AWS opensearch-service medium security documentation change
Summary
Removed AWS CLI FIPS configuration section, updated endpoint examples to use 'AWS Region' placeholder, added Python SDK code example with AWSV4SignerAuth, and streamlined FIPS endpoint documentation
Security assessment
The changes focus on FIPS-compliant endpoint usage, which is a security-related compliance standard. Removing CLI references while emphasizing SDK authentication (AWSV4SignerAuth) and endpoint validation aligns with cryptographic module requirements. FIPS documentation directly addresses federal security standards.
Diff
diff --git a/opensearch-service/latest/developerguide/fips-compliance-opensearch-serverless.md b/opensearch-service/latest/developerguide/fips-compliance-opensearch-serverless.md index 2f0147a2b..db5e2050a 100644 --- a//opensearch-service/latest/developerguide/fips-compliance-opensearch-serverless.md +++ b//opensearch-service/latest/developerguide/fips-compliance-opensearch-serverless.md @@ -5 +5 @@ -Using FIPS endpoints with OpenSearch ServerlessUse FIPS endpoints with the AWS CLIUse FIPS endpoints with AWS SDKsConfigure security groups for VPC endpointsUse the FIPS VPC endpointVerify FIPS compliance +Using FIPS endpoints with OpenSearch ServerlessUse FIPS endpoints with AWS SDKsConfigure security groups for VPC endpointsUse the FIPS VPC endpointVerify FIPS compliance @@ -17,2 +16,0 @@ OpenSearch Serverless FIPS endpoints are available in AWS Regions where FIPS is - * Use FIPS endpoints with the AWS CLI - @@ -36 +34 @@ In AWS Regions where FIPS is supported, OpenSearch Serverless collections are ac -In the following examples, replace `collection_id` and `region` with your collection ID and its AWS Region. +In the following examples, replace `collection_id` and `AWS Region` with your collection ID and its AWS Region. @@ -38 +36 @@ In the following examples, replace `collection_id` and `region` with your collec - * **Standard endpoint** – `https://`collection_id`.`region`.aoss.amazonaws.com`. + * **Standard endpoint** – `https://`collection_id`.`AWS Region`.aoss.amazonaws.com`. @@ -40 +38 @@ In the following examples, replace `collection_id` and `region` with your collec - * **FIPS-compliant endpoint** – `https://`collection_id`.`region`.aoss-fips.amazonaws.com`. + * **FIPS-compliant endpoint** – `https://`collection_id`.`AWS Region`.aoss-fips.amazonaws.com`. @@ -47,5 +45 @@ Similarly, OpenSearch Dashboards are accessible through both standard and FIPS-c - * **Standard Dashboards endpoint** – `https://`collection_id`.`region`.aoss.amazonaws.com/_dashboards`. - - * **FIPS-compliant Dashboards endpoint** – `https://`collection_id`.`region`.aoss-fips.amazonaws.com/_dashboards`. - - + * **Standard Dashboards endpoint** – `https://`collection_id`.`AWS Region`.aoss.amazonaws.com/_dashboards`. @@ -52,0 +47 @@ Similarly, OpenSearch Dashboards are accessible through both standard and FIPS-c + * **FIPS-compliant Dashboards endpoint** – `https://`collection_id`.`AWS Region`.aoss-fips.amazonaws.com/_dashboards`. @@ -54 +48,0 @@ Similarly, OpenSearch Dashboards are accessible through both standard and FIPS-c -For API operations, the FIPS-compliant endpoint follows this format: @@ -56 +49,0 @@ For API operations, the FIPS-compliant endpoint follows this format: -`aoss-fips.`region`.amazonaws.com` @@ -58,3 +50,0 @@ For API operations, the FIPS-compliant endpoint follows this format: -The following is an example endpoint in the US East (N. Virginia) Region: - -`aoss-fips.us-east-1.amazonaws.com` @@ -66,16 +55,0 @@ In FIPS-enabled Regions, both standard and FIPS-compliant endpoints provide FIPS -## Use FIPS endpoints with the AWS CLI - -To configure the AWS CLI to use FIPS endpoints for OpenSearch Serverless operations, set the `--endpoint-url` parameter to the FIPS endpoint when making API calls: - - - aws opensearchserverless create-collection \ - --name my-collection \ - --type SEARCH \ - --endpoint-url https://aoss-fips.us-east-1.amazonaws.com - -You can also configure the AWS CLI to always use FIPS endpoints for OpenSearch Serverless by adding the following to your AWS CLI configuration file (`~/.aws/config`): - - - [profile your-profile-name] - aoss-fips = true - @@ -84,10 +58 @@ You can also configure the AWS CLI to always use FIPS endpoints for OpenSearch S -When using AWS SDKs, you can specify the FIPS endpoint when creating the client: - - - // Java SDK example - AmazonOpenSearchServerlessClientBuilder clientBuilder = AmazonOpenSearchServerlessClientBuilder.standard() - .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration( - "https://aoss-fips.us-east-1.amazonaws.com", - "us-east-1")) - .withCredentials(credentialsProvider); - AmazonOpenSearchServerless client = clientBuilder.build(); +When using AWS SDKs, you can specify the FIPS endpoint when creating the client. In the following example, replace `collection_id` and `AWS Region` with your collection ID and its AWS Region. @@ -96,0 +62 @@ When using AWS SDKs, you can specify the FIPS endpoint when creating the client: + from opensearchpy import OpenSearch, RequestsHttpConnection, AWSV4SignerAuth @@ -98,4 +64,12 @@ When using AWS SDKs, you can specify the FIPS endpoint when creating the client: - client = boto3.client( - 'opensearchserverless', - region_name='us-east-1', - endpoint_url='https://aoss-fips.us-east-1.amazonaws.com' + host = '"https://collection_id.AWS Region.aoss-fips.amazonaws.com" + region = 'us-west-2' + service = 'aoss' + credentials = boto3.Session().get_credentials() + auth = AWSV4SignerAuth(credentials, region, service) + client = OpenSearch( + hosts = [{'host': host, 'port': 443}], + http_auth = auth, + use_ssl = True, + verify_certs = True, + connection_class = RequestsHttpConnection, + pool_maxsize = 20 @@ -110 +84 @@ To ensure proper communication with your FIPS-compliant Amazon VPC (VPC) endpoin -After creating the FIPS-compliant VPC endpoint, you can use it to access OpenSearch Serverless from resources within your VPC. To use the endpoint for API operations, configure your AWS CLI or SDK to use the regional FIPS endpoint as described in the Using FIPS endpoints with OpenSearch Serverless section. For OpenSearch Dashboards access, use the collection-specific Dashboards URL, which will automatically route through the FIPS-compliant VPC endpoint when accessed from within your VPC. For more information, see [Using OpenSearch Dashboards with Amazon OpenSearch Service](./dashboards.html). +After creating the FIPS-compliant VPC endpoint, you can use it to access OpenSearch Serverless from resources within your VPC. To use the endpoint for API operations, configure your SDK to use the Regional FIPS endpoint as described in the Using FIPS endpoints with OpenSearch Serverless section. For OpenSearch Dashboards access, use the collection-specific Dashboards URL, which will automatically route through the FIPS-compliant VPC endpoint when accessed from within your VPC. For more information, see [Using OpenSearch Dashboards with Amazon OpenSearch Service](./dashboards.html).