AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2026-01-16 · Documentation medium

File: opensearch-service/latest/developerguide/serverless-encryption.md

Summary

Added documentation about KMS key specification precedence and maintenance operations. Clarified KMSKeyInaccessibleException conditions.

Security assessment

The change documents encryption key management behaviors and error conditions, enhancing security feature documentation. No evidence of addressing specific vulnerabilities, but improves understanding of encryption operations.

Diff

diff --git a/opensearch-service/latest/developerguide/serverless-encryption.md b/opensearch-service/latest/developerguide/serverless-encryption.md
index 5771709eb..96579278c 100644
--- a//opensearch-service/latest/developerguide/serverless-encryption.md
+++ b//opensearch-service/latest/developerguide/serverless-encryption.md
@@ -43,0 +44,2 @@ When you create an encryption policy, you can either specify a _prefix_ , which
+When creating a collection, you can specify an AWS KMS key in two ways: through security policies or directly in the `CreateCollection` request. If you provide a AWS KMS key as part of the `CreateCollection` request, it takes precedence over any matching security policies. With this approach, you have the flexibility to override policy-based encryption settings for specific collections when needed.
+
@@ -165,0 +168,4 @@ If you select a [customer managed key](https://docs.aws.amazon.com/kms/latest/de
+OpenSearch Serverless makes `GenerateDataKey` and `Decrypt` KMS API calls during maintenance operations such as autoscaling and software updates. You might observe these calls outside your typical traffic patterns. These calls are part of normal service operations and don't indicate active user traffic. 
+
+OpenSearch Serverless throws a `KMSKeyInaccessibleException` when it cannot access the KMS key that encrypts your data at rest. This occurs when you disable or delete the KMS key, or revoke the grants that allow OpenSearch Serverless to use the key.
+