Network access for Amazon OpenSearch Serverless
The network settings for an Amazon OpenSearch Serverless collection determine whether the collection is accessible over the internet from public networks, or whether it must be accessed privately.
Private access can apply to one or both of the following:
-
OpenSearch Serverless-managed VPC endpoints
-
Supported Amazon Web Services such as Amazon Bedrock
You can configure network access separately for a collection's OpenSearch endpoint and its corresponding OpenSearch Dashboards endpoint.
Network access is the isolation mechanism for allowing access from different source networks. For example, if a collection's OpenSearch Dashboards endpoint is publicly accessible but the OpenSearch API endpoint isn't, a user can access the collection data only through Dashboards when connecting from a public network. If they try to call the OpenSearch APIs directly from a public network, they'll be blocked. Network settings can be used for such permutations of source to resource type. Amazon OpenSearch Serverless supports both IPv4 and IPv6 connectivity.
Topics
Network policies
Network policies let you manage many collections at scale by automatically assigning network access settings to collections that match the rules defined in the policy.
In a network policy, you specify a series of rules. These rule define
access permissions to collection endpoints and OpenSearch Dashboards endpoints. Each rule
consists of an access type (public or private) and a resource type (collection and/or
OpenSearch Dashboards endpoint). For each resource type (collection and
dashboard), you specify a series of rules that define which collection(s)
the policy will apply to.
In this sample policy, the first rule specifies VPC endpoint access to both the collection
endpoint and the Dashboards endpoint for all collections beginning with the term
marketing*. It also specifies Amazon Bedrock access.
Note
Private access to Amazon Web Services such as Amazon Bedrock only applies to the
collection's OpenSearch endpoint, not to the OpenSearch Dashboards endpoint. Even if the
ResourceType is dashboard, Amazon Web Services cannot be
granted access to OpenSearch Dashboards.
The second rule specifies public access to the finance collection, but only
for the collection endpoint (no Dashboards access).
[ { "Description":"Marketing access", "Rules":[ { "ResourceType":"collection", "Resource":[ "collection/marketing*" ] }, { "ResourceType":"dashboard", "Resource":[ "collection/marketing*" ] } ], "AllowFromPublic":false, "SourceVPCEs":[ "vpce-050f79086ee71ac05" ], "SourceServices":[ "bedrock.amazonaws.com" ], }, { "Description":"Sales access", "Rules":[ { "ResourceType":"collection", "Resource":[ "collection/finance" ] } ], "AllowFromPublic":true } ]
This policy provides public access only to OpenSearch Dashboards for collections beginning with "finance". Any attempts to directly access the OpenSearch API will fail.
[ { "Description": "Dashboards access", "Rules": [ { "ResourceType": "dashboard", "Resource": [ "collection/finance*" ] } ], "AllowFromPublic": true } ]
Network policies can apply to existing collections as well as future collections. For example, you can create a collection and then create a network policy with a rule that matches the collection name. You don't need to create network policies before you create collections.
Considerations
Consider the following when you configure network access for your collections:
-
If you plan to configure VPC endpoint access for a collection, you must first create at least one OpenSearch Serverless-managed VPC endpoint.
-
Private access to Amazon Web Services only applies to the collection's OpenSearch endpoint, not to the OpenSearch Dashboards endpoint. Even if the
ResourceTypeisdashboard, Amazon Web Services cannot be granted access to OpenSearch Dashboards. -
If a collection is accessible from public networks, it's also accessible from all OpenSearch Serverless-managed VPC endpoints and all Amazon Web Services.
-
Multiple network policies can apply to a single collection. For more information, see Policy precedence.
Permissions required to configure network policies
Network access for OpenSearch Serverless uses the following Amazon Identity and Access Management (IAM) permissions. You can specify IAM conditions to restrict users to network policies associated with specific collections.
-
aoss:CreateSecurityPolicy– Create a network access policy. -
aoss:ListSecurityPolicies– List all network policies in the current account. -
aoss:GetSecurityPolicy– View a network access policy specification. -
aoss:UpdateSecurityPolicy– Modify a given network access policy, and change the VPC ID or public access designation. -
aoss:DeleteSecurityPolicy– Delete a network access policy (after it's detached from all collections).
The following identity-based access policy allows a user to view all network policies,
and update policies with the resource pattern
collection/application-logs:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aoss:UpdateSecurityPolicy" ], "Resource": "*", "Condition": { "StringEquals": { "aoss:collection": "application-logs" } } }, { "Effect": "Allow", "Action": [ "aoss:ListSecurityPolicies", "aoss:GetSecurityPolicy" ], "Resource": "*" } ] }
Note
In addition, OpenSearch Serverless requires the aoss:APIAccessAll and
aoss:DashboardsAccessAll permissions for collection resources. For
more information, see Using OpenSearch
API operations.
Policy precedence
There can be situations where network policy rules overlap, within or across policies. When this happens, a rule that specifies public access overrides a rule that specifies private access for any collections that are common to both rules.
For example, in the following policy, both rules assign network access to the
finance collection, but one rule specifies VPC access while the other
specifies public access. In this situation, public access overrides VPC access
only for the finance collection (because it exists in both
rules), so the finance collection will be accessible from public networks. The sales
collection will have VPC access from the specified endpoint.
[ { "Description":"Rule 1", "Rules":[ { "ResourceType":"collection", "Resource":[ "collection/sales", "collection/finance" ] } ], "AllowFromPublic":false, "SourceVPCEs":[ "vpce-050f79086ee71ac05" ] }, { "Description":"Rule 2", "Rules":[ { "ResourceType":"collection", "Resource":[ "collection/finance" ] } ], "AllowFromPublic":true } ]
If multiple VPC endpoints from different rules apply to a collection, the rules are
additive and the collection will be accessible from all specified endpoints. If you set
AllowFromPublic to true but also provide one or more
SourceVPCEs or SourceServices, OpenSearch Serverless ignores the VPC
endpoints and service identifiers, and the associated collections will have public
access.
Creating network policies (console)
Network policies can apply to existing policies as well as future policies. We recommend that you create network policies before you start creating collections.
To create an OpenSearch Serverless network policy
-
Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/home
. -
On the left navigation panel, expand Serverless and choose Network policies.
-
Choose Create network policy.
-
Provide a name and description for the policy.
-
Provide one or more rules. These rules define access permissions for your OpenSearch Serverless collections and their OpenSearch Dashboards endpoints.
Each rule contains the following elements:
Element Description Rule name A name that describes the contents of the rule. For example, "VPC access for marketing team". Access type Choose either public or private access. Then, select one or both of the following: -
VPC endpoints for access – Specify one or more OpenSearch Serverless-managed VPC endpoints–managed VPC endpoints.
-
Amazon Web Service private access – Select one or more supported Amazon Web Services.
Resource type Select whether to provide access to OpenSearch endpoints (which allows making calls to the OpenSearch API), to OpenSearch Dashboards (which allows access to visualizations and the user interface for OpenSearch plugins), or both. Note
Amazon Web Service private access only applies to the collection's OpenSearch endpoint, not to the OpenSearch Dashboards endpoint. Even if you select OpenSearch Dashboards, Amazon Web Services can only be granted endpoint access.
For each resource type that you select, you can choose existing collections to apply the policy settings to, and/or create one or more resource patterns. Resource patterns consist of a prefix and a wildcard (*), and define which collections the policy settings will apply to.
For example, if you include a pattern called
Marketing*, any new or existing collections whose names start with "Marketing" will have the network settings in this policy automatically applied to them. A single wildcard (*) applies the policy to all current and future collections.In addition, you can specify the name of a future collection without a wildcard, such as
Finance. OpenSearch Serverless will apply the policy settings to any newly created collection with that exact name. -
-
When you're satisfied with your policy configuration, choose Create.
Creating network policies (Amazon CLI)
To create a network policy using the OpenSearch Serverless API operations, you specify rules in JSON
format. The CreateSecurityPolicy request accepts both inline policies and .json files.
All collections and patterns must take the form collection/<collection
name|pattern>.
Note
The resource type dashboards only allows permission to
OpenSearch Dashboards, but in order for OpenSearch Dashboards to function, you must also allow
collection access from the same sources. See the second policy below for an
example.
To specify private access, include one or both of the following elements:
-
SourceVPCEs– Specify one or more OpenSearch Serverless–managed VPC endpoints. -
SourceServices– Specify the identifier of one or more supported Amazon Web Services. Currently, the following service identifiers are supported:-
bedrock.amazonaws.com– Amazon Bedrock
-
The following sample network policy provides private access, to a VPC endpoint and
Amazon Bedrock, to collection endpoints only for collections beginning with the prefix
log*. Authenticated users can't sign in to OpenSearch Dashboards; they can
only access the collection endpoint programmatically.
[ { "Description":"Private access for log collections", "Rules":[ { "ResourceType":"collection", "Resource":[ "collection/log*" ] } ], "AllowFromPublic":false, "SourceVPCEs":[ "vpce-050f79086ee71ac05" ], "SourceServices":[ "bedrock.amazonaws.com" ], } ]
The following policy provides public access to the OpenSearch endpoint
and OpenSearch Dashboards for a single collection named
finance. If the collection doesn't exist, the network settings will be
applied to the collection if and when it's created.
[ { "Description":"Public access for finance collection", "Rules":[ { "ResourceType":"dashboard", "Resource":[ "collection/finance" ] }, { "ResourceType":"collection", "Resource":[ "collection/finance" ] } ], "AllowFromPublic":true } ]
The following request creates the above network policy:
aws opensearchserverless create-security-policy \ --namesales-inventory\ --type network \ --policy "[{\"Description\":\"Public access for finance collection\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection\/finance\"]},{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/finance\"]}],\"AllowFromPublic\":true}]"
To provide the policy in a JSON file, use the format --policy
file://my-policy.json
Viewing network policies
Before you create a collection, you might want to preview the existing network policies in your account to see which one has a resource pattern that matches your collection's name. The following ListSecurityPolicies request lists all network policies in your account:
aws opensearchserverless list-security-policies --type network
The request returns information about all configured network policies. To view the
pattern rules defined in the one specific policy, find the policy information in the
contents of the securityPolicySummaries element in the response. Note the
name and type of this policy and use these properties in a
GetSecurityPolicy request to receive a response with the following policy
details:
{ "securityPolicyDetail": [ { "type": "network", "name": "my-policy", "policyVersion": "MTY2MzY5MTY1MDA3Ml8x", "policy": "[{\"Description\":\"My network policy rule\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection/*\"]}],\"AllowFromPublic\":true}]", "createdDate": 1663691650072, "lastModifiedDate": 1663691650072 } ] }
To view detailed information about a specific policy, use the GetSecurityPolicy command.
Updating network policies
When you modify the VPC endpoints or public access designation for a network, all associated collections are impacted. To update a network policy in the OpenSearch Serverless console, expand Network policies, select the policy to modify, and choose Edit. Make your changes and choose Save.
To update a network policy using the OpenSearch Serverless API, use the UpdateSecurityPolicy command. You must include a policy version in the
request. You can retrieve the policy version by using the
ListSecurityPolicies or GetSecurityPolicy commands.
Including the most recent policy version ensures that you don't inadvertently override a
change made by someone else.
The following request updates a network policy with a new policy JSON document:
aws opensearchserverless update-security-policy \ --name sales-inventory \ --type network \ --policy-versionMTY2MzY5MTY1MDA3Ml8x\ --policy file://my-new-policy.json
Deleting network policies
Before you can delete a network policy, you must detach it from all collections. To delete a policy in the OpenSearch Serverless console, select the policy and choose Delete.
You can also use the DeleteSecurityPolicy command:
aws opensearchserverless delete-security-policy --namemy-policy--type network