AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2025-11-22 · Documentation medium

File: opensearch-service/latest/developerguide/serverless-vpc.md

Summary

Added comprehensive documentation on using AWS PrivateLink/VPC endpoints for secure access to OpenSearch Serverless, including setup procedures and policy examples

Security assessment

The change adds significant documentation about network security features (PrivateLink/VPC endpoints) but doesn't address a specific vulnerability. It enhances security documentation by explaining how to implement private network access, which reduces exposure to internet-based attacks.

Diff

diff --git a/opensearch-service/latest/developerguide/serverless-vpc.md b/opensearch-service/latest/developerguide/serverless-vpc.md
index 513ed0df7..f79a7055b 100644
--- a//opensearch-service/latest/developerguide/serverless-vpc.md
+++ b//opensearch-service/latest/developerguide/serverless-vpc.md
@@ -5 +5 @@
-DNS resolution of collection endpointsVPCs and network access policiesVPCs and endpoint policiesConsiderationsPermissions requiredCreate an interface endpointShared VPC setup for Amazon OpenSearch Serverless
+Creating Collection/Policies using PrivateLinkDNS resolution of collection endpointsVPCs and network access policiesVPCs and endpoint policiesConsiderationsPermissions requiredCreate an interface endpointShared VPC setup for Amazon OpenSearch Serverless
@@ -16,0 +17,2 @@ For more information, see [Access AWS services through AWS PrivateLink](https://
+  * Creating Collection/Policies using PrivateLink
+
@@ -33,0 +36,101 @@ For more information, see [Access AWS services through AWS PrivateLink](https://
+## Creating Collection/Policies using PrivateLink
+
+You can improve the security posture of your VPC by configuring OpenSearch Serverless to use an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink. This technology enables you to privately access OpenSearch Serverless APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
+
+For more information about AWS PrivateLink and VPC endpoints, see [VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html#concepts-vpc-endpoints) in the Amazon VPC User Guide.
+
+### Considerations
+
+  * VPC endpoints are supported within the same Region only.
+
+  * VPC endpoints only support Amazon-provided DNS through Amazon Route 53.
+
+  * VPC endpoints support endpoint policies to control access to OpenSearch Serverless Collections, Policies and VpcEndpoints.
+
+  * OpenSearch Serverless supports interface endpoints only. Gateway endpoints are not supported.
+
+
+
+
+### Creating the VPC endpoint for OpenSearch Serverless
+
+To create the VPC endpoint for Amazon OpenSearch Serverless, use the [Access an AWS service using an interface VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint) procedure in the __. Create the following endpoint:
+
+  * `com.amazonaws.region.aoss`
+
+
+
+
+To create a VPC endpoint using the console
+
+  * Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
+
+  * In the navigation pane, choose Endpoints.
+
+  * Choose Create Endpoint.
+
+  * For Service category, choose AWS services.
+
+  * For Services, choose `com.amazonaws.<region>.aoss`. Example: `com.amazonaws.us-east-1.aoss`
+
+  * For VPC, choose the VPC in which to create the endpoint.
+
+  * For Subnets, choose the subnets (Availability Zones) in which to create the endpoint network interfaces.
+
+  * For Security groups, choose the security groups to associate with the endpoint network interfaces. Ensure HTTPS (port 443) is allowed.
+
+  * For Policy, choose Full access to allow all operations, or choose Custom to attach a custom policy.
+
+  * Choose Create endpoint.
+
+
+
+
+### Creating an endpoint policy for your VPC endpoint
+
+You can attach an endpoint policy to your VPC endpoint that controls access to Amazon OpenSearch Serverless. The policy specifies the following information:
+
+  * The principal that can perform actions.
+
+  * The actions that can be performed.
+
+  * The resources on which actions can be performed.
+
+
+
+
+For more information, see [Controlling access to services with VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) in the _Amazon VPC User Guide_.
+
+Example: VPC endpoint policy for OpenSearch Serverless
+    
+    
+    {  
+      "Version": "2012-10-17",		 	 	   
+      "Statement": [  
+        {  
+          "Effect": "Allow",  
+          "Principal": "*",  
+          "Action": [  
+            "aoss:ListCollections",  
+            "aoss:BatchGetCollection"  
+          ],  
+          "Resource": "*"  
+        }  
+      ]  
+    }
+
+Example: Restrictive policy allowing only list operations
+    
+    
+    {  
+      "Version": "2012-10-17",		 	 	   
+      "Statement": [  
+        {  
+          "Effect": "Allow",  
+          "Principal": "*",  
+          "Action": "aoss:ListCollections",  
+          "Resource": "*"  
+        }  
+      ]  
+    }
+