AWS opensearch-service documentation change
Summary
Updated example policy names and queue URLs to use concrete values (e.g., 'amzn-s3-demo-bucket') instead of placeholders in Security Lake integration documentation.
Security assessment
Clarifies configuration examples for security-related permissions but does not introduce new security features or address vulnerabilities. Improves accuracy of security setup documentation.
Diff
diff --git a/opensearch-service/latest/developerguide/configure-client-source-security-lake.md b/opensearch-service/latest/developerguide/configure-client-source-security-lake.md index e6d73d32f..a488b3104 100644 --- a//opensearch-service/latest/developerguide/configure-client-source-security-lake.md +++ b//opensearch-service/latest/developerguide/configure-client-source-security-lake.md @@ -45 +45 @@ Before you create your OpenSearch Ingestion pipeline, perform the following step -When you create a subscriber, Security Lake automatically creates two inline permissions policies—one for S3 and one for SQS. The policies take the following format: `AmazonSecurityLake-`{12345}`-S3` and `AmazonSecurityLake-`{12345}`-SQS`. To allow your pipeline to access the subscriber sources, you must associate the required permissions with your pipeline role. +When you create a subscriber, Security Lake automatically creates two inline permissions policies—one for S3 and one for SQS. The policies take the following format: `AmazonSecurityLake-`amzn-s3-demo-bucket`-S3` and `AmazonSecurityLake-`AWSDemo`-SQS`. To allow your pipeline to access the subscriber sources, you must associate the required permissions with your pipeline role. @@ -100 +100 @@ You must attach these permissions to the IAM role that you specify in the `sts_r - queue_url: "https://sqs.us-east-1amazonaws.com/account-id/AmazonSecurityLake-abcde-Main-Queue" + queue_url: "https://sqs.us-east-1amazonaws.com/account-id/AmazonSecurityLake-amzn-s3-demo-bucket-Main-Queue" @@ -113 +113 @@ After you add the permissions to the pipeline role, use the preconfigured Securi -You must specify the `queue_url` option within the `s3` source configuration, which is the Amazon SQS queue URL to read from. To format the URL, locate the **Subscription endpoint** in the subscriber configuration and change `arn:aws:` to `https://`. For example, `https://sqs.`us-east-1`amazonaws.com/`account-id`/AmazonSecurityLake-`abdcef`-Main-Queue`. +You must specify the `queue_url` option within the `s3` source configuration, which is the Amazon SQS queue URL to read from. To format the URL, locate the **Subscription endpoint** in the subscriber configuration and change `arn:aws:` to `https://`. For example, `https://sqs.`us-east-1`amazonaws.com/`account-id`/AmazonSecurityLake-`AWSDemo`-Main-Queue`.