AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2026-07-07 · Documentation low

File: opensearch-service/latest/developerguide/fgac-http-auth.md

Summary

Added note about policy evaluation differences between HTTP Basic Auth and SigV4 requests

Security assessment

Clarifies security behavior of authentication methods. Important for secure configuration but not vulnerability-specific.

Diff

diff --git a/opensearch-service/latest/developerguide/fgac-http-auth.md b/opensearch-service/latest/developerguide/fgac-http-auth.md
index 0c5b41479..4e8c52866 100644
--- a//opensearch-service/latest/developerguide/fgac-http-auth.md
+++ b//opensearch-service/latest/developerguide/fgac-http-auth.md
@@ -12,0 +13,4 @@ This tutorial covers another popular [fine-grained access control](./fgac.html)
+###### Note
+
+When using HTTP Basic Authentication with a resource-based access policy that specifies an IAM principal, unsigned requests authenticated via HTTP Basic Auth are handled solely by the fine-grained access control internal user database. Signed requests (using SigV4) are evaluated against both the domain access policy and fine-grained access control. If your access policy specifies a principal such as `"AWS": "arn:aws:iam::111122223333:root"`, only SigV4-signed requests from that account will be allowed by the access policy, while HTTP Basic Auth requests bypass the access policy and are controlled entirely by fine-grained access control roles.
+