AWS opensearch-service documentation change
Summary
Added note about policy evaluation differences between HTTP Basic Auth and SigV4 requests
Security assessment
Clarifies security behavior of authentication methods. Important for secure configuration but not vulnerability-specific.
Diff
diff --git a/opensearch-service/latest/developerguide/fgac-http-auth.md b/opensearch-service/latest/developerguide/fgac-http-auth.md index 0c5b41479..4e8c52866 100644 --- a//opensearch-service/latest/developerguide/fgac-http-auth.md +++ b//opensearch-service/latest/developerguide/fgac-http-auth.md @@ -12,0 +13,4 @@ This tutorial covers another popular [fine-grained access control](./fgac.html) +###### Note + +When using HTTP Basic Authentication with a resource-based access policy that specifies an IAM principal, unsigned requests authenticated via HTTP Basic Auth are handled solely by the fine-grained access control internal user database. Signed requests (using SigV4) are evaluated against both the domain access policy and fine-grained access control. If your access policy specifies a principal such as `"AWS": "arn:aws:iam::111122223333:root"`, only SigV4-signed requests from that account will be allowed by the access policy, while HTTP Basic Auth requests bypass the access policy and are controlled entirely by fine-grained access control roles. +