AWS opensearch-service medium security documentation change
Summary
Removed collection admin policy example and added VpcSourceIp condition context
Security assessment
The addition of 'aws:VpcSourceIp' condition context demonstrates improved security controls for IP-based access restrictions. The removed deny policy example could reduce clarity but doesn't indicate a vulnerability.
Diff
diff --git a/opensearch-service/latest/developerguide/security-iam-serverless.md b/opensearch-service/latest/developerguide/security-iam-serverless.md index 7666162eb..7f1f52f0a 100644 --- a//opensearch-service/latest/developerguide/security-iam-serverless.md +++ b//opensearch-service/latest/developerguide/security-iam-serverless.md @@ -282,33 +281,0 @@ This policy is an example of a "collection admin" policy that allows a user to m -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Resource": "arn:aws:aoss:us-east-1::collection/*", - "Action": [ - "aoss:CreateCollection", - "aoss:DeleteCollection", - "aoss:UpdateCollection" - ], - "Effect": "Allow" - }, - { - "Resource": "*", - "Action": [ - "aoss:BatchGetCollection", - "aoss:ListCollections", - "aoss:CreateAccessPolicy", - "aoss:CreateSecurityPolicy" - ], - "Effect": "Allow" - } - ] - } - - @@ -429,0 +397,2 @@ Both `aoss:APIAccessAll` and `aoss:DashboardsAccessAll` give full IAM permission + * `aws:VpcSourceIp` + @@ -499,27 +467,0 @@ The following policy is an example to deny attached principals to access data pl -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Deny", - "Action": [ - "aoss:APIAccessAll", - "aoss:DashboardsAccessAll", - ], - "Resource": "arn:aws:aoss:region:account-id:collection/collection-id", - "Condition": { - "StringEquals": { - "aws:ResourceTag/environment": "production" - } - } - } - ] - } - -