AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2026-05-01 · Documentation medium

File: opensearch-service/latest/developerguide/application-cross-account-data-access-domains.md

Summary

Updated documentation for cross-account data access in OpenSearch UI, adding detailed explanation of cross-account role assumption using Forwarded Access Sessions, clarifying that cross-account role is only used during data source association, and emphasizing requirement for fine-grained access control on target domains. Updated example access policies to restrict access to source account instead of wildcard.

Security assessment

The changes clarify security boundaries and best practices but don't indicate a specific security vulnerability was fixed. The updates emphasize that the cross-account role is only for validation (not data plane access), require fine-grained access control, and show how to properly restrict access policies. These are security improvements to documentation but not evidence of a security incident.

Diff

diff --git a/opensearch-service/latest/developerguide/application-cross-account-data-access-domains.md b/opensearch-service/latest/developerguide/application-cross-account-data-access-domains.md
index 3c48e79ce..b80e45d0c 100644
--- a//opensearch-service/latest/developerguide/application-cross-account-data-access-domains.md
+++ b//opensearch-service/latest/developerguide/application-cross-account-data-access-domains.md
@@ -7 +7 @@
-Key conceptsPrerequisitesScenariosScenario 1: IAM user accessing a public domainScenario 2: IAM Identity Center user accessing a public domainScenario 3: IAM user accessing a VPC domainScenario 4: IAM Identity Center user accessing a VPC domainManaging applicationsQuick referenceImportant notesTroubleshooting
+Key conceptsHow cross-account role assumption worksPrerequisitesScenariosScenario 1: IAM user accessing a public domainScenario 2: IAM Identity Center user accessing a public domainScenario 3: IAM user accessing a VPC domainScenario 4: IAM Identity Center user accessing a VPC domainManaging applicationsQuick referenceImportant notesTroubleshooting
@@ -11 +11 @@ Key conceptsPrerequisitesScenariosScenario 1: IAM user accessing a public domain
-You can configure your OpenSearch UI applications in one account to access OpenSearch domains in different accounts. When you create an OpenSearch UI application with cross-account data sources, you provide an `iamRoleForDataSourceArn` that points to an IAM role in the target account. OpenSearch UI validates the request by assuming this role and calling `es:DescribeDomain` to verify domain accessibility. The cross-account role is used only for control plane validation. Data plane access is controlled separately by the target domain's access policy.
+You can configure your OpenSearch UI applications in one account to access OpenSearch domains in different accounts. When you create an OpenSearch UI application with cross-account data sources, you provide an `iamRoleForDataSourceArn` that points to an IAM role in the target account. OpenSearch UI validates the request by assuming this role and calling `es:DescribeDomain` to verify domain accessibility. The cross-account role is used only during data source association. Data plane access is controlled separately by the target domain's access policy.
@@ -13,3 +13 @@ You can configure your OpenSearch UI applications in one account to access OpenS
-###### Sample code
-
-The code examples in this topic are for illustration purposes only. They demonstrate basic functionality and may not include error handling, security best practices, or production-ready features. Before using sample code in production, review and modify it to meet your specific requirements, and test thoroughly in your environment.
+Cross-account data source support requires fine-grained access control to be enabled on the target domain. Fine-grained access control provides an additional authorization layer beyond the domain access policy, allowing you to control access to individual indices, documents, and fields.
@@ -32 +30 @@ Cross-account role
-An IAM role in the target account that is used for control plane validation only. This role requires only the `es:DescribeDomain` permission.
+An IAM role in the target account that is used during data source association only. OpenSearch UI assumes this role to call `es:DescribeDomain`, which retrieves the domain endpoint and verifies that fine-grained access control is enabled. This is a discovery and validation step, not a security boundary. The cross-account role is never used for data plane access. After association, all data plane requests are authorized by the domain's access policy and backend role mappings, independent of the cross-account role.
@@ -38,0 +37,22 @@ An IAM role in the source account that is used for IAM Identity Center user data
+## How cross-account role assumption works
+
+When you create or update an OpenSearch UI application with a cross-account data source, OpenSearch UI assumes the cross-account role in the target account using Forwarded Access Sessions ([FAS](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html)). FAS propagates the calling principal's own IAM identity to the `sts:AssumeRole` call. This means:
+
+  * The target account's trust policy controls which source account principals can assume the cross-account role.
+
+  * The assumed role session carries the identity of the caller who initiated the `CreateApplication` or `UpdateApplication` request.
+
+  * The cross-account role is assumed only during association to call `es:DescribeDomain`. It is not used for any subsequent data plane operations.
+
+
+
+
+For data plane access:
+
+  * IAM users sign requests with their own IAM credentials. The target domain's access policy authorizes these requests directly.
+
+  * IAM Identity Center users have their requests signed with the IAM Identity Center application role (`iamRoleForIdentityCenterApplicationArn`) in the source account. The target domain's access policy and backend role mappings authorize these requests.
+
+
+
+
@@ -46,0 +67,2 @@ Before you set up cross-account data access, ensure that you have the following:
+  * OpenSearch domains with [fine-grained access control](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html) enabled. Cross-account data source association is not supported for domains without fine-grained access control.
+
@@ -129 +151 @@ Create an OpenSearch domain in the target account with fine-grained access contr
-      --access-policies '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},"Action":"es:ESHttp*","Resource":"arn:aws:es:region:target-account-id:domain/domain-name/*"}]}' \
+      --access-policies '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::source-account-id:root"},"Action":"es:ESHttp*","Resource":"arn:aws:es:region:target-account-id:domain/domain-name/*"}]}' \
@@ -131,0 +154,4 @@ Create an OpenSearch domain in the target account with fine-grained access contr
+###### Note
+
+This access policy scopes data plane access to IAM principals from the source account. For more restrictive access, replace the account root principal with specific IAM user or role ARNs. Fine-grained access control provides an additional authorization layer for controlling access to indices and documents.
+
@@ -479 +505 @@ Learn more about [VPC domain creation](https://docs.aws.amazon.com/opensearch-se
-      --access-policies '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},"Action":"es:ESHttp*","Resource":"arn:aws:es:region:target-account-id:domain/vpc-domain-name/*"}]}' \
+      --access-policies '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::source-account-id:root"},"Action":"es:ESHttp*","Resource":"arn:aws:es:region:target-account-id:domain/vpc-domain-name/*"}]}' \
@@ -481,0 +508,4 @@ Learn more about [VPC domain creation](https://docs.aws.amazon.com/opensearch-se
+###### Note
+
+This access policy scopes data plane access to IAM principals from the source account. For more restrictive access, replace the account root principal with specific IAM user or role ARNs. Fine-grained access control provides an additional authorization layer for controlling access to indices and documents.
+
@@ -906,0 +937,2 @@ OpenSearch UI application configuration | No IAM Identity Center options | `--ia
+  * Cross-account data source association requires fine-grained access control to be enabled on the target domain.
+
@@ -928 +960 @@ Cross-Region and cross-account data access
-Cross-cluster search
+Cross-Region Data Access to OpenSearch Domains