provider Settings for Your User Pool App](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html) in the _Amazon Cognito Developer Guide_. +The easiest way to configure your user pool is to use the Amazon Cognito console. For instructions, see [User pool sign-in with third party identity providers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html) and [Application-specific settings with app client](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html) in the _Amazon Cognito Developer Guide_. @@ -323 +323 @@ For a walkthrough that includes fine-grained access control, see [Tutorial: Conf -Just like the default role, Amazon Cognito must be part of each additional role's trust relationship. For details, see [Creating Roles for Role Mapping](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#creating-roles-for-role-mapping) in the _Amazon Cognito Developer Guide_. +Just like the default role, Amazon Cognito must be part of each additional role's trust relationship. For details, see [Creating roles for role mapping](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#creating-roles-for-role-mapping) in the _Amazon Cognito Developer Guide_. @@ -327 +327 @@ Just like the default role, Amazon Cognito must be part of each additional role' -When you create a user group, you choose an IAM role for members of the group. For information about creating groups, see [User Groups](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html) in the _Amazon Cognito Developer Guide_. +When you create a user group, you choose an IAM role for members of the group. For information about creating groups, see [Adding groups to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html) in the _Amazon Cognito Developer Guide_. @@ -335 +335 @@ Rules are essentially a series of `if` statements that Amazon Cognito evaluates -To learn more, see [Using Rule-Based Mapping to Assign Roles to Users](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-rules-to-assign-roles-to-users) in the _Amazon Cognito Developer Guide_. +To learn more, see [Using rule-based mapping to assign roles to users](https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html#using-rules-to-assign-roles-to-users) in the _Amazon Cognito Developer Guide_. @@ -339 +339 @@ To learn more, see [Using Rule-Based Mapping to Assign Roles to Users](https://d -You can use the Amazon Cognito console to upload a custom logo and make CSS changes to the sign-in page. For instructions and a full list of CSS properties, see [Specifying App UI Customization Settings for Your User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-ui-customization.html) in the _Amazon Cognito Developer Guide_. +You can use the Amazon Cognito console to upload a custom logo and make CSS changes to the sign-in page. For instructions and a full list of CSS properties, see [Customizing hosted UI (classic) branding](https://docs.aws.amazon.com/cognito/latest/developerguide/hosted-ui-classic-branding.html) in the _Amazon Cognito Developer Guide_. @@ -343 +343 @@ You can use the Amazon Cognito console to upload a custom logo and make CSS chan -Amazon Cognito user pools support advanced security features like multi-factor authentication, compromised credential checking, and adaptive authentication. To learn more, see [Managing Security](https://docs.aws.amazon.com/cognito/latest/developerguide/managing-security.html) in the _Amazon Cognito Developer Guide_. +Amazon Cognito user pools support advanced security features like multi-factor authentication, compromised credential checking, and adaptive authentication. To learn more, see [Using Amazon Cognito user pools security features](https://docs.aws.amazon.com/cognito/latest/developerguide/managing-security.html) in the _Amazon Cognito Developer Guide_. @@ -449 +449 @@ Use the following procedure to disable Amazon Cognito authentication for Dashboa - 1. Open the Amazon OpenSearch Service console at [https://console.aws.amazon.com/aos/home/](https://console.aws.amazon.com/aos/home/). + 1. Open the [Amazon OpenSearch Service console](https://console.aws.amazon.com/aos/home/).