AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-04-23 · Documentation low

File: opensearch-service/latest/developerguide/encryption-at-rest.md

Summary

Updated documentation links and terminology related to AWS KMS encryption, including corrected section titles and URL paths in references

Security assessment

Changes involve documentation link corrections and terminology clarifications (e.g., expanding KMS acronym, updating URLs). While the context is security-related (encryption at rest), there's no evidence these changes address a specific security vulnerability or weakness. The modifications improve accuracy but don't introduce new security features or mitigate known issues.

Diff

diff --git a/opensearch-service/latest/developerguide/encryption-at-rest.md b/opensearch-service/latest/developerguide/encryption-at-rest.md
index d66d75144..46c946fb0 100644
--- a//opensearch-service/latest/developerguide/encryption-at-rest.md
+++ b//opensearch-service/latest/developerguide/encryption-at-rest.md
@@ -28 +28 @@ The following are _not_ encrypted when you enable encryption of data at rest, bu
-  * Slow logs and error logs: If you [publish logs](./createdomain-configure-slow-logs.html) and want to encrypt them, you can encrypt their CloudWatch Logs log group using the same AWS KMS key as the OpenSearch Service domain. For more information, see [Encrypt log data in CloudWatch Logs using AWS KMS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) in the _Amazon CloudWatch Logs User Guide_.
+  * Slow logs and error logs: If you [publish logs](./createdomain-configure-slow-logs.html) and want to encrypt them, you can encrypt their CloudWatch Logs log group using the same AWS KMS key as the OpenSearch Service domain. For more information, see [Encrypt log data in CloudWatch Logs using AWS Key Management Service](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) in the _Amazon CloudWatch Logs User Guide_.
@@ -37 +37 @@ You can't enable encryption at rest on an existing domain if UltraWarm or cold s
-OpenSearch Service supports only symmetric encryption KMS keys, not asymmetric ones. To learn how to create symmetric keys, see [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the _AWS Key Management Service Developer Guide_.
+OpenSearch Service supports only symmetric encryption KMS keys, not asymmetric ones. To learn how to create symmetric keys, see [Create a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the _AWS Key Management Service Developer Guide_.
@@ -62 +62 @@ If you want to use a key other than the AWS owned key, you must also have permis
-If you want to keep your key exclusive to OpenSearch Service, you can add the [kms:ViaService](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-via-service) condition to that key policy:
+If you want to keep your key exclusive to OpenSearch Service, you can add the [kms:ViaService](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service) condition to that key policy:
@@ -74 +74 @@ If you want to keep your key exclusive to OpenSearch Service, you can add the [k
-For more information, see [Using key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the _AWS Key Management Service Developer Guide_.
+For more information, see [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/key-policies.html) in the _AWS Key Management Service Developer Guide_.
@@ -123 +123 @@ Each metric represents a significant problem for a domain, so we recommend that
-  * Automatic key rotation preserves the properties of your AWS KMS keys, so the rotation has no effect on your ability to access your OpenSearch data. Encrypted OpenSearch Service domains don't support manual key rotation, which involves creating a new key and updating any references to the old key. To learn more, see [Rotating keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) in the _AWS Key Management Service Developer Guide_.
+  * Automatic key rotation preserves the properties of your AWS KMS keys, so the rotation has no effect on your ability to access your OpenSearch data. Encrypted OpenSearch Service domains don't support manual key rotation, which involves creating a new key and updating any references to the old key. To learn more, see [Rotate AWS KMS keys](https://docs.aws.amazon.com/kms/latest/rotate-keys.html) in the _AWS Key Management Service Developer Guide_.