AWS opensearch-service documentation change
Summary
Added documentation for 'aws:SecureTransport' condition key in resource-based policies to enforce HTTPS connections.
Security assessment
The change explicitly documents a security feature (enforcing encrypted transport) using a global condition key. While it enhances security guidance by showing how to require HTTPS, there's no evidence it addresses a specific vulnerability or incident.
Diff
diff --git a/opensearch-service/latest/developerguide/ac.md b/opensearch-service/latest/developerguide/ac.md index 2a416429a..0cbbd666e 100644 --- a//opensearch-service/latest/developerguide/ac.md +++ b//opensearch-service/latest/developerguide/ac.md @@ -460 +460,6 @@ To learn more about pairing actions and resources, see the `Resource` element in -As noted in Identity-based policies, the `aws:ResourceTag`, `aws:RequestTag`, and `aws:TagKeys` condition keys apply to the configuration API as well as the OpenSearch APIs. +As noted in Identity-based policies, the `aws:ResourceTag`, `aws:RequestTag`, and `aws:TagKeys` condition keys apply to the configuration API as well as the OpenSearch APIs. Amazon OpenSearch Service also supports the `aws:SecureTransport` global condition key in resource-based access policies. You can use `aws:SecureTransport` to require that requests to your domain be made over HTTPS. For example: + + + "Condition": { "Bool": { "aws:SecureTransport": "true" } } + +For more information about condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the _IAM User Guide_.