Configuring Amazon OpenSearch Service domain security - Amazon Personalize

Configuring Amazon OpenSearch Service domain security

To use the plugin with OpenSearch Service, the user or role that's accessing your domain must have PassRole permissions for the IAM service role for OpenSearch Service you just created. Also, the user or role must have permission to perform the es:ESHttpGet and es:ESHttpPut actions.

For information about configuring access to OpenSearch Service, see Security in Amazon OpenSearch Service in the Amazon OpenSearch Service Developer Guide. For policy examples, see Policy examples for OpenSearch Service user or role.

Policy examples for OpenSearch Service user or role

The following IAM policy example grants a user or role PassRole permissions for the IAM service role that you created for OpenSearch Service in Configuring permissions when resources are in the same account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "OpenSearch Service role ARN"
        }
    ]
}

The following IAM policy grants the minimum permissions to create pipelines and search queries with OpenSearch Service.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "es:ESHttpGet",
                "es:ESHttpPut"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:ResourceTag/environment": [
                        "production"
                    ]
                }
            }
        }
    ]
}
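
The two policies above can be used as a baseline when reviewing what a user or role has actually been granted. The following Python check is an added example, not part of the AWS documentation: it flags Allow statements that are broader than those policies. The finding names, the function lint_policy, and the sample account ID and role name are assumptions made for illustration.

```python
import fnmatch

# The two data-plane actions the page's minimum-permission policy grants.
ALLOWED_ES = {"es:eshttpget", "es:eshttpput"}

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement_index, finding) pairs for Allow grants wider than the page's examples."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "not-element-in-allow"))
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # action names are case-insensitive
        resources = _as_list(stmt.get("Resource"))
        # iam:PassRole should name the one service role, never a wildcard ARN.
        if any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions):
            if any("*" in r for r in resources):
                findings.append((i, "passrole-wildcard-resource"))
        es_actions = [a for a in actions if a == "*" or a.startswith("es:")]
        if any(a not in ALLOWED_ES for a in es_actions):
            findings.append((i, "es-actions-beyond-get-put"))
        # Resource "*" is only acceptable when a Condition (such as the tag match) narrows it.
        if es_actions and "*" in resources and not stmt.get("Condition"):
            findings.append((i, "es-wildcard-resource-without-condition"))
    return findings

# Constructed sample policies; the account ID and role name are placeholders.
PAGE_STYLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/ExampleOpenSearchServiceRole"},
    {"Effect": "Allow", "Action": ["es:ESHttpGet", "es:ESHttpPut"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals": {"aws:ResourceTag/environment": ["production"]}}},
]}
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "es:*", "Resource": "*"},
]}

if __name__ == "__main__":
    for name, pol in (("page-style", PAGE_STYLE), ("too-broad", TOO_BROAD)):
        print(name, lint_policy(pol))
```

The check inspects only the policy document it is given; it does not evaluate permission boundaries, service control policies, or resource-based policies that may further restrict access.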