AWS opensearch-service medium security documentation change
Summary
Added 'Access Setup' section detailing fine-grained access control requirements for query insights
Security assessment
Explicitly addresses security misconfigurations (403 errors) by documenting required permissions and role mappings for accessing sensitive query data. Highlights risks of improper access control and references security best practices.
Diff
diff --git a/opensearch-service/latest/developerguide/cluster-insights.md b/opensearch-service/latest/developerguide/cluster-insights.md index b296c4bc0..5e0156c61 100644 --- a//opensearch-service/latest/developerguide/cluster-insights.md +++ b//opensearch-service/latest/developerguide/cluster-insights.md @@ -188,0 +189,15 @@ The **Query View** page helps you monitor resource-intensive queries with: +#### Access Setup + +Viewing Top N queries requires fine-grained access control permissions. Ensure the following: + + * Fine-grained access control is enabled on your domain. + + * Your IAM role (or internal user) is mapped to an OpenSearch role with the required cluster permissions for query insights. + + * For full admin access, map your IAM role ARN as a backend role to both the all_access and security_manager roles. You can do this in OpenSearch Dashboards under Security > Roles > select the role > Mapped users > Manage mapping, or by using the [Security API](https://opensearch.org/docs/latest/security/access-control/api/) (PUT _plugins/_security/api/rolesmapping/all_access). + + + + +Without proper role mappings, users may receive 403 Forbidden errors when attempting to access query insights data. For details, see [Fine-grained access control](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html). +