AWS opensearch-service documentation change
Summary
Clarified IAM policy element references and updated documentation links for Principal, Resource, ABAC, Condition elements, VPC security groups, and IAM policy creation. Added explicit links to IAM/VPC guides.
Security assessment
The changes improve documentation clarity about security-related IAM policy elements (Principal, Resource, Condition) and access control mechanisms (ABAC, VPC security groups). While these updates enhance security documentation accuracy, there is no evidence they address a specific security vulnerability or incident.
Diff
diff --git a/opensearch-service/latest/developerguide/ac.md b/opensearch-service/latest/developerguide/ac.md index ff85ccc92..e8b5505d0 100644 --- a//opensearch-service/latest/developerguide/ac.md +++ b//opensearch-service/latest/developerguide/ac.md @@ -30 +30 @@ OpenSearch Service supports three types of access policies: -You add a resource-based policy, often called the domain access policy, when you create a domain. These policies specify which actions a principal can perform on the domain's _subresources_ (with the exception of [cross-cluster search](./cross-cluster-search.html#cross-cluster-search-walkthrough)). Subresources include OpenSearch indexes and APIs. The [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) element specifies the accounts, users, or roles that are allowed access. The [Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) element specifies which subresources these principals can access. +You add a resource-based policy, often called the domain access policy, when you create a domain. These policies specify which actions a principal can perform on the domain's _subresources_ (with the exception of [cross-cluster search](./cross-cluster-search.html#cross-cluster-search-walkthrough)). Subresources include OpenSearch indexes and APIs. The [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) JSON policy element in IAM specifies the accounts, users, or roles that are allowed access. The [Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) JSON policy element specifies which subresources these principals can access. @@ -236 +236 @@ OpenSearch Service supports the `RequestTag` and `TagKeys` global condition keys -For more details on using tags for access control and the differences between resource-based and identity-based policies, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html). +For more details on using tags for access control and the differences between resource-based and identity-based policies, see the [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html.html) in the _IAM User Guide_. @@ -240 +240 @@ For more details on using tags for access control and the differences between re -IP-based policies restrict access to a domain to one or more IP addresses or CIDR blocks. Technically, IP-based policies are not a distinct type of policy. Instead, they are just resource-based policies that specify an anonymous principal and include a special [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) element. +IP-based policies restrict access to a domain to one or more IP addresses or CIDR blocks. Technically, IP-based policies are not a distinct type of policy. Instead, they are just resource-based policies that specify an anonymous principal and include a special Condition. For information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the _IAM User Guide_. @@ -246 +246,8 @@ The primary appeal of IP-based policies is that they allow unsigned requests to -If you enabled VPC access for your domain, you can't configure an IP-based policy. Instead, you can use [security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) to control which IP addresses can access the domain. For more information, see [About access policies on VPC domains](./vpc.html#vpc-security). +If you enabled VPC access for your domain, you can't configure an IP-based policy. Instead, you can use `security groups` to control which IP addresses can access the domain. For more information, see the following topics: + + * [About access policies on VPC domains](./vpc.html#vpc-security) + + * [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) in the _Amazon VPC User Guide_ + + + @@ -302 +309 @@ If your domain has a public endpoint and doesn't use [fine-grained access contro -Complexities arise when policies disagree or make no explicit mention of a user. [Understanding how IAM works](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html) in the _IAM User Guide_ provides a concise summary of policy evaluation logic: +Complexities arise when policies disagree or make no explicit mention of a user. [How IAM works](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html) in the _IAM User Guide_ provides a concise summary of policy evaluation logic: @@ -323 +330 @@ For example, if a resource-based policy grants you access to a domain subresourc -OpenSearch Service supports most policy elements in the [IAM Policy Elements Reference](http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html), with the exception of `NotPrincipal`. The following table shows the most common elements. +OpenSearch Service supports most policy elements in the [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html), with the exception of `NotPrincipal`. The following table shows the most common elements. @@ -363 +370 @@ To learn more about pairing actions and resources, see the `Resource` element in -`Condition` | OpenSearch Service supports most conditions that are described in [AWS global condition context keys](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in the _IAM User Guide_. Notable exceptions include the `aws:PrincipalTag` key, which OpenSearch Service does not support. When configuring an IP-based policy, you specify the IP addresses or CIDR block as a condition, such as the following: +`Condition` | OpenSearch Service supports most conditions that are described in [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in the _IAM User Guide_. Notable exceptions include the `aws:PrincipalTag` key, which OpenSearch Service does not support. When configuring an IP-based policy, you specify the IP addresses or CIDR block as a condition, such as the following: @@ -520 +527 @@ Specifying the * wildcard enables anonymous access to your domain. It is not rec - * For instructions on creating or modifying identity-based policies in IAM, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the _IAM User Guide_. + * For instructions on creating or modifying identity-based policies in IAM, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the _IAM User Guide_.