AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2026-06-07 · Documentation low

File: opensearch-service/latest/developerguide/direct-query-prometheus-creating.md

Summary

Simplified IAM permissions by removing condition blocks requiring 'aws:CalledVia' constraints for OpenSearch Service direct query operations.

Security assessment

The change removes IAM condition blocks that enforced service-specific access restrictions. While this broadens permissions, there's no evidence of a security vulnerability being addressed. The modification appears to simplify policy configuration rather than fix a security flaw.

Diff

diff --git a/opensearch-service/latest/developerguide/direct-query-prometheus-creating.md b/opensearch-service/latest/developerguide/direct-query-prometheus-creating.md
index 657c4a98f..b4dab5e82 100644
--- a//opensearch-service/latest/developerguide/direct-query-prometheus-creating.md
+++ b//opensearch-service/latest/developerguide/direct-query-prometheus-creating.md
@@ -144,8 +144 @@ Attach the following permissions to your IAM role to allow OpenSearch Service to
-                "Resource": "arn:aws:aps:region:account-id:workspace/workspace-id",
-                "Condition": {
-                    "ForAnyValue:StringEquals": {
-                        "aws:CalledVia": [
-                            "directquery.opensearchservice.amazonaws.com"
-                        ]
-                    }
-                }
+                "Resource": "arn:aws:aps:region:account-id:workspace/workspace-id"
@@ -159,8 +152 @@ Attach the following permissions to your IAM role to allow OpenSearch Service to
-                "Resource": "*",
-                "Condition": {
-                    "ForAnyValue:StringEquals": {
-                        "aws:CalledVia": [
-                            "directquery.opensearchservice.amazonaws.com"
-                        ]
-                    }
-                }
+                "Resource": "*"