AWS Security ChangesHomeSearch

AWS opensearch-service high security documentation change

Service: opensearch-service · 2025-04-23 · Security-related high

File: opensearch-service/latest/developerguide/pipeline-domain-access.md

Summary

Restructured documentation steps, added automatic role creation option, removed manual security condition configuration for pipeline roles, and simplified FGAC mapping instructions

Security assessment

Removed explicit guidance about adding aws:SourceAccount and aws:SourceArn condition keys to prevent confused deputy attacks. These conditions were previously recommended security measures, and their removal from documentation could lead to insecure role configurations if OpenSearch Ingestion's automatic role creation doesn't implicitly include equivalent protections. This creates potential for privilege escalation via confused deputy vulnerabilities.

Diff

diff --git a/opensearch-service/latest/developerguide/pipeline-domain-access.md b/opensearch-service/latest/developerguide/pipeline-domain-access.md
index ee2859140..20b5b7d77 100644
--- a//opensearch-service/latest/developerguide/pipeline-domain-access.md
+++ b//opensearch-service/latest/developerguide/pipeline-domain-access.md
@@ -5 +5 @@
-Step 1: Create a pipeline roleStep 2: Include the pipeline role in the domain access policyStep 3: Map the pipeline role (only for domains that use fine-grained access control)Step 4: Specify the role in the pipeline configuration
+Step 1: Create the pipeline roleStep 2: Configure data access for the domain
@@ -11 +11 @@ An Amazon OpenSearch Ingestion pipeline needs permission to write to the OpenSea
-Before you specify the role in your pipeline configuration, you must configure it with an appropriate trust relationship, and then grant it access to the domain within the domain access policy.
+###### Important
@@ -13 +13 @@ Before you specify the role in your pipeline configuration, you must configure i
-###### Topics
+You can choose to manually create the pipeline role, or you can have OpenSearch Ingestion create it for you during pipeline creation. If you choose automatic role creation, OpenSearch Ingestion adds all required permissions to the pipeline role access policy based on the source and sink that you choose. It creates a pipeline role in IAM with the prefix `OpenSearchIngestion-` and the suffix that you enter. For more information, see [Pipeline role](./pipeline-security-overview.html#pipeline-security-sink).
@@ -15 +15 @@ Before you specify the role in your pipeline configuration, you must configure i
-  * Step 1: Create a pipeline role
+If you have OpenSearch Ingestion create the pipeline role for you, you still need to include the role in the domain access policy and map it to a backend role (if the domain uses fine-graned access control), either before or after you create the pipeline. See step 2 for instructions. 
@@ -17 +17 @@ Before you specify the role in your pipeline configuration, you must configure i
-  * Step 2: Include the pipeline role in the domain access policy
+###### Topics
@@ -19 +19 @@ Before you specify the role in your pipeline configuration, you must configure i
-  * Step 3: Map the pipeline role (only for domains that use fine-grained access control)
+  * Step 1: Create the pipeline role
@@ -21 +21 @@ Before you specify the role in your pipeline configuration, you must configure i
-  * Step 4: Specify the role in the pipeline configuration
+  * Step 2: Configure data access for the domain
@@ -26 +26 @@ Before you specify the role in your pipeline configuration, you must configure i
-## Step 1: Create a pipeline role
+## Step 1: Create the pipeline role
@@ -28 +28 @@ Before you specify the role in your pipeline configuration, you must configure i
-The role that you specify in the **sts_role_arn** parameter of a pipeline configuration must have an attached permissions policy that allows it to send data to the domain sink. It must also have a trust relationship that allows OpenSearch Ingestion to assume the role. For instructions on how to attach a policy to a role, see [Adding IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console) in the _IAM User Guide_.
+The pipeline role must have an attached permissions policy that allows it to send data to the domain sink. It must also have a trust relationship that allows OpenSearch Ingestion to assume the role. For instructions on how to attach a policy to a role, see [Adding IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html#add-policies-console) in the _IAM User Guide_.
@@ -30 +30 @@ The role that you specify in the **sts_role_arn** parameter of a pipeline config
-The following sample policy demonstrates the [least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) that you can provide in a pipeline configuration's **sts_role_arn** role for it to write to a single domain:
+The following sample policy demonstrates the [least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) that you can provide in a pipeline role for it to write to a single domain:
@@ -67,15 +67 @@ The role must have the following [trust relationship](https://docs.aws.amazon.co
-In addition, we recommend that you add the `aws:SourceAccount` and `aws:SourceArn` condition keys to the policy to protect yourself against the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html). The source account is the owner of the pipeline.
-
-For example, you could add the following condition block to the policy:
-    
-    
-    "Condition": {
-        "StringEquals": {
-            "aws:SourceAccount": "account-id"
-        },
-        "ArnLike": {
-            "aws:SourceArn": "arn:aws:osis:region:account-id:pipeline/*"
-        }
-    }
-
-## Step 2: Include the pipeline role in the domain access policy
+## Step 2: Configure data access for the domain
@@ -83 +69 @@ For example, you could add the following condition block to the policy:
-In order for a pipeline to write data to a domain, the domain must have a [domain-level access policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource) that allows the **sts_role_arn** pipeline role to access it.
+In order for a pipeline to write data to a domain, the domain must have a [domain-level access policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource) that allows the pipeline role to access it.
@@ -85 +71 @@ In order for a pipeline to write data to a domain, the domain must have a [domai
-The following sample domain access policy allows the pipeline role named `pipeline-role`, which you created in the previous step, to write data to the domain named `ingestion-domain`:
+The following sample domain access policy allows the pipeline role named `pipeline-role` to write data to the domain named `ingestion-domain`:
@@ -102 +88 @@ The following sample domain access policy allows the pipeline role named `pipeli
-## Step 3: Map the pipeline role (only for domains that use fine-grained access control)
+### Map the pipeline role (only for domains that use fine-grained access control)
@@ -106,7 +92 @@ If your domain uses [fine-grained access control](https://docs.aws.amazon.com/op
-**Scenario 1: Different master role and pipeline role** – If you're using an IAM Amazon Resource Name (ARN) as the master user and it's _different_ than the pipeline role (`sts_role_arn`), you need to map the pipeline role to the OpenSearch `all_access` backend role. This essentially adds the pipeline role as an additional master user. For more information, see [Additional master users](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-more-masters).
-
-**Scenario 2: Master user in the internal user database** – If your domain uses a master user in the internal user database and HTTP basic authentication for OpenSearch Dashboards, you can't pass the master username and password directly into the pipeline configuration. Instead, you need to map the pipeline role (`sts_role_arn`) to the OpenSearch `all_access` backend role. This essentially adds the pipeline role as an additional master user. For more information, see [Additional master users](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-more-masters).
-
-**Scenario 3: Same master role and pipeline role (uncommon)** – If you're using an IAM ARN as the master user, and it's the same ARN that you're using as the pipeline role (`sts_role_arn`), you don't need to take any further action. The pipeline has the required permissions to write to the domain. This scenario is uncommon because most environments use an admin role or some other role as the master role.
-
-The following image shows how to map the pipeline role to a backend role:
+  * **Scenario 1: Different master role and pipeline role** – If you're using an IAM Amazon Resource Name (ARN) as the master user and it's _different_ than the pipeline role, you need to map the pipeline role to the OpenSearch `all_access` backend role. This adds the pipeline role as an additional master user. For more information, see [Additional master users](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-more-masters).
@@ -114 +94 @@ The following image shows how to map the pipeline role to a backend role:
-![Backend roles section showing an AWSIAM role ARN for a pipeline role with a Remove option.](/images/opensearch-service/latest/developerguide/images/ingestion-fgac.png)
+  * **Scenario 2: Master user in the internal user database** – If your domain uses a master user in the internal user database and HTTP basic authentication for OpenSearch Dashboards, you can't pass the master username and password directly into the pipeline configuration. Instead, map the pipeline role to the OpenSearch `all_access` backend role. This adds the pipeline role as an additional master user. For more information, see [Additional master users](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-more-masters).
@@ -116 +96 @@ The following image shows how to map the pipeline role to a backend role:
-## Step 4: Specify the role in the pipeline configuration
+  * **Scenario 3: Same master role and pipeline role (uncommon)** – If you're using an IAM ARN as the master user, and it's the same ARN that you're using as the pipeline role, you don't need to take any further action. The pipeline has the required permissions to write to the domain. This scenario is uncommon because most environments use an administrator role or some other role as the master role.
@@ -118 +97,0 @@ The following image shows how to map the pipeline role to a backend role:
-In order to successfully create a pipeline, you must specify the pipeline role that you created in step 1 as the **sts_role_arn** parameter in your pipeline configuration. The pipeline assumes this role in order to sign requests to the OpenSearch Service domain sink.
@@ -120 +98,0 @@ In order to successfully create a pipeline, you must specify the pipeline role t
-In the `sts_role_arn` field, specify the ARN of the IAM pipeline role:
@@ -123,16 +101 @@ In the `sts_role_arn` field, specify the ARN of the IAM pipeline role:
-    version: "2"
-    log-pipeline:
-      source:
-        http:
-          path: "/${pipelineName}/logs"
-      processor:
-        - grok:
-            match:
-              log: [ "%{COMMONAPACHELOG}" ]
-      sink:
-        - opensearch:
-            hosts: [ "https://search-domain-name.us-east-1.es.amazonaws.com" ]
-            index: "my-index"
-            aws:
-              region: "region"
-              **sts_role_arn: "arn:aws:iam::account-id:role/pipeline-role"**
+The following image shows how to map the pipeline role to a backend role:
@@ -140 +103 @@ In the `sts_role_arn` field, specify the ARN of the IAM pipeline role:
-For a full reference of required and unsupported parameters, see [Supported plugins and options for Amazon OpenSearch Ingestion pipelines](./pipeline-config-reference.html).
+![Backend roles section showing an AWSIAM role ARN for a pipeline role with a Remove option.](/images/opensearch-service/latest/developerguide/images/ingestion-fgac.png)