AWS opensearch-service documentation change
Summary
Added steps for IAM Identity Center authentication, Natural Language Query/Amazon Q features, and S3 Vectors engine option. Renumbered subsequent steps.
Security assessment
The change introduces IAM Identity Center authentication as an optional security feature, which enhances access control but does not indicate a security vulnerability fix. Encryption and HTTPS settings remain unchanged (renumbered steps only).
Diff
diff --git a/opensearch-service/latest/developerguide/createupdatedomains.md b/opensearch-service/latest/developerguide/createupdatedomains.md index 3ed78e9ea..8886f819a 100644 --- a//opensearch-service/latest/developerguide/createupdatedomains.md +++ b//opensearch-service/latest/developerguide/createupdatedomains.md @@ -125 +125,7 @@ We _strongly_ recommend enabling fine-grained access control to protect the data - 23. For **Access policy** , choose an access policy or configure one of your own. If you choose to create a custom policy, you can configure it yourself or import one from another domain. For more information, see [Identity and Access Management in Amazon OpenSearch Service](./ac.html). + 23. (Optional) If you want to use IAM Identity Center (IDC) authentication to connect your existing identity source and give your AWS applications a common view of your users, choose **Enable API access authenticated with IAM Identity Center**. For more information, see [Trusted identity propagation overview](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-overview.html?icmpid=docs_console_unmapped) in the _IAM Identity Center User Guide._ + + 24. (Optional) In the **Advanced features** section, leave **Enable Natural Language Query Generation and Amazon Q Developer features** selected, if you want to use these features. + +Choose **Enable S3 Vectors as an engine option** for enhanced vector search options. For more information, see [(Preview) Advanced search capabilities with an Amazon S3 vector engine](./s3-vector-opensearch-integration-engine.html). + + 25. For **Access policy** , choose an access policy or configure one of your own. If you choose to create a custom policy, you can configure it yourself or import one from another domain. For more information, see [Identity and Access Management in Amazon OpenSearch Service](./ac.html). @@ -131 +137 @@ If you enabled VPC access, you can't use IP-based policies. Instead, you can use - 24. (Optional) To require that all requests to the domain arrive over HTTPS, select **Require HTTPS for all traffic to the domain**. To enable node-to-node encryption, select **Node-to-node encryption**. For more information, see [Node-to-node encryption for Amazon OpenSearch Service](./ntn.html). To enable encryption of data at rest, select **Enable encryption of data at rest**. These options are pre-selected if you chose the Multi-AZ with Standby deployment option. + 26. (Optional) To require that all requests to the domain arrive over HTTPS, select **Require HTTPS for all traffic to the domain**. To enable node-to-node encryption, select **Node-to-node encryption**. For more information, see [Node-to-node encryption for Amazon OpenSearch Service](./ntn.html). To enable encryption of data at rest, select **Enable encryption of data at rest**. These options are pre-selected if you chose the Multi-AZ with Standby deployment option. @@ -133 +139 @@ If you enabled VPC access, you can't use IP-based policies. Instead, you can use - 25. (Optional) Select **Use AWS owned key** to have OpenSearch Service create an AWS KMS encryption key on your behalf (or use the one that it already created). Otherwise, choose your own KMS key. For more information, see [Encryption of data at rest for Amazon OpenSearch Service](./encryption-at-rest.html). + 27. (Optional) Select **Use AWS owned key** to have OpenSearch Service create an AWS KMS encryption key on your behalf (or use the one that it already created). Otherwise, choose your own KMS key. For more information, see [Encryption of data at rest for Amazon OpenSearch Service](./encryption-at-rest.html). @@ -135 +141 @@ If you enabled VPC access, you can't use IP-based policies. Instead, you can use - 26. For **Off-peak window** , select a start time to schedule service software updates and Auto-Tune optimizations that require a blue/green deployment. Off-peak updates help to minimize strain on a cluster's dedicated master nodes during high traffic periods. + 28. For **Off-peak window** , select a start time to schedule service software updates and Auto-Tune optimizations that require a blue/green deployment. Off-peak updates help to minimize strain on a cluster's dedicated master nodes during high traffic periods. @@ -137 +143 @@ If you enabled VPC access, you can't use IP-based policies. Instead, you can use - 27. For **Auto-Tune** , choose whether to allow OpenSearch Service to suggest memory-related configuration changes to your domain to improve speed and stability. For more information, see [Auto-Tune for Amazon OpenSearch Service](./auto-tune.html). + 29. For **Auto-Tune** , choose whether to allow OpenSearch Service to suggest memory-related configuration changes to your domain to improve speed and stability. For more information, see [Auto-Tune for Amazon OpenSearch Service](./auto-tune.html). @@ -141 +147 @@ If you enabled VPC access, you can't use IP-based policies. Instead, you can use - 28. (Optional) Select **Automatic software update** to enable automatic software updates. + 30. (Optional) Select **Automatic software update** to enable automatic software updates. @@ -143 +149 @@ If you enabled VPC access, you can't use IP-based policies. Instead, you can use - 29. (Optional) Add tags to describe your domain so you can categorize and filter on that information. For more information, see [Tagging Amazon OpenSearch Service domains](./managedomains-awsresourcetagging.html). + 31. (Optional) Add tags to describe your domain so you can categorize and filter on that information. For more information, see [Tagging Amazon OpenSearch Service domains](./managedomains-awsresourcetagging.html). @@ -145 +151 @@ If you enabled VPC access, you can't use IP-based policies. Instead, you can use - 30. (Optional) Expand and configure **Advanced cluster settings**. For a summary of these options, see Advanced cluster settings. + 32. (Optional) Expand and configure **Advanced cluster settings**. For a summary of these options, see Advanced cluster settings. @@ -147 +153 @@ If you enabled VPC access, you can't use IP-based policies. Instead, you can use - 31. Choose **Create**. + 33. Choose **Create**.