AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-08-28 · Documentation low

File: opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md

Summary

Removed detailed JSON examples of IAM policies for CloudWatch Logs and OpenSearch Serverless access

Security assessment

The change removes policy examples but doesn't indicate any security vulnerability being addressed. It appears to be documentation cleanup rather than security-related.

Diff

diff --git a/opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md b/opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md
index 717deee2f..514f8954f 100644
--- a//opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md
+++ b//opensearch-service/latest/developerguide/direct-query-cloudwatch-logs-creating.md
@@ -146,49 +145,0 @@ In the following sample policy, replace the `placeholder text `with your own inf
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "AmazonOpenSearchDirectQueryAllLogsAccess",
-                "Effect": "Allow",
-                "Action": [
-                    "logs:DescribeLogGroups",
-                    "logs:StartQuery",
-                    "logs:GetLogGroupFields"
-                ],
-                "Condition": {
-                    "StringEquals": {
-                        "aws:ResourceAccount": "accountId"
-                    }
-                },
-                "Resource": [
-                    "arn:aws:logs:region:accountId:log-group:*"
-                ]
-            }
-        ]
-    }
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "AmazonOpenSearchDirectQueryServerlessAccess",
-                "Effect": "Allow",
-                "Action": [
-                    "aoss:APIAccessAll",
-                    "aoss:DashboardsAccessAll"
-                ],
-                "Resource": [
-                    "arn:aws:aoss:region:accountId:collection/ARN/*",
-                    "arn:aws:aoss:region:accountId:collection/ARN"
-                ]
-            }
-        ]
-    }
-    
-
@@ -197,27 +147,0 @@ The role must also have the following trust policy, which specifies the target I
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "TrustPolicyForAmazonOpenSearchDirectQueryService",
-                "Effect": "Allow",
-                "Principal": {
-                    "Service": "directquery.opensearchservice.amazonaws.com"
-                },
-                "Action": "sts:AssumeRole",
-                "Condition": {
-                    "ArnLike": {
-                        "aws:SourceArn": "arn:aws:opensearch:us-east-1::datasource/rolename"
-                    }
-                }
-            }
-        ]
-    }
-    
-