AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-08-28 · Documentation low

File: opensearch-service/latest/developerguide/configure-client-self-managed-kafka.md

Summary

Removed JSON policy example containing Secrets Manager access, EC2 network interface permissions, and tagging conditions

Security assessment

While the policy included security-sensitive actions (secrets access), the removal appears to be cleaning up examples rather than addressing a specific vulnerability. The conditional tag requirement was a security control but its removal from docs doesn't indicate a vulnerability fix.

Diff

diff --git a/opensearch-service/latest/developerguide/configure-client-self-managed-kafka.md b/opensearch-service/latest/developerguide/configure-client-self-managed-kafka.md
index b30ac9601..da0b04b2f 100644
--- a//opensearch-service/latest/developerguide/configure-client-self-managed-kafka.md
+++ b//opensearch-service/latest/developerguide/configure-client-self-managed-kafka.md
@@ -175,64 +174,0 @@ After you have your pipeline prerequisites set up, [configure the pipeline role]
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "SecretsManagerReadAccess",
-                "Effect": "Allow",
-                "Action": [
-                    "secretsmanager:GetSecretValue"
-                ],
-                "Resource": ["arn:aws:secretsmanager:us-east-1::secret:secret-name"]
-            },
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ec2:AttachNetworkInterface",
-                    "ec2:CreateNetworkInterface",
-                    "ec2:CreateNetworkInterfacePermission",
-                    "ec2:DeleteNetworkInterface",
-                    "ec2:DeleteNetworkInterfacePermission",
-                    "ec2:DetachNetworkInterface",
-                    "ec2:DescribeNetworkInterfaces"
-                ],
-                "Resource": [
-                    "arn:aws:ec2:*:*:network-interface/*",
-                    "arn:aws:ec2:*:*:subnet/*",
-                    "arn:aws:ec2:*:*:security-group/*"
-                ]
-            },
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "ec2:DescribeDhcpOptions",
-                    "ec2:DescribeRouteTables",
-                    "ec2:DescribeSecurityGroups",
-                    "ec2:DescribeSubnets",
-                    "ec2:DescribeVpcs",
-                    "ec2:Describe*"
-                ],
-                "Resource": "*"
-            },
-            { 
-                "Effect": "Allow",
-                "Action": [ 
-                    "ec2:CreateTags"
-                ],
-                "Resource": "arn:aws:ec2:*:*:network-interface/*",
-                "Condition": { 
-                   "StringEquals": 
-                        {
-                            "aws:RequestTag/OSISManaged": "true"
-                        } 
-                } 
-            }
-        ]
-    }
-    
-