
Amazon managed policies for Amazon OpenSearch Service

An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.

For more information, see Amazon managed policies in the IAM User Guide.

AmazonOpenSearchDirectQueryGlueCreateAccess

Grants Amazon OpenSearch Service Direct Query Service access to the CreateDatabase, CreatePartition, CreateTable, and BatchCreatePartition Amazon Glue API operations.

You can find the AmazonOpenSearchDirectQueryGlueCreateAccess policy in the IAM console.

AmazonOpenSearchServiceFullAccess

Grants full access to the OpenSearch Service configuration API operations and resources for an Amazon Web Services account.

You can find the AmazonOpenSearchServiceFullAccess policy in the IAM console.

AmazonOpenSearchServiceReadOnlyAccess

Grants read-only access to all OpenSearch Service resources for an Amazon Web Services account.

You can find the AmazonOpenSearchServiceReadOnlyAccess policy in the IAM console.

AmazonOpenSearchServiceRolePolicy

You can't attach AmazonOpenSearchServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows OpenSearch Service to access account resources. For more information, see Permissions.

You can find the AmazonOpenSearchServiceRolePolicy policy in the IAM console.

AmazonOpenSearchServiceCognitoAccess

Provides the minimum Amazon Cognito permissions necessary to enable Cognito authentication.

You can find the AmazonOpenSearchServiceCognitoAccess policy in the IAM console.

AmazonOpenSearchIngestionServiceRolePolicy

You can't attach AmazonOpenSearchIngestionServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows OpenSearch Ingestion to enable VPC access for ingestion pipelines, create tags, and publish ingestion-related CloudWatch metrics to your account. For more information, see Using service-linked roles for Amazon OpenSearch Service.

You can find the AmazonOpenSearchIngestionServiceRolePolicy policy in the IAM console.

AmazonOpenSearchIngestionFullAccess

Grants full access to the OpenSearch Ingestion API operations and resources for an Amazon Web Services account.

You can find the AmazonOpenSearchIngestionFullAccess policy in the IAM console.

AmazonOpenSearchIngestionReadOnlyAccess

Grants read-only access to all OpenSearch Ingestion resources for an Amazon Web Services account.

You can find the AmazonOpenSearchIngestionReadOnlyAccess policy in the IAM console.

AmazonOpenSearchServerlessServiceRolePolicy

Provides the minimum Amazon CloudWatch permissions necessary to send OpenSearch Serverless metric data to CloudWatch.

You can find the AmazonOpenSearchServerlessServiceRolePolicy policy in the IAM console.

OpenSearch Service updates to Amazon managed policies

View details about updates to Amazon managed policies for OpenSearch Service since this service began tracking changes.

Change Description Date

Added AmazonOpenSearchDirectQueryGlueCreateAccess

Grants Amazon OpenSearch Service Direct Query Service access to the CreateDatabase, CreatePartition, CreateTable, and BatchCreatePartition Amazon Glue API operations.

6 May 2024

Updated AmazonOpenSearchServiceRolePolicy and AmazonElasticsearchServiceRolePolicy

Added the permissions necessary for the service-linked role to assign and unassign IPv6 addresses.

The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.

18 October 2023

Added AmazonOpenSearchIngestionServiceRolePolicy

A new policy that allows OpenSearch Ingestion to enable VPC access for ingestion pipelines, create tags, and publish ingestion-related CloudWatch metrics to your account.

For the policy JSON, see the IAM console.

26 April 2023

Added AmazonOpenSearchIngestionFullAccess

A new policy that grants full access to the OpenSearch Ingestion API operations and resources for an Amazon Web Services account.

For the policy JSON, see the IAM console.

26 April 2023

Added AmazonOpenSearchIngestionReadOnlyAccess

A new policy that grants read-only access to all OpenSearch Ingestion resources for an Amazon Web Services account.

For the policy JSON, see the IAM console.

26 April 2023

Added AmazonOpenSearchServerlessServiceRolePolicy

A new policy that provides the minimum permissions necessary to send OpenSearch Serverless metric data to Amazon CloudWatch.

For the policy JSON, see the IAM console.

29 November 2022

Updated AmazonOpenSearchServiceRolePolicy and AmazonElasticsearchServiceRolePolicy

Added the permissions necessary for the service-linked role to create OpenSearch Service-managed VPC endpoints. Some actions can only be performed when the request contains the tag OpenSearchManaged=true.

The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.

7 November 2022

Updated AmazonOpenSearchServiceRolePolicy and AmazonElasticsearchServiceRolePolicy

Added support for the PutMetricData action, which is required to publish OpenSearch cluster metrics to Amazon CloudWatch.

The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.

For the policy JSON, see the IAM console.

12 September 2022

Updated AmazonOpenSearchServiceRolePolicy and AmazonElasticsearchServiceRolePolicy

Added support for the acm resource type. The policy provides the minimum Amazon Certificate Manager (ACM) read-only permission necessary for the service-linked role to verify and validate ACM resources in order to create and update custom endpoint enabled domains.

The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.

28 July 2022

Updated AmazonOpenSearchServiceCognitoAccess and AmazonESCognitoAccess

Added support for the UpdateUserPoolClient action, which is required to set Cognito user pool configuration during upgrade from Elasticsearch to OpenSearch.

Corrected permissions for the SetIdentityPoolRoles action to allow access to all resources.

The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.

20 December 2021

Updated AmazonOpenSearchServiceRolePolicy

Added support for the security-group resource type. The policy provides the minimum Amazon EC2 and Elastic Load Balancing permissions necessary for the service-linked role to enable VPC access.

9 September 2021

  • Added AmazonOpenSearchServiceFullAccess

  • Deprecated AmazonESFullAccess

This new policy is meant to replace the old policy. Both policies provide full access to the OpenSearch Service configuration API and all HTTP methods for the OpenSearch APIs. Fine-grained access control and resource-based policies can still restrict access.

7 September 2021

  • Added AmazonOpenSearchServiceReadOnlyAccess

  • Deprecated AmazonESReadOnlyAccess

This new policy is meant to replace the old policy. Both policies provide read-only access to the OpenSearch Service configuration API (es:Describe*, es:List*, and es:Get*) and no access to the HTTP methods for the OpenSearch APIs.

7 September 2021

  • Added AmazonOpenSearchServiceCognitoAccess

  • Deprecated AmazonESCognitoAccess

This new policy is meant to replace the old policy. Both policies provide the minimum Amazon Cognito permissions necessary to enable Cognito authentication.

7 September 2021

This new policy is meant to replace the old policy. Both policies provide the minimum Amazon EC2 and Elastic Load Balancing permissions necessary for the service-linked role to enable VPC access.

7 September 2021

Started tracking changes

Amazon OpenSearch Service now tracks changes to Amazon-managed policies.

7 September 2021
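
Because an update to an Amazon managed policy reaches every principal it is attached to, it helps to know which principals still carry the deprecated AmazonES* policies or one of the full-access policies listed above. The following is an added example, not part of the original documentation: it audits output saved from `aws iam get-account-authorization-details`, and the sample data, principal names, and account ID are constructed.

```python
import json

# Deprecated policy -> replacement, taken from the change history on this page.
DEPRECATED = {
    "AmazonESFullAccess": "AmazonOpenSearchServiceFullAccess",
    "AmazonESReadOnlyAccess": "AmazonOpenSearchServiceReadOnlyAccess",
    "AmazonESCognitoAccess": "AmazonOpenSearchServiceCognitoAccess",
}
# Full-access policies named on this page; candidates for a narrower customer managed policy.
FULL_ACCESS = {"AmazonOpenSearchServiceFullAccess",
               "AmazonOpenSearchIngestionFullAccess", "AmazonESFullAccess"}
# Sections of the export and the key that holds each principal's name.
SECTIONS = (("UserDetailList", "UserName"), ("GroupDetailList", "GroupName"),
            ("RoleDetailList", "RoleName"))

def is_amazon_managed(arn):
    # Amazon managed policy ARNs carry "aws" in the account field in every
    # partition (arn:aws:iam::aws:policy/... or arn:aws-cn:iam::aws:policy/...).
    parts = arn.split(":")
    return len(parts) >= 6 and parts[4] == "aws"

def audit(details):
    """Return one finding per attachment that is deprecated or full-access."""
    findings = []
    for section, name_key in SECTIONS:
        for principal in details.get(section, []):
            for pol in principal.get("AttachedManagedPolicies", []):
                name = pol["PolicyName"]
                if not is_amazon_managed(pol["PolicyArn"]):
                    continue  # customer managed policy that only shares the name
                if name in DEPRECATED or name in FULL_ACCESS:
                    findings.append({"principal": principal[name_key],
                                     "policy": name,
                                     "replace_with": DEPRECATED.get(name),
                                     "full_access": name in FULL_ACCESS})
    return findings

# Constructed sample in the shape of get-account-authorization-details output.
SAMPLE = json.loads("""{
 "UserDetailList": [{"UserName": "analyst", "AttachedManagedPolicies": [
  {"PolicyName": "AmazonESReadOnlyAccess", "PolicyArn": "arn:aws-cn:iam::aws:policy/AmazonESReadOnlyAccess"}]}],
 "GroupDetailList": [{"GroupName": "ops", "AttachedManagedPolicies": [
  {"PolicyName": "AmazonESFullAccess", "PolicyArn": "arn:aws-cn:iam::111122223333:policy/AmazonESFullAccess"}]}],
 "RoleDetailList": [{"RoleName": "search-admin", "AttachedManagedPolicies": [
  {"PolicyName": "AmazonOpenSearchServiceFullAccess", "PolicyArn": "arn:aws-cn:iam::aws:policy/AmazonOpenSearchServiceFullAccess"},
  {"PolicyName": "AmazonOpenSearchServiceCognitoAccess", "PolicyArn": "arn:aws-cn:iam::aws:policy/AmazonOpenSearchServiceCognitoAccess"}]}]}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The `ops` group is skipped because its policy ARN has an account ID in the account field, which marks it as a customer managed policy rather than the deprecated Amazon managed one.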