Posted On: Jun 16, 2022

Amazon OpenSearch Service now supports tag-based authorization for HTTP methods, making it easier for you to manage access control for data read and write operations. You can use Identity policies in AWS Identity and Access Management (IAM) to define permissions for read and write HTTP methods, allowing coarse-grained access control of data on your Amazon OpenSearch Service domains.

Amazon OpenSearch Service currently supports tag-based authorization for configuration APIs, enabling you to use resource tags, request tags or tag keys to allow or deny specific operations such as creating, modifying, or updating Amazon OpenSearch Service domains. With this release, you can also create an identity policy in IAM that uses resource tags to allow or deny access to specific HTTP methods. Please see the documentation for more details.
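An identity policy of the kind described above, as an added example that is not part of the original announcement. The tag keys and values (`team=analytics`, `environment=production`) are constructed for illustration; the `es:ESHttp*` actions and the `aws:ResourceTag` condition key are the ones IAM provides for OpenSearch Service domains.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadMethodsOnAnalyticsDomains",
      "Effect": "Allow",
      "Action": [
        "es:ESHttpGet",
        "es:ESHttpHead"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/team": "analytics"
        }
      }
    },
    {
      "Sid": "DenyWriteMethodsOnProductionDomains",
      "Effect": "Deny",
      "Action": [
        "es:ESHttpPut",
        "es:ESHttpPost",
        "es:ESHttpPatch",
        "es:ESHttpDelete"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "production"
        }
      }
    }
  ]
}
```

Because the policy matches on HTTP method only, a search sent as `POST /_search` is not covered by the `Allow` statement, so clients under this policy must issue reads as GET or HEAD. The explicit `Deny` takes precedence over any `Allow` granted elsewhere for domains carrying the production tag.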

Tag-based identity policies for read and write operations only apply to HTTP methods. For more granular access control to specific data sets, including limiting access to documents or fields based on filter criteria, consider fine-grained access control.

Tag-based authorization for read and write HTTP methods using IAM Identity policies is available for Amazon OpenSearch Service domains across 26 regions globally: US East (Ohio), US East (N. Virginia), US West (N. California), US West (Oregon), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Asia Pacific (Mumbai), Asia Pacific (Osaka), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), China (Beijing – operated by Sinnet, Ningxia – operated by NWCD), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Milan), Europe (Paris), Europe (Stockholm), Middle East (Bahrain), South America (Sao Paulo), and AWS GovCloud (US). Please refer to the AWS Region Table for more information about Amazon OpenSearch Service availability.