403 on opensearch serverless dashboard url

0

I am setting up opoensearch zero-ETl integration with DynamoDB. Howewver, I am not able to open the link for dashboard or the opsnserach endpoint. It retuens {"status":403,"request-id":"751d3bfa-5eb9-9256-8ee6-056da20f1f60","error":{"reason":"403 Forbidden","type":"Forbidden"}}. How can I make sure the link is publicly accessible for anyone.

3 Answers
0

The domain access policy for OpenSearch Serverless can be found and configured in the Amazon OpenSearch Service console.

When you create or select an OpenSearch Serverless domain (COLLECTION), you can view and edit the access policy settings from the "Security and access policies" section.

This allows you to configure permissions for:

Network access - Specify IP ranges or VPCs that can access the OpenSearch endpoint.

Data access policies - Control access to indices and documents down to the field level.

Fine-grained access control - Restrict user permissions within OpenSearch Dashboards.

You can attach IAM policies to allow management of these access policies. For example, to update network access policies for a specific collection.

profile picture
answered 23 days ago
  • Hi Thanks for th reply. But I cant find Fine-grained access control under opensearch serverless. Network access is set to public. But still getting 403.

0

Configure your domain access policy to allow anonymous access. By default it is restricted to authenticated users only. In the domain access policy, add a statement allowing the "" principal to perform the "es:" actions.

This will open up access to both the OpenSearch API endpoint and the dashboard URL to unauthenticated public users. You can also restrict access to specific IP ranges or CIDR blocks if you don't want fully public access.

Be aware that allowing anonymous access may pose security risks, so only do this for non-sensitive data or dashboards. For sensitive use cases, use Amazon Cognito authentication instead.

profile picture
answered 23 days ago
0

I think what you are saying is applicable for opensearch alone and not opensearch serverless. I dont see domain access policy / congnito access options in opensearch serverless although I can see the options under opensearch. Please clarify.

answered 23 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions