AWS opensearch-service documentation change
Summary
Removed two JSON policy examples for Cognito authentication and role assumptions
Security assessment
Removal of authentication policy examples reduces guidance for secure Cognito integration but doesn't fix a security issue. Could impact proper implementation of authZ mechanisms.
Diff
diff --git a/opensearch-service/latest/developerguide/cognito-auth.md b/opensearch-service/latest/developerguide/cognito-auth.md index 92d8b305e..864309fef 100644 --- a//opensearch-service/latest/developerguide/cognito-auth.md +++ b//opensearch-service/latest/developerguide/cognito-auth.md @@ -294,26 +293,0 @@ For the `Principal`, specify the ARN of the Cognito authenticated role that you -JSON - - -**** - - - - { - "Version":"2012-10-17", - "Statement":[ - { - "Effect":"Allow", - "Principal":{ - "AWS":[ - "arn:aws:iam:::role/Cognito_identitypoolnameAuth_Role" - ] - }, - "Action":[ - "es:ESHttp*" - ], - "Resource":"arn:aws:es:us-east-1::domain/domain-name/*" - } - ] - } - - @@ -455,29 +428,0 @@ When I sign out of OpenSearch Dashboards from one tab, the remaining tabs displa - -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Effect": "Allow", - "Principal": { - "Federated": "cognito-identity.amazonaws.com" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Resource": "arn:aws:iam::111122223333:role/cognito-role", - "Condition": { - "StringEquals": { - "cognito-identity.amazonaws.com:aud": "identity-pool-id" - }, - "ForAnyValue:StringLike": { - "cognito-identity.amazonaws.com:amr": "authenticated" - } - } - }] - } - -