AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2026-05-19 · Documentation low

File: solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md

Summary

Updated security documentation to reflect migration from ECS to EKS architecture, added details on IRSA roles, expanded secrets management guidance, and introduced new section on fine-grained access control configuration.

Security assessment

Changes document security features like IRSA role implementation, Kubernetes secrets management, and FGAC configuration without referencing any specific vulnerability fix. The updates enhance security documentation but don't address a disclosed security incident.

Diff

diff --git a/solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md b/solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md
index 4bf2e8378..17962417e 100644
--- a//solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md
+++ b//solutions/latest/migration-assistant-for-amazon-opensearch-service/security-1.md
@@ -7 +7 @@
-IAM rolesSecurity groupsAWS Secrets Manager
+IAM rolesSecurity groupsAWS Secrets ManagerFine-grained access control
@@ -15 +15 @@ When you build systems on AWS infrastructure, security responsibilities are shar
-AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution aims to create IAM roles with least privilege where resource access is required. This includes allowing some required Migration ECS services to produce/consume from MSK, make requests to the target cluster, and access provided secrets stored within AWS Secrets Manager needed for target cluster authentication and authorization.
+AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This solution aims to create IAM roles with least privilege where resource access is required. The Amazon EKS deployment uses [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to associate IAM roles with the Kubernetes service accounts used by the Migration Console pod (`migration-console-access-role`) and the Argo workflow executor pods (`argo-workflow-executor`). This means the Migration Console and the migration jobs can authenticate to Amazon OpenSearch Service, Amazon OpenSearch Serverless, Amazon S3, AWS Secrets Manager, and other AWS services without long-lived credentials.
@@ -19 +19 @@ AWS Identity and Access Management (IAM) roles allow customers to assign granula
-The solution creates security groups designed to control and isolate network traffic between Migration ECS containers, as well as between certain Migration ECS containers and associated services such as Amazon MSK, Amazon OpenSearch Service, and Amazon EFS. We recommend that you review the security groups and further restrict access as needed once the deployment is up and running.
+The solution creates security groups designed to control and isolate network traffic between Migration Assistant pods on Amazon EKS, as well as between certain Migration Assistant pods and associated services such as Amazon S3 (via VPC endpoints), Amazon OpenSearch Service, Amazon OpenSearch Serverless, and Amazon EFS. We recommend that you review the security groups and further restrict access as needed once the deployment is up and running. For source and target clusters, the source and target security groups must allow inbound traffic from the Amazon EKS cluster security group.
@@ -23 +23,5 @@ The solution creates security groups designed to control and isolate network tra
-Migration Assistant for Amazon OpenSearch Service allows accessing stored secrets from AWS Secrets Manager in the Migration Management Console, Traffic Replayer, and Reindex-from-Snapshot containers. Accessing these secrets allows for proper authentication when migrating data from source to target, and for observing migration status.
+Migration Assistant for Amazon OpenSearch Service allows accessing stored secrets from AWS Secrets Manager from the Migration Console pod, the Argo workflow executor pods, and the Reindex-from-Snapshot, Capture Proxy, and Traffic Replayer workloads. Accessing these secrets allows for proper authentication when migrating data from source to target on Amazon OpenSearch Service or Amazon OpenSearch Serverless, and for observing migration status. Use `kubectl create secret generic` to create Kubernetes secrets in the `ma` namespace and reference them in `authConfig.basic.secretName` in your workflow configuration.
+
+## Fine-grained access control
+
+If your Amazon OpenSearch Service domain has fine-grained access control (FGAC) enabled, the Migration Assistant IAM role must be mapped to a security role on the domain (typically `all_access` during migration, then scoped down). Authentication gets you to the domain; FGAC authorizes what you can do once you are in. Both must be in place. The role mapping API path differs by engine: Elasticsearch 7.x uses `/_opendistro/_security/api/rolesmapping/role`, and OpenSearch 1.x and later uses `/_plugins/_security/api/rolesmapping/role`. See [Troubleshooting](./troubleshooting.html) for details.