Posted On: Jan 6, 2022

Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) now supports enabling fine-grained access control on existing domains. Fine-grained access control adds several capabilities that give you tighter control over access to the data stored in your domain.

Features include creating and mapping local users, authorizing external identities to predefined security roles, limiting access to confidential data, field masking, and many other advanced capabilities, including document-level security and field-level security. Fine-grained access control enables different teams to share an Amazon OpenSearch Service domain without being able to see or modify other teams’ data, dashboards, or visualizations, which improves efficiency and centralizes management. You can also limit each user to only the permissions needed to perform specific tasks.

Fine-grained access control offers three forms of authentication and authorization: a built-in user database, which makes it easier to configure usernames and passwords within OpenSearch; AWS Identity and Access Management (IAM) integration, which lets you map IAM principals to data permissions; and single sign-on with native SAML (Security Assertion Markup Language) integration.

For more information on configuring and using fine-grained access control, please see this documentation.

Fine-grained access control can now be enabled on all Amazon OpenSearch Service domains with Elasticsearch version 6.7 or higher and OpenSearch version 1.0 or higher across 26 regions globally: US East (N. Virginia), US East (Ohio), US West (Oregon), US West (N. California), AWS GovCloud (US-East), AWS GovCloud (US-West), Canada (Central), South America (Sao Paulo), Africa (Cape Town), Middle East (Bahrain), Europe (Ireland), Europe (London), Europe (Frankfurt), Europe (Paris), Europe (Stockholm), Europe (Milan), Asia Pacific (Jakarta), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Mumbai), Asia Pacific (Hong Kong), and China (Beijing – operated by Sinnet, Ningxia – operated by NWCD). Please refer to the AWS Region Table for more information about Amazon OpenSearch Service availability.