1 Answer
0
Fine-grained access control offers additional ways of controlling access to your data on Amazon OpenSearch Service. For example, depending on who makes the request, you might want a search to return results from only one index. You might want to hide certain fields in your documents or exclude certain documents altogether.
Fine-grained access control offers the following benefits:
- Role-based access control
- Security at the index, document, and field level
- OpenSearch Dashboards multi-tenancy
- HTTP basic authentication for OpenSearch and OpenSearch Dashboards
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html
After you enable FGAC, you also need authentication in addition to networking connectivity (security group is open, as you said).
Here is an example of an OpenSearch access policy that allows access from IP range 192.0.2.0/24 for all AWS principals:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "es:ESHttp*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24"
          ]
        }
      },
      "Resource": "arn:aws:es:us-west-1:987654321098:domain/test-domain/*"
    }
  ]
}
```
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html
Please accept the answer if it was useful.
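As an added example (not part of the original answer, and not AWS tooling): a small Python audit of the access policy shown in the answer. It flags wildcard-principal `Allow` statements that have no `aws:SourceIp` restriction or an overly broad one, and checks whether a given client IP passes the condition. The function names and the `max_addresses` threshold are assumptions; `Deny` statements and other condition keys are ignored.

```python
import ipaddress
import json

# The access policy from the answer, embedded so the example runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": "*"},
   "Action": ["es:ESHttp*"],
   "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}},
   "Resource": "arn:aws:es:us-west-1:987654321098:domain/test-domain/*"}]}
""")

def as_list(value):
    # Policy elements may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def wildcard_allow(stmt):
    # True for Allow statements whose principal is "*" or {"AWS": "*"}.
    p = stmt.get("Principal")
    anyone = p == "*" or (isinstance(p, dict) and "*" in as_list(p.get("AWS", [])))
    return stmt.get("Effect") == "Allow" and anyone

def source_networks(stmt):
    # CIDR blocks listed under Condition -> IpAddress -> aws:SourceIp.
    cond = stmt.get("Condition", {}).get("IpAddress", {})
    return [ipaddress.ip_network(c, strict=False)
            for c in as_list(cond.get("aws:SourceIp", []))]

def audit(policy, max_addresses=65536):
    # max_addresses is an assumed threshold for "too broad"; tune it locally.
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if not wildcard_allow(stmt):
            continue
        nets = source_networks(stmt)
        if not nets:
            findings.append((i, "OPEN", "wildcard principal, no aws:SourceIp"))
        findings += [(i, "BROAD", str(n)) for n in nets
                     if n.num_addresses > max_addresses]
    return findings

def ip_passes(policy, ip):
    # Simplified check: ignores Deny statements and other condition keys.
    addr = ipaddress.ip_address(ip)
    for stmt in filter(wildcard_allow, as_list(policy["Statement"])):
        nets = source_networks(stmt)
        if not nets or any(addr in n for n in nets):
            return True
    return False
```

Passing the IP condition only gets a request to the domain; as the answer notes, with fine-grained access control enabled the request still has to authenticate.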