Posted On: Jan 6, 2022

Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) now supports enabling fine-grained access control on existing domains. Fine-grained access control adds several capabilities that give you tighter control over access to the data stored in your domain.

Features include creating and mapping local users, authorizing external identities to predefined security roles, limiting access to confidential data, field masking, and many other advanced capabilities, including document-level security and field-level security. Fine-grained access control enables different teams to share an Amazon OpenSearch Service domain without being able to see or modify other teams’ data, dashboards, or visualizations, which improves efficiency and centralizes management. You can also limit each user to only the permissions needed to perform specific tasks.

Fine-grained access control offers three forms of authentication and authorization: a built-in user database, which makes it easier to configure usernames and passwords within OpenSearch; Amazon Identity and Access Management (IAM) integration, which lets you map IAM principals to data permissions; and single sign-on with native SAML (Security Assertion Markup Language) integration.

For more information on configuring and using fine-grained access control, please see this documentation.

Fine-grained access control can now be enabled on all Amazon OpenSearch Service domains with Elasticsearch version 6.7 or higher and OpenSearch version 1.0 or higher in Amazon Web Services China (Beijing) Region, operated by Sinnet, and Amazon Web Services China (Ningxia) Region, operated by NWCD.