AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-08-28 · Documentation medium

File: opensearch-service/latest/developerguide/direct-query-security-lake-creating.md

Summary

Added requirements for LakeFormation permissions (DESCRIBE/SELECT) when querying Security Lake data

Security assessment

The change explicitly documents required granular permissions for secure access to Security Lake resources, improving security guidance but not addressing a specific vulnerability.

Diff

diff --git a/opensearch-service/latest/developerguide/direct-query-security-lake-creating.md b/opensearch-service/latest/developerguide/direct-query-security-lake-creating.md
index 76835826b..7ce235c59 100644
--- a//opensearch-service/latest/developerguide/direct-query-security-lake-creating.md
+++ b//opensearch-service/latest/developerguide/direct-query-security-lake-creating.md
@@ -141 +141 @@ When creating a data source, you choose an IAM role to manage access to your dat
-If you use a manually created role, you need to attach the correct permissions to the role. The permissions must allow access to the specific data source, and allow OpenSearch Service to assume the role. This is required so that the OpenSearch Service can securely access and interact with your data. 
+If you use a manually created role, you need to attach the correct permissions to the role. The permissions must allow access to the specific data source, and allow OpenSearch Service to assume the role so that OpenSearch Service can securely access and interact with your data. Additionally, grant LakeFormation permissions to the role for any databases and tables that you want to query. Grant `DESCRIBE` permissions to the role on SecurityLake databases that you want to query from the direct query connection. Grant at least `SELECT` and `DESCRIBE` permissions to the data source role for tables within the database.