AWS opensearch-service high security documentation change
Summary
Added warning about open access policies on VPC domains accepting unsigned HTTP requests
Security assessment
The change highlights a security risk where VPC domains with open access policies permit unsigned requests, potentially enabling unauthorized access if security groups are misconfigured. This documents a security implication of configuration choices.
Diff
diff --git a/opensearch-service/latest/developerguide/ac.md b/opensearch-service/latest/developerguide/ac.md index 0cbbd666e..e0805c1ca 100644 --- a//opensearch-service/latest/developerguide/ac.md +++ b//opensearch-service/latest/developerguide/ac.md @@ -312,0 +313,2 @@ If you enabled VPC access for your domain, you can't configure an IP-based polic +If you use an open access policy on a VPC domain without specifying an AWS principal, the domain accepts unsigned HTTP requests from any traffic that the security group permits. For more information, see [About access policies on VPC domains](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/vpc.html#vpc-security). +