AWS opensearch-service documentation change
Summary
Added section on configuring Lambda execution role permissions with IAM policies for OpenSearch Service managed domains and serverless collections
Security assessment
The change provides security-related documentation about required IAM permissions for Lambda functions to interact with OpenSearch, but does not address a specific security vulnerability. It prevents 'Access Denied' errors through proper configuration.
Diff
diff --git a/opensearch-service/latest/developerguide/search-example.md b/opensearch-service/latest/developerguide/search-example.md index 1c4ac3a0f..42c060559 100644 --- a//opensearch-service/latest/developerguide/search-example.md +++ b//opensearch-service/latest/developerguide/search-example.md @@ -274,0 +275,58 @@ If you have fine-grained access control enabled for the domain, you also need to +### Configure Lambda execution role permissions + +In addition to configuring the domain access policy, you must also ensure that the Lambda execution role has the necessary IAM permissions to access your OpenSearch Service domain. The Lambda function requires specific permissions depending on whether you're using a managed domain or OpenSearch Service Serverless collection. + +**For managed OpenSearch Service domains:** + +Attach the following IAM policy to your Lambda execution role to allow it to make requests to your OpenSearch Service domain: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "es:ESHttpGet", + "es:ESHttpPost" + ], + "Resource": "arn:aws:es:us-west-1:123456789012:domain/domain-name/*" + } + ] + } + +**For OpenSearch Service Serverless collections:** + +If you're using OpenSearch Service Serverless, attach the following IAM policy to your Lambda execution role: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "aoss:*", + "Resource": "arn:aws:aoss:us-west-1:123456789012:collection/collection-id" + } + ] + } + +To attach these policies to your Lambda execution role: + + 1. Navigate to the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). + + 2. Choose **Roles** and search for your Lambda execution role (typically named `opensearch-lambda-role-`xxxxxxxx``). + + 3. Choose **Add permissions** , then **Create inline policy**. + + 4. Choose the **JSON** tab and paste the appropriate policy from above, replacing the placeholder values with your actual resource ARNs. + + 5. Choose **Review policy** , provide a name like `OpenSearchAccess`, and choose **Create policy**. + + + + +###### Note + +Without these IAM permissions, your Lambda function will receive "Access Denied" errors when attempting to query your OpenSearch Service domain, even if the domain access policy allows the requests. +