AWS Security ChangesHomeSearch

AWS opensearch-service documentation change

Service: opensearch-service · 2026-07-07 · Documentation low

File: opensearch-service/latest/developerguide/fgac-iam.md

Summary

Added IAM policy requirements for Cognito roles

Security assessment

Documents required permissions for secure access control. Prevents permission errors but doesn't fix vulnerabilities.

Diff

diff --git a/opensearch-service/latest/developerguide/fgac-iam.md b/opensearch-service/latest/developerguide/fgac-iam.md
index 874d72261..c97c554e1 100644
--- a//opensearch-service/latest/developerguide/fgac-iam.md
+++ b//opensearch-service/latest/developerguide/fgac-iam.md
@@ -81,0 +82,14 @@ Replace `identity-pool-id` with the unique identifier of your Amazon Cognito ide
+Both roles also need an identity-based permissions policy that allows access to the OpenSearch domain. Attach the following policy to both `MasterUserRole` and `LimitedUserRole`:
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "es:ESHttp*",
+          "Resource": "arn:aws:es:us-east-1:111122223333:domain/domain-name/*"
+        }
+      ]
+    }
+