AWS opensearch-service documentation change
Summary
Added IAM policy requirements for Cognito roles
Security assessment
Documents required permissions for secure access control. Prevents permission errors but doesn't fix vulnerabilities.
Diff
diff --git a/opensearch-service/latest/developerguide/fgac-iam.md b/opensearch-service/latest/developerguide/fgac-iam.md index 874d72261..c97c554e1 100644 --- a//opensearch-service/latest/developerguide/fgac-iam.md +++ b//opensearch-service/latest/developerguide/fgac-iam.md @@ -81,0 +82,14 @@ Replace `identity-pool-id` with the unique identifier of your Amazon Cognito ide +Both roles also need an identity-based permissions policy that allows access to the OpenSearch domain. Attach the following policy to both `MasterUserRole` and `LimitedUserRole`: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "es:ESHttp*", + "Resource": "arn:aws:es:us-east-1:111122223333:domain/domain-name/*" + } + ] + } +