AWS opensearch-service documentation change
Summary
Added instructions for customizing encryption settings during collection creation and updated OCU sharing constraints
Security assessment
The change documents encryption customization capabilities (security feature) but doesn't address a specific vulnerability. The OCU update clarifies operational constraints without security implications.
Diff
diff --git a/opensearch-service/latest/developerguide/serverless-encryption.md b/opensearch-service/latest/developerguide/serverless-encryption.md index c321e7e71..288f28e8f 100644 --- a//opensearch-service/latest/developerguide/serverless-encryption.md +++ b//opensearch-service/latest/developerguide/serverless-encryption.md @@ -83,0 +84,8 @@ Even if a policy matches a collection name, you can choose to override this auto +To override the automatic encryption policy assignment during collection creation using the console, choose **Customize encryption settings** when creating a collection and select your preferred AWS KMS key. Using the AWS CLI, include the `--encryption-policy-name` parameter in the `CreateCollection` request, or specify the `kmsKeyArn` directly: + + + aws opensearchserverless create-collection \ + --name my-collection \ + --type SEARCH \ + --encryption-policy-name my-encryption-policy + @@ -102 +110 @@ Consider the following when you configure encryption for your collections: - * Collections with unique KMS keys can't share OpenSearch Compute Units (OCUs) with other collections. Each collection with a unique key requires its own 4 OCUs. + * Collections with unique KMS keys can't share OpenSearch Compute Units (OCUs) with other collections unless they are part of the same collection group. Each collection with a unique key that is not in a collection group requires its own OCUs. For more information, see [Collection groups](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-collection-groups.html).