Posted On: Jun 21, 2022

Amazon OpenSearch Service now supports tag-based authorization for HTTP methods, making it easier for you to manage access control for data read and write operations. You can use identity policies in Amazon Identity and Access Management (IAM) to define permissions for read and write HTTP methods, allowing coarse-grained access control of data on your Amazon OpenSearch Service domains.

Amazon OpenSearch Service currently supports tag-based authorization for configuration APIs, enabling you to use resource tags, request tags, or tag keys to allow or deny specific operations such as creating, modifying, or updating Amazon OpenSearch Service domains. With this release, you can also create an identity policy in IAM that uses resource tags to allow or deny access to specific HTTP methods. Please see the documentation for more details.

Tag-based identity policies for read and write operations apply only to HTTP methods. For more granular access control over specific data sets, including limiting access to documents or fields based on filter criteria, consider using fine-grained access control.
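As an added illustration (not part of the original announcement), an identity policy of this kind could look like the following. The tag key `environment`, its values `analytics` and `production`, and the `Sid` names are assumptions chosen for the example; `aws-cn` is the ARN partition for the China Regions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleAllowReadMethodsOnAnalyticsDomains",
      "Effect": "Allow",
      "Action": [
        "es:ESHttpGet",
        "es:ESHttpHead"
      ],
      "Resource": "arn:aws-cn:es:*:*:domain/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "analytics"
        }
      }
    },
    {
      "Sid": "ExampleDenyWriteMethodsOnProductionDomains",
      "Effect": "Deny",
      "Action": [
        "es:ESHttpPost",
        "es:ESHttpPut",
        "es:ESHttpPatch",
        "es:ESHttpDelete"
      ],
      "Resource": "arn:aws-cn:es:*:*:domain/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "production"
        }
      }
    }
  ]
}
```

Because the policy is evaluated per HTTP method, denying `es:ESHttpPost` also blocks search requests that clients send as `POST` with a request body, so check which methods your clients actually use before attaching a statement like the second one.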

Tag-based authorization for read and write HTTP methods using IAM identity policies is available for Amazon OpenSearch Service domains running any version of Elasticsearch or OpenSearch in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD.