By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Limit actions within Opensearch Serverless IAM policy

0

I'm trying to limit the actions given within my IAM role statement but it is only working when full access is given (aoss:*). I'm trying to limit this down to only allow users to have minimum access to the collection.

Below is my working example:

iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:DashboardsAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:dashboards/default
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - '*'

I have had a look at the documentation and implemented the full list of actions to then try eliminate one by one, but with the full action list added it is still throwing an error. The example is shown below.

iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
                  - aoss:DeleteCollection
                  - aoss:UpdateCollection
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:DashboardsAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:dashboards/default
            - Effect: Allow
              Action:
                  - aoss:BatchGetCollection
                  - aoss:BatchGetVpcEndpoint
                  - aoss:CreateAccessPolicy
                  - aoss:CreateCollection
                  - aoss:CreateSecurityConfig
                  - aoss:CreateSecurityPolicy
                  - aoss:CreateVpcEndpoint
                  - aoss:DeleteAccessPolicy
                  - aoss:DeleteSecurityConfig
                  - aoss:DeleteSecurityPolicy
                  - aoss:DeleteVpcEndpoint
                  - aoss:GetAccessPolicy
                  - aoss:GetAccountSettings
                  - aoss:GetPoliciesStats
                  - aoss:GetSecurityConfig
                  - aoss:GetSecurityPolicy
                  - aoss:ListAccessPolicies
                  - aoss:ListCollections
                  - aoss:ListSecurityConfigs
                  - aoss:ListSecurityPolicies
                  - aoss:ListTagsForResource
                  - aoss:ListVpcEndpoints
                  - aoss:UpdateAccessPolicy
                  - aoss:UpdateAccountSettings
                  - aoss:UpdateSecurityConfig
                  - aoss:UpdateSecurityPolicy
                  - aoss:UpdateVpcEndpoint
              Resource:
                  - '*'

Any help would be greatly appreciated!

Topics
Security, Identity, & ComplianceAnalyticsDatabase
Tags
AWS Identity and Access ManagementIAM PoliciesAmazon OpenSearch Serverless
Language
English
pabs
asked 9 months ago443 views
1 Answer
0

Hello.
What error messages are you getting?

profile picture
EXPERT
Riku_Kobayashi
answered 9 months ago
  • pabs
    9 months ago

    It's returning a 403 Forbidden error.

  • Riku_Kobayashi EXPERT
    9 months ago

    Am I correct in assuming that the following policies are working properly? By the way, is this policy the one used by IAM users, etc.?

    iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:DashboardsAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:dashboards/default
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - '*'

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content