AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-08-10 · Documentation medium

File: opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md

Summary

Added Step 5 for configuring SAML attribute-based fine-grained access control with detailed implementation tasks and CLI examples

Security assessment

The change adds documentation about SAML attribute-based access control configuration, which is a security feature enabling granular permissions. However, there's no evidence of addressing a specific security vulnerability.

Diff

diff --git a/opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md b/opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md
index 251ae6b75..f71183fea 100644
--- a//opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md
+++ b//opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md
@@ -5 +5 @@
-Step 1: Set up identity provider application (Okta)Step 2: Set up AWS configuration for OktaStep 3: Create the Amazon OpenSearch Service access policy in IAMStep 4: Verify the identity provider-initiated Single Sign-On experience with SAML
+Step 1: Set up identity provider application (Okta)Step 2: Set up AWS configuration for OktaStep 3: Create the Amazon OpenSearch Service access policy in IAMStep 4: Verify the identity provider-initiated Single Sign-On experience with SAMLStep 5: Configure SAML attribute-based fine-grained access control
@@ -22,0 +23,2 @@ This topic presents step-by-step instructions for configuring SAML use with Open
+  * Step 5: Configure SAML attribute-based fine-grained access control
+
@@ -226 +228 @@ To create your AWS Identity and Access Management role, complete the following s
-This topic provides information for configuring your IAM roles with access to OpenSearch services. We provide examples for two groups, `Alice` and `Bob`, to demonstrate how to achieve fine-grained access control for your user groups from Okta.
+Learn how to configure your IAM roles for OpenSearch access control. With IAM roles, you can implement fine-grained access control for your Okta user groups to access OpenSearch resources. This topic demonstrates the IAM role-based configuration using two example groups.
@@ -448,0 +451,134 @@ Result:
+## Step 5: Configure SAML attribute-based fine-grained access control
+
+With Amazon OpenSearch Service, you can use fine-grained access control with SAML to map users and groups from your identity provider to OpenSearch fine-grained access control users and roles dynamically. You can scope these roles to specific OpenSearch domains and serverless collections, and define index-level permissions and document-level security.
+
+###### Note
+
+For more information about fine-grained access control, see [Fine-grained access control in Amazon OpenSearch Service](./fgac.html).
+
+###### Topics
+
+  * SAML attributes for fine-grained access control 
+
+  * Task 1: Configure Okta for fine-grained access control
+
+  * Task 2: Configure SAML in OpenSearch domain
+
+  * Task 3: Configure SAML in OpenSearch Serverless collections
+
+
+
+
+### SAML attributes for fine-grained access control 
+
+**subjectKey**
+    
+
+Maps to a unique user attribute, such as email or username, that identifies the user for authentication.
+
+**rolesKey**
+    
+
+Maps to group or role attributes in your IdP that determine the roles or permissions for authorization.
+
+### Task 1: Configure Okta for fine-grained access control
+
+  1. Add a new attribute for the OpenSearch user principal in the **Attribute Statements** section:
+
+     * Name: `UserName`
+
+     * Value: `${user-email}`
+
+This attribute will be used as the `subjectKey` in the OpenSearch fine-grained access control configuration for authentication.
+
+  2. Add a group attribute for roles in the **Group Attribute Statement** section:
+
+     * Name: `groups`
+
+     * Filter: `OpenSearch_xxx`
+
+
+
+
+### Task 2: Configure SAML in OpenSearch domain
+
+  1. Open the AWS Management Console and navigate to the OpenSearch Service domain details page.
+
+  2. Choose **Security configuration**.
+
+  3. Under IAM Federation Options, choose **Edit**.
+
+  4. Navigate to SAML via IAM Federation options.
+
+  5. Enter the `subjectKey` and `rolesKey` that you defined in Okta.
+
+  6. Choose **Save changes**.
+
+
+
+
+You can also configure fine-grained access control using the AWS CLI:
+    
+    
+    aws opensearch create-domain \
+    --domain-name testDomain \
+    --engine-version OpenSearch_1.3 \
+    --cluster-config InstanceType=r5.xlarge.search,InstanceCount=1,DedicatedMasterEnabled=false,ZoneAwarenessEnabled=false,WarmEnabled=false \
+    --access-policies '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},"Action":"es:*","Resource":"arn:aws:es:us-east-1:12345678901:domain/neosaml10/*"}]}' \
+    --domain-endpoint-options '{"EnforceHTTPS":true,"TLSSecurityPolicy":"Policy-Min-TLS-1-2-2019-07"}' \
+    --node-to-node-encryption-options '{"Enabled":true}' \
+    --encryption-at-rest-options '{"Enabled":true}' \
+    --advanced-security-options '{"Enabled":true,"InternalUserDatabaseEnabled":true,"MasterUserOptions":{"MasterUserName":"********","MasterUserPassword":"********"}, "IAMFederationOptions":{"Enabled": true,"SubjectKey":"TestSubjectKey","RolesKey":"TestRolesKey"}}' \
+    --ebs-options "EBSEnabled=true,VolumeType=gp2,VolumeSize=300" \
+    --no-verify-ssl \
+    --endpoint-url https://es.us-east-1.amazonaws.com \
+    --region us-east-1
+
+To update an existing domain:
+    
+    
+    aws opensearch update-domain-config \
+    --domain-name testDomain \
+    --advanced-security-options '{"Enabled":true,"InternalUserDatabaseEnabled":true,"MasterUserOptions":{"MasterUserName":"********","MasterUserPassword":"********"}, "IAMFederationOptions":{"Enabled": true,"SubjectKey":"TestSubjectKey","RolesKey":"TestRolesKey"}}' \
+    --ebs-options "EBSEnabled=true,VolumeType=gp2,VolumeSize=300" \
+    --no-verify-ssl \
+    --endpoint-url https://es.us-east-1.amazonaws.com \
+    --region us-east-1
+
+### Task 3: Configure SAML in OpenSearch Serverless collections
+
+Use the following procedure to configure SAML in OpenSearch Serverless collections.
+
+###### To configure SAML-based fine-grained access control in OpenSearch Serverless
+
+  1. Open the AWS Management Console and navigate to Amazon OpenSearch Service.
+
+  2. In the navigation pane, under **Serverless** , choose **Security** , and then choose **Authentication**.
+
+  3. In the **IAM Federation** section, select **Edit**. This section controls the SAML-attribute based fine-grained access control feature and is disabled by default.
+
+  4. Select **Enable IAM Federation**.
+
+  5. Enter the `subjectKey` and `roleKey` values that you defined in Okta. Select _Save_.
+
+  6. In the navigation pane under **Serverless** , choose **Data access policy**.
+
+  7. Either update an existing policy or create a new one.
+
+  8. Expand a rule, choose _Add principals_ , and then select _IAM Federation users and groups_.
+
+  9. Add the required principals and choose **Save**.
+
+  10. Choose _Grant_.
+
+  11. Select the permissions you want to define for the selected principals under this rule. Then specify the collections where you want to apply the permissions. Optionally, you can define index-level permissions. When finished, choose _Save_.
+
+###### Note
+
+You can create multiple rules to assign different permissions to different groups of principals.
+
+  12. Choose _Create_.
+
+
+
+