AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-08-13 · Documentation medium

File: opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md

Summary

Updated SAML configuration documentation with revised step-by-step instructions, added Okta-specific guidance, clarified attribute mappings (Subject key/Role key), and expanded OpenSearch Serverless configuration details

Security assessment

The changes improve documentation for SAML-based authentication/authorization (security feature) but do not address a specific vulnerability. Enhancements include explicit guidance for attribute mapping, IAM Federation enablement (disabled by default), and CLI examples for security configurations. While critical for secure implementations, these are routine documentation improvements rather than fixes for disclosed security issues.

Diff

diff --git a/opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md b/opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md
index f71183fea..1ee44ead5 100644
--- a//opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md
+++ b//opensearch-service/latest/developerguide/application-enable-SAML-identity-federation.md
@@ -485,0 +486,2 @@ Maps to group or role attributes in your IdP that determine the roles or permiss
+###### To configure Okta for fine-grained access control
+
@@ -492 +494 @@ Maps to group or role attributes in your IdP that determine the roles or permiss
-This attribute will be used as the `subjectKey` in the OpenSearch fine-grained access control configuration for authentication.
+This attribute is used as the **Subject key** in the OpenSearch fine-grained access control configuration for authentication.
@@ -499,0 +502,2 @@ This attribute will be used as the `subjectKey` in the OpenSearch fine-grained a
+This attribute is used as the **Role key** for mapping groups to OpenSearch fine-grained access control roles for authorization.
+
@@ -505 +509 @@ This attribute will be used as the `subjectKey` in the OpenSearch fine-grained a
-  1. Open the AWS Management Console and navigate to the OpenSearch Service domain details page.
+###### To configure SAML in OpenSearch domain
@@ -507 +511 @@ This attribute will be used as the `subjectKey` in the OpenSearch fine-grained a
-  2. Choose **Security configuration**.
+  1. In the AWS Management Console, identify the OpenSearch Service domain for which you want to enable fine-graned access control for the OpenSearch UI users.
@@ -509 +513 @@ This attribute will be used as the `subjectKey` in the OpenSearch fine-grained a
-  3. Under IAM Federation Options, choose **Edit**.
+  2. Navigate to the details page of the specific domain.
@@ -511 +515 @@ This attribute will be used as the `subjectKey` in the OpenSearch fine-grained a
-  4. Navigate to SAML via IAM Federation options.
+  3. Select the **Security configuration** tab and click **Edit**.
@@ -513 +517 @@ This attribute will be used as the `subjectKey` in the OpenSearch fine-grained a
-  5. Enter the `subjectKey` and `rolesKey` that you defined in Okta.
+  4. Expand **SAML via IAM Federate**.
@@ -515 +519 @@ This attribute will be used as the `subjectKey` in the OpenSearch fine-grained a
-  6. Choose **Save changes**.
+  5. Enter the `subjectKey` and `roleKey` that you defined in Okta.
@@ -516,0 +521 @@ This attribute will be used as the `subjectKey` in the OpenSearch fine-grained a
+  6. Select**Save changes**.
@@ -520 +525,2 @@ This attribute will be used as the `subjectKey` in the OpenSearch fine-grained a
-You can also configure fine-grained access control using the AWS CLI:
+
+You can also configure fine-grained access control using the AWS CLI.
@@ -550,2 +555,0 @@ To update an existing domain:
-Use the following procedure to configure SAML in OpenSearch Serverless collections.
-
@@ -558 +562,3 @@ Use the following procedure to configure SAML in OpenSearch Serverless collectio
-  3. In the **IAM Federation** section, select **Edit**. This section controls the SAML-attribute based fine-grained access control feature and is disabled by default.
+  3. In the **IAM Federation** section, select **Edit**.
+
+You can control the SAML attribute-based fine-grained access control using this configuration. IAM Federation is disabled by default.
@@ -562 +568,5 @@ Use the following procedure to configure SAML in OpenSearch Serverless collectio
-  5. Enter the `subjectKey` and `roleKey` values that you defined in Okta. Select _Save_.
+  5. Enter the `subjectKey` and `roleKey` values that you defined in Okta.
+
+For more information, see SAML attributes for fine-grained access control .
+
+  6. Select **Save**.
@@ -564 +574 @@ Use the following procedure to configure SAML in OpenSearch Serverless collectio
-  6. In the navigation pane under **Serverless** , choose **Data access policy**.
+  7. In the navigation pane under **Serverless** , choose **Data access policy**.
@@ -566 +576 @@ Use the following procedure to configure SAML in OpenSearch Serverless collectio
-  7. Either update an existing policy or create a new one.
+  8. Either update an existing policy or create a new one.
@@ -568 +578 @@ Use the following procedure to configure SAML in OpenSearch Serverless collectio
-  8. Expand a rule, choose _Add principals_ , and then select _IAM Federation users and groups_.
+  9. Expand a rule, choose **Add principals** , and then select **IAM Federation users and groups**.
@@ -570 +580 @@ Use the following procedure to configure SAML in OpenSearch Serverless collectio
-  9. Add the required principals and choose **Save**.
+  10. Add the required principals and choose **Save**.
@@ -572 +582 @@ Use the following procedure to configure SAML in OpenSearch Serverless collectio
-  10. Choose _Grant_.
+  11. Choose **Grant**.
@@ -574 +584,7 @@ Use the following procedure to configure SAML in OpenSearch Serverless collectio
-  11. Select the permissions you want to define for the selected principals under this rule. Then specify the collections where you want to apply the permissions. Optionally, you can define index-level permissions. When finished, choose _Save_.
+  12. Under this rule, do the following:
+
+     * Select the permissions you want to define for the selected principals.
+
+     * Specify the collections where you want to apply the permissions.
+
+     * Optionally, define index-level permissions.
@@ -580 +596,6 @@ You can create multiple rules to assign different permissions to different group
-  12. Choose _Create_.
+  13. When finished, choose **Save**.
+
+  14. Choose **Create**.
+
+
+
@@ -581,0 +603 @@ You can create multiple rules to assign different permissions to different group
+Alternatively, you can use CLI to create the security configurations for collections, as given below:
@@ -583,0 +606 @@ You can create multiple rules to assign different permissions to different group
+    aws opensearchserverless create-security-config --region "region"  --type iamfederation --name "configuration_name" --description "description" --iam-federation-options '{"groupAttribute":"GroupKey","userAttribute":"UserKey"}'