How to use Fine-grained access control in Amazon OpenSearch Service

Eray ALTILI
5 min read · Sep 27, 2023

In this blog post, I will show you how to use Fine-grained access control in Amazon OpenSearch Service, a fully managed service that makes it easy to deploy, operate, and scale OpenSearch clusters in the AWS Cloud. Fine-grained access control lets you control who can access your data, and how, at the cluster, index, document, and field levels. You can also use Fine-grained access control to enable single sign-on (SSO) for OpenSearch Dashboards, a visualization tool for analyzing your search results.

Figure: a common configuration, consisting of a VPC access domain with fine-grained access control enabled, an IAM-based access policy, and an IAM master user.

Prerequisites

To follow this tutorial, you need the following:

  • An AWS account with permissions to create and manage OpenSearch Service domains.
  • A domain running OpenSearch version 2.x or later with Fine-grained access control enabled.
  • A dataset that you want to index and search using OpenSearch.

Figure: another common configuration, consisting of a public access domain with fine-grained access control enabled, an access policy that doesn’t use IAM principals, and a master user in the internal user database.

Step 1: Create users and roles for Fine-grained access control

The first step is to create users and roles for Fine-grained access control using the internal user database and the security plugin. Users are the identities that you use to log in to OpenSearch Dashboards or access the OpenSearch REST API. Roles are the collections of permissions that you assign to users or backend roles. Permissions define the actions that users can perform on your domain resources, such as indexes, documents, or fields.

To create users and roles for Fine-grained access control, follow these steps:

  1. Go to the OpenSearch Service console, select your domain, and click on Open OpenSearch Dashboards.
  2. Log in as the master user that you created when you enabled Fine-grained access control for your domain.
  3. On the left menu, go to Security and then Internal users from the secondary menu. Click on the Create…
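
Users, roles and role mappings can also be created through the security plugin's REST API instead of the Dashboards UI. The following is an added example, not code from the original post: it builds the three API calls for one user and one role, and refuses roles whose wildcard grants would defeat the index, document and field restrictions. The role, user, index and field names are hypothetical, the role bodies are constructed samples, and the script only builds the requests and sends nothing.

```python
import json

API = "_plugins/_security/api"  # security plugin REST API prefix

# Constructed role bodies; role, index and field names are hypothetical.
ROLES = {
    "orders_reader": {
        "cluster_permissions": [],
        "index_permissions": [{
            "index_patterns": ["orders-*"],                  # index level
            "allowed_actions": ["read"],
            "dls": json.dumps({"term": {"region": "eu"}}),   # document level
            "fls": ["~customer_email"],                      # field level: exclude
        }],
    },
    "too_broad": {
        "cluster_permissions": ["*"],
        "index_permissions": [{"index_patterns": ["*"], "allowed_actions": ["*"]}],
    },
}

def audit_role(name, body):
    """Return findings for grants that defeat fine-grained access control."""
    findings = []
    if "*" in body.get("cluster_permissions", []):
        findings.append(f"{name}: wildcard cluster permission")
    for perm in body.get("index_permissions", []):
        if "*" in perm.get("index_patterns", []):
            findings.append(f"{name}: pattern matches every index")
        if "*" in perm.get("allowed_actions", []):
            findings.append(f"{name}: wildcard index action")
        try:
            json.loads(perm.get("dls") or "{}")   # dls is a JSON query string
        except ValueError:
            findings.append(f"{name}: dls is not valid JSON")
    return findings

def build_requests(user, password, role_name):
    """Return (method, path, body) calls: create role, create user, map them."""
    body = ROLES[role_name]
    if audit_role(role_name, body):
        raise ValueError(f"refusing to create over-broad role {role_name}")
    return [
        ("PUT", f"{API}/roles/{role_name}", body),
        ("PUT", f"{API}/internalusers/{user}", {"password": password}),
        ("PUT", f"{API}/rolesmapping/{role_name}", {"users": [user]}),
    ]

if __name__ == "__main__":
    for method, path, body in build_requests("analyst1", "<password>", "orders_reader"):
        print(method, path, json.dumps(body))
```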
