AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-04-23 · Documentation low

File: opensearch-service/latest/developerguide/ac.md

Summary

Clarified IAM policy element references and updated documentation links for Principal, Resource, ABAC, Condition elements, VPC security groups, and IAM policy creation. Added explicit links to IAM/VPC guides.

Security assessment

The changes improve documentation clarity about security-related IAM policy elements (Principal, Resource, Condition) and access control mechanisms (ABAC, VPC security groups). While these updates enhance security documentation accuracy, there is no evidence they address a specific security vulnerability or incident.

Diff

diff --git a/opensearch-service/latest/developerguide/ac.md b/opensearch-service/latest/developerguide/ac.md
index ff85ccc92..e8b5505d0 100644
--- a//opensearch-service/latest/developerguide/ac.md
+++ b//opensearch-service/latest/developerguide/ac.md
@@ -30 +30 @@ OpenSearch Service supports three types of access policies:
-You add a resource-based policy, often called the domain access policy, when you create a domain. These policies specify which actions a principal can perform on the domain's _subresources_ (with the exception of [cross-cluster search](./cross-cluster-search.html#cross-cluster-search-walkthrough)). Subresources include OpenSearch indexes and APIs. The [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) element specifies the accounts, users, or roles that are allowed access. The [Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) element specifies which subresources these principals can access.
+You add a resource-based policy, often called the domain access policy, when you create a domain. These policies specify which actions a principal can perform on the domain's _subresources_ (with the exception of [cross-cluster search](./cross-cluster-search.html#cross-cluster-search-walkthrough)). Subresources include OpenSearch indexes and APIs. The [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) JSON policy element in IAM specifies the accounts, users, or roles that are allowed access. The [Resource](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) JSON policy element specifies which subresources these principals can access.
@@ -236 +236 @@ OpenSearch Service supports the `RequestTag` and `TagKeys` global condition keys
-For more details on using tags for access control and the differences between resource-based and identity-based policies, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html).
+For more details on using tags for access control and the differences between resource-based and identity-based policies, see the [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html.html) in the _IAM User Guide_.
@@ -240 +240 @@ For more details on using tags for access control and the differences between re
-IP-based policies restrict access to a domain to one or more IP addresses or CIDR blocks. Technically, IP-based policies are not a distinct type of policy. Instead, they are just resource-based policies that specify an anonymous principal and include a special [Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) element.
+IP-based policies restrict access to a domain to one or more IP addresses or CIDR blocks. Technically, IP-based policies are not a distinct type of policy. Instead, they are just resource-based policies that specify an anonymous principal and include a special Condition. For information, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the _IAM User Guide_.
@@ -246 +246,8 @@ The primary appeal of IP-based policies is that they allow unsigned requests to
-If you enabled VPC access for your domain, you can't configure an IP-based policy. Instead, you can use [security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) to control which IP addresses can access the domain. For more information, see [About access policies on VPC domains](./vpc.html#vpc-security).
+If you enabled VPC access for your domain, you can't configure an IP-based policy. Instead, you can use `security groups` to control which IP addresses can access the domain. For more information, see the following topics: 
+
+  * [About access policies on VPC domains](./vpc.html#vpc-security)
+
+  * [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) in the _Amazon VPC User Guide_
+
+
+
@@ -302 +309 @@ If your domain has a public endpoint and doesn't use [fine-grained access contro
-Complexities arise when policies disagree or make no explicit mention of a user. [Understanding how IAM works](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html) in the _IAM User Guide_ provides a concise summary of policy evaluation logic:
+Complexities arise when policies disagree or make no explicit mention of a user. [How IAM works](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html) in the _IAM User Guide_ provides a concise summary of policy evaluation logic:
@@ -323 +330 @@ For example, if a resource-based policy grants you access to a domain subresourc
-OpenSearch Service supports most policy elements in the [IAM Policy Elements Reference](http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html), with the exception of `NotPrincipal`. The following table shows the most common elements.
+OpenSearch Service supports most policy elements in the [IAM Policy Elements Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html), with the exception of `NotPrincipal`. The following table shows the most common elements.
@@ -363 +370 @@ To learn more about pairing actions and resources, see the `Resource` element in
-`Condition` |  OpenSearch Service supports most conditions that are described in [AWS global condition context keys](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in the _IAM User Guide_. Notable exceptions include the `aws:PrincipalTag` key, which OpenSearch Service does not support. When configuring an IP-based policy, you specify the IP addresses or CIDR block as a condition, such as the following:
+`Condition` |  OpenSearch Service supports most conditions that are described in [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys) in the _IAM User Guide_. Notable exceptions include the `aws:PrincipalTag` key, which OpenSearch Service does not support. When configuring an IP-based policy, you specify the IP addresses or CIDR block as a condition, such as the following:
@@ -520 +527 @@ Specifying the * wildcard enables anonymous access to your domain. It is not rec
-  * For instructions on creating or modifying identity-based policies in IAM, see [Creating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the _IAM User Guide_.
+  * For instructions on creating or modifying identity-based policies in IAM, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the _IAM User Guide_.