AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-06-13 · Documentation medium

File: opensearch-service/latest/developerguide/security-iam-serverless.md

Summary

Added ABAC support for OpenSearch API data plane operations with tag-based policies, removed ABAC restriction note, and added new condition keys (aws:SourceVpc, aws:SourceVpce).

Security assessment

Expands security controls by enabling ABAC for data plane operations and documenting tag-based access policies. No evidence of addressing a specific vulnerability.

Diff

diff --git a/opensearch-service/latest/developerguide/security-iam-serverless.md b/opensearch-service/latest/developerguide/security-iam-serverless.md
index a5f3ae42e..8895139b3 100644
--- a//opensearch-service/latest/developerguide/security-iam-serverless.md
+++ b//opensearch-service/latest/developerguide/security-iam-serverless.md
@@ -160,4 +159,0 @@ For more information about ABAC, see [Define permissions with ABAC authorization
-###### Important
-
-OpenSearch Serverless supports attribute-based access control (ABAC) for control plane operations only. ABAC is not supported for data plane operations such as indexing and searching data within collections. For data plane access control, use data access policies as described in [Data access control for Amazon OpenSearch Serverless](./serverless-data-access.html).
-
@@ -203,0 +200,2 @@ For details about actions and resource types defined by Amazon OpenSearch Server
+  * ABAC for OpenSearch API operations
+
@@ -378,0 +377,2 @@ Both `aoss:APIAccessAll` and `aoss:DashboardsAccessAll` give full IAM permission
+  * `aws:ResourceTag`
+
@@ -380,0 +381,4 @@ Both `aoss:APIAccessAll` and `aoss:DashboardsAccessAll` give full IAM permission
+  * `aws:SourceVpce`
+
+  * `aws:SourceVpc`
+
@@ -393 +397,10 @@ The following is an example of using `aws:SourceIp` in the condition block in yo
-             "aws:SourceIp": "52.95.4.14"
+             "aws:SourceIp": "203.0.113.0"
+        }
+    }
+
+The following is an example of using `aws:SourceVpc` in the condition block in your principal's IAM policy for data plane calls:
+    
+    
+    "Condition": {
+        "StringEquals": {
+            "aws:SourceVpc": "vpc-0fdd2445d8EXAMPLE"
@@ -414,0 +428,45 @@ The following is an example of using `aoss:collection` in the condition block in
+### ABAC for OpenSearch API operations
+
+Identity-based policies let you use tags to control access to Amazon OpenSearch Serverless data plane APIs. The following policy is an example to allow attached principals to access data plane APIs if the collection has the `team:devops` tag:
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": "aoss:APIAccessAll",
+                "Resource": "arn:aws:aoss:region:account-id:collection/collection-id",
+                "Condition": {
+                    "StringEquals": {
+                        "aws:ResourceTag/team": "devops"
+                    }
+                }
+            }
+        ]
+    }
+
+The following policy is an example to deny attached principals to access data plane APIs and Dashboards access if the collection has the `environment:production` tag:
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Deny",
+                "Action": [
+                    "aoss:APIAccessAll",
+                    "aoss:DashboardsAccessAll",
+                ],
+                "Resource": "arn:aws:aoss:region:account-id:collection/collection-id",
+                "Condition": {
+                    "StringEquals": {
+                        "aws:ResourceTag/environment": "production"
+                    }
+                }
+            }
+        ]
+    }
+
+Amazon OpenSearch Serverless do not support `RequestTag` and `TagKeys` global condition keys for data plane APIs. 
+