AWS opensearch-service documentation change
Summary
Added Step 5 for configuring SAML attribute-based fine-grained access control with detailed implementation tasks and CLI examples
Security assessment
The change adds documentation about SAML attribute-based access control configuration, which is a security feature enabling granular permissions. However, there's no evidence of addressing a specific security vulnerability.
Diff
diff --git a/opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md b/opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md index 251ae6b75..f71183fea 100644 --- a//opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md +++ b//opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md @@ -5 +5 @@ -Step 1: Set up identity provider application (Okta)Step 2: Set up AWS configuration for OktaStep 3: Create the Amazon OpenSearch Service access policy in IAMStep 4: Verify the identity provider-initiated Single Sign-On experience with SAML +Step 1: Set up identity provider application (Okta)Step 2: Set up AWS configuration for OktaStep 3: Create the Amazon OpenSearch Service access policy in IAMStep 4: Verify the identity provider-initiated Single Sign-On experience with SAMLStep 5: Configure SAML attribute-based fine-grained access control @@ -22,0 +23,2 @@ This topic presents step-by-step instructions for configuring SAML use with Open + * Step 5: Configure SAML attribute-based fine-grained access control + @@ -226 +228 @@ To create your AWS Identity and Access Management role, complete the following s -This topic provides information for configuring your IAM roles with access to OpenSearch services. We provide examples for two groups, `Alice` and `Bob`, to demonstrate how to achieve fine-grained access control for your user groups from Okta. +Learn how to configure your IAM roles for OpenSearch access control. With IAM roles, you can implement fine-grained access control for your Okta user groups to access OpenSearch resources. This topic demonstrates the IAM role-based configuration using two example groups. @@ -448,0 +451,134 @@ Result: +## Step 5: Configure SAML attribute-based fine-grained access control + +With Amazon OpenSearch Service, you can use fine-grained access control with SAML to map users and groups from your identity provider to OpenSearch fine-grained access control users and roles dynamically. You can scope these roles to specific OpenSearch domains and serverless collections, and define index-level permissions and document-level security. + +###### Note + +For more information about fine-grained access control, see [Fine-grained access control in Amazon OpenSearch Service](./fgac.html). + +###### Topics + + * SAML attributes for fine-grained access control + + * Task 1: Configure Okta for fine-grained access control + + * Task 2: Configure SAML in OpenSearch domain + + * Task 3: Configure SAML in OpenSearch Serverless collections + + + + +### SAML attributes for fine-grained access control + +**subjectKey** + + +Maps to a unique user attribute, such as email or username, that identifies the user for authentication. + +**rolesKey** + + +Maps to group or role attributes in your IdP that determine the roles or permissions for authorization. + +### Task 1: Configure Okta for fine-grained access control + + 1. Add a new attribute for the OpenSearch user principal in the **Attribute Statements** section: + + * Name: `UserName` + + * Value: `${user-email}` + +This attribute will be used as the `subjectKey` in the OpenSearch fine-grained access control configuration for authentication. + + 2. Add a group attribute for roles in the **Group Attribute Statement** section: + + * Name: `groups` + + * Filter: `OpenSearch_xxx` + + + + +### Task 2: Configure SAML in OpenSearch domain + + 1. Open the AWS Management Console and navigate to the OpenSearch Service domain details page. + + 2. Choose **Security configuration**. + + 3. Under IAM Federation Options, choose **Edit**. + + 4. Navigate to SAML via IAM Federation options. + + 5. Enter the `subjectKey` and `rolesKey` that you defined in Okta. + + 6. Choose **Save changes**. + + + + +You can also configure fine-grained access control using the AWS CLI: + + + aws opensearch create-domain \ + --domain-name testDomain \ + --engine-version OpenSearch_1.3 \ + --cluster-config InstanceType=r5.xlarge.search,InstanceCount=1,DedicatedMasterEnabled=false,ZoneAwarenessEnabled=false,WarmEnabled=false \ + --access-policies '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},"Action":"es:*","Resource":"arn:aws:es:us-east-1:12345678901:domain/neosaml10/*"}]}' \ + --domain-endpoint-options '{"EnforceHTTPS":true,"TLSSecurityPolicy":"Policy-Min-TLS-1-2-2019-07"}' \ + --node-to-node-encryption-options '{"Enabled":true}' \ + --encryption-at-rest-options '{"Enabled":true}' \ + --advanced-security-options '{"Enabled":true,"InternalUserDatabaseEnabled":true,"MasterUserOptions":{"MasterUserName":"********","MasterUserPassword":"********"}, "IAMFederationOptions":{"Enabled": true,"SubjectKey":"TestSubjectKey","RolesKey":"TestRolesKey"}}' \ + --ebs-options "EBSEnabled=true,VolumeType=gp2,VolumeSize=300" \ + --no-verify-ssl \ + --endpoint-url https://es.us-east-1.amazonaws.com \ + --region us-east-1 + +To update an existing domain: + + + aws opensearch update-domain-config \ + --domain-name testDomain \ + --advanced-security-options '{"Enabled":true,"InternalUserDatabaseEnabled":true,"MasterUserOptions":{"MasterUserName":"********","MasterUserPassword":"********"}, "IAMFederationOptions":{"Enabled": true,"SubjectKey":"TestSubjectKey","RolesKey":"TestRolesKey"}}' \ + --ebs-options "EBSEnabled=true,VolumeType=gp2,VolumeSize=300" \ + --no-verify-ssl \ + --endpoint-url https://es.us-east-1.amazonaws.com \ + --region us-east-1 + +### Task 3: Configure SAML in OpenSearch Serverless collections + +Use the following procedure to configure SAML in OpenSearch Serverless collections. + +###### To configure SAML-based fine-grained access control in OpenSearch Serverless + + 1. Open the AWS Management Console and navigate to Amazon OpenSearch Service. + + 2. In the navigation pane, under **Serverless** , choose **Security** , and then choose **Authentication**. + + 3. In the **IAM Federation** section, select **Edit**. This section controls the SAML-attribute based fine-grained access control feature and is disabled by default. + + 4. Select **Enable IAM Federation**. + + 5. Enter the `subjectKey` and `roleKey` values that you defined in Okta. Select _Save_. + + 6. In the navigation pane under **Serverless** , choose **Data access policy**. + + 7. Either update an existing policy or create a new one. + + 8. Expand a rule, choose _Add principals_ , and then select _IAM Federation users and groups_. + + 9. Add the required principals and choose **Save**. + + 10. Choose _Grant_. + + 11. Select the permissions you want to define for the selected principals under this rule. Then specify the collections where you want to apply the permissions. Optionally, you can define index-level permissions. When finished, choose _Save_. + +###### Note + +You can create multiple rules to assign different permissions to different groups of principals. + + 12. Choose _Create_. + + + +