AWS opensearch-service documentation change
Summary
Simplified IAM permissions by removing condition blocks requiring 'aws:CalledVia' constraints for OpenSearch Service direct query operations.
Security assessment
The change removes IAM condition blocks that enforced service-specific access restrictions. While this broadens permissions, there's no evidence of a security vulnerability being addressed. The modification appears to simplify policy configuration rather than fix a security flaw.
Diff
diff --git a/opensearch-service/latest/developerguide/direct-query-prometheus-creating.md b/opensearch-service/latest/developerguide/direct-query-prometheus-creating.md index 657c4a98f..b4dab5e82 100644 --- a//opensearch-service/latest/developerguide/direct-query-prometheus-creating.md +++ b//opensearch-service/latest/developerguide/direct-query-prometheus-creating.md @@ -144,8 +144 @@ Attach the following permissions to your IAM role to allow OpenSearch Service to - "Resource": "arn:aws:aps:region:account-id:workspace/workspace-id", - "Condition": { - "ForAnyValue:StringEquals": { - "aws:CalledVia": [ - "directquery.opensearchservice.amazonaws.com" - ] - } - } + "Resource": "arn:aws:aps:region:account-id:workspace/workspace-id" @@ -159,8 +152 @@ Attach the following permissions to your IAM role to allow OpenSearch Service to - "Resource": "*", - "Condition": { - "ForAnyValue:StringEquals": { - "aws:CalledVia": [ - "directquery.opensearchservice.amazonaws.com" - ] - } - } + "Resource": "*"