AmazonOpenSearchServiceFullAccess AmazonOpenSearchServiceReadOnlyAccess AmazonOpenSearchServiceRolePolicy AmazonOpenSearchServiceCognitoAccess AmazonOpenSearchIngestionServiceRolePolicy AmazonOpenSearchIngestionFullAccess AmazonOpenSearchIngestionReadOnlyAccess AmazonOpenSearchServerlessServiceRolePolicy Policy updates

Amazon managed policies for Amazon OpenSearch Service

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

AmazonOpenSearchServiceFullAccess

Grants full access to the OpenSearch Service configuration API operations and resources for an Amazon Web Services account.

You can find the AmazonOpenSearchServiceFullAccess policy in the IAM console.

AmazonOpenSearchServiceReadOnlyAccess

Grants read-only access to all OpenSearch Service resources for an Amazon Web Services account.

You can find the AmazonOpenSearchServiceReadOnlyAccess policy in the IAM console.

AmazonOpenSearchServiceRolePolicy

You can't attach AmazonOpenSearchServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows OpenSearch Service to access account resources. For more information, see Permissions.

You can find the AmazonOpenSearchServiceRolePolicy policy in the IAM console.

AmazonOpenSearchServiceCognitoAccess

Provides the minimum Amazon Cognito permissions necessary to enable Cognito authentication.

You can find the AmazonOpenSearchServiceCognitoAccess policy in the IAM console.

AmazonOpenSearchIngestionServiceRolePolicy

You can't attach AmazonOpenSearchIngestionServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows OpenSearch Ingestion to enable VPC access for ingestion pipelines, create tags, and publish ingestion-related CloudWatch metrics to your account. For more information, see Using service-linked roles for Amazon OpenSearch Service.

You can find the AmazonOpenSearchIngestionServiceRolePolicy policy in the IAM console.

AmazonOpenSearchIngestionFullAccess

Grants full access to the OpenSearch Ingestion API operations and resources for an Amazon Web Services account.

You can find the AmazonOpenSearchIngestionFullAccess policy in the IAM console.

AmazonOpenSearchIngestionReadOnlyAccess

Grants read-only access to all OpenSearch Ingestion resources for an Amazon Web Services account.

You can find the AmazonOpenSearchIngestionReadOnlyAccess policy in the IAM console.

AmazonOpenSearchServerlessServiceRolePolicy

Provides the minimum Amazon CloudWatch permissions necessary to send OpenSearch Serverless metric data to CloudWatch.

You can find the AmazonOpenSearchServerlessServiceRolePolicy policy in the IAM console.

OpenSearch Service updates to Amazon managed policies

View details about updates to Amazon managed policies for OpenSearch Service since this service began tracking changes.

Change	Description	Date
Updated `AmazonOpenSearchServiceRolePolicy` and `AmazonElasticsearchServiceRolePolicy`	Added the permissions necessary for the service-linked role to assign and unassign IPv6 addresses. The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.	18 October 2023
Added `AmazonOpenSearchIngestionServiceRolePolicy`	A new policy that allows OpenSearch Ingestion to enable VPC access for ingestion pipelines, create tags, and publish ingestion-related CloudWatch metrics to your account. For the policy JSON, see the IAM console.	26 April 2023
Added `AmazonOpenSearchIngestionFullAccess`	A new policy that grants full access to the OpenSearch Ingestion API operations and resources for an Amazon Web Services account. For the policy JSON, see the IAM console.	26 April 2023
Added `AmazonOpenSearchIngestionReadOnlyAccess`	A new policy that grants read-only access to all OpenSearch Ingestion resources for an Amazon Web Services account. For the policy JSON, see the IAM console.	26 April 2023
Added `AmazonOpenSearchServerlessServiceRolePolicy`	A new policy that provides the minimum permissions necessary to send OpenSearch Serverless metric data to Amazon CloudWatch. For the policy JSON, see the IAM console.	29 November 2022
Updated `AmazonOpenSearchServiceRolePolicy` and `AmazonElasticsearchServiceRolePolicy`	Added the permissions necessary for the service-linked role to create OpenSearch Service-managed VPC endpoints. Some actions can only be performed when the request contains the tag `OpenSearchManaged=true`. The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.	7 November 2022
Updated `AmazonOpenSearchServiceRolePolicy` and `AmazonElasticsearchServiceRolePolicy`	Added support for the `PutMetricData` action, which is required to publish OpenSearch cluster metrics to Amazon CloudWatch. The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility. For the policy JSON, see the IAM console.	12 September 2022
Updated `AmazonOpenSearchServiceRolePolicy` and `AmazonElasticsearchServiceRolePolicy`	Added support for the `acm` resource type. The policy provides the minimum Amazon Certificate Manager (ACM) read-only permission necessary for the service-linked role to verify and validate ACM resources in order to create and update custom endpoint enabled domains. The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.	28 July 2022
Updated `AmazonOpenSearchServiceCognitoAccess` and `AmazonESCognitoAccess`	Added support for the `UpdateUserPoolClient` action, which is required to set Cognito user pool configuration during upgrade from Elasticsearch to OpenSearch. Corrected permissions for the `SetIdentityPoolRoles` action to allow access to all resources. The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.	20 December 2021
Updated `AmazonOpenSearchServiceRolePolicy`	Added support for the `security-group` resource type. The policy provides the minimum Amazon EC2 and Elastic Load Balancing permissions necessary for the service-linked role to enable VPC access.	9 September 2021
Added `AmazonOpenSearchServiceFullAccess` Deprecated `AmazonESFullAccess`	This new policy is meant to replace the old policy. Both policies provide full access to the OpenSearch Service configuration API and all HTTP methods for the OpenSearch APIs. Fine-grained access control and resource-based policies can still restrict access.	7 September 2021
Added `AmazonOpenSearchServiceReadOnlyAccess` Deprecated `AmazonESReadOnlyAccess`	This new policy is meant to replace the old policy. Both policies provide read-only access to the OpenSearch Service configuration API (`es:Describe`, `es:List`, and `es:Get*`) and no access to the HTTP methods for the OpenSearch APIs.	7 September 2021
Added `AmazonOpenSearchServiceCognitoAccess` Deprecated `AmazonESCognitoAccess`	This new policy is meant to replace the old policy. Both policies provide the minimum Amazon Cognito permissions necessary to enable Cognito authentication.	7 September 2021
Added AmazonOpenSearchServiceRolePolicy Deprecated `AmazonElasticsearchServiceRolePolicy`	This new policy is meant to replace the old policy. Both policies provide the minimum Amazon EC2 and Elastic Load Balancing permissions necessary for the service-linked role to enable VPC access.	7 September 2021
Started tracking changes	Amazon OpenSearch Service now tracks changes to Amazon-managed policies.	7 September 2021

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

API permissions reference

Cross-service confused deputy prevention