Network access for Amazon OpenSearch Serverless (original) (raw)

The network settings for an Amazon OpenSearch Serverless collection determine whether the collection is accessible over the internet from public networks, or whether it must be accessed privately.

Private access can apply to one or both of the following:

You can configure network access separately for a collection's_OpenSearch_ endpoint and its corresponding OpenSearch Dashboards endpoint.

Network access is the isolation mechanism for allowing access from different source networks. For example, if a collection's OpenSearch Dashboards endpoint is publicly accessible but the OpenSearch API endpoint isn't, a user can access the collection data only through Dashboards when connecting from a public network. If they try to call the OpenSearch APIs directly from a public network, they'll be blocked. Network settings can be used for such permutations of source to resource type. Amazon OpenSearch Serverless supports both IPv4 and IPv6 connectivity.

Topics

Network policies

Network policies let you manage many collections at scale by automatically assigning network access settings to collections that match the rules defined in the policy.

In a network policy, you specify a series of rules. These rule define access permissions to collection endpoints and OpenSearch Dashboards endpoints. Each rule consists of an access type (public or private) and a resource type (collection and/or OpenSearch Dashboards endpoint). For each resource type (collection anddashboard), you specify a series of rules that define which collection(s) the policy will apply to.

In this sample policy, the first rule specifies VPC endpoint access to both the collection endpoint and the Dashboards endpoint for all collections beginning with the termmarketing*. It also specifies Amazon Bedrock access.

Note

Private access to AWS services such as Amazon Bedrock only applies to the collection's OpenSearch endpoint, not to the OpenSearch Dashboards endpoint. Even if theResourceType is dashboard, AWS services cannot be granted access to OpenSearch Dashboards.

The second rule specifies public access to the finance collection, but only for the collection endpoint (no Dashboards access).

[
   {
      "Description":"Marketing access",
      "Rules":[
         {
            "ResourceType":"collection",
            "Resource":[
               "collection/marketing*"
            ]
         },
         {
            "ResourceType":"dashboard",
            "Resource":[
               "collection/marketing*"
            ]
         }
      ],
      "AllowFromPublic":false,
      "SourceVPCEs":[
         "vpce-050f79086ee71ac05"
      ],
      "SourceServices":[
         "bedrock.amazonaws.com"
      ],
   },
   {
      "Description":"Sales access",
      "Rules":[
         {
            "ResourceType":"collection",
            "Resource":[
               "collection/finance"
            ]
         }
      ],
      "AllowFromPublic":true
   }
]

This policy provides public access only to OpenSearch Dashboards for collections beginning with "finance". Any attempts to directly access the OpenSearch API will fail.

[
  {
    "Description": "Dashboards access",
    "Rules": [
      {
        "ResourceType": "dashboard",
        "Resource": [
          "collection/finance*"
        ]
      }
    ],
    "AllowFromPublic": true
  }
]

Network policies can apply to existing collections as well as future collections. For example, you can create a collection and then create a network policy with a rule that matches the collection name. You don't need to create network policies before you create collections.

Considerations

Consider the following when you configure network access for your collections:

Permissions required to configure network policies

Network access for OpenSearch Serverless uses the following AWS Identity and Access Management (IAM) permissions. You can specify IAM conditions to restrict users to network policies associated with specific collections.

The following identity-based access policy allows a user to view all network policies, and update policies with the resource patterncollection/application-logs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "aoss:UpdateSecurityPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aoss:collection": "application-logs"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "aoss:ListSecurityPolicies",
                "aoss:GetSecurityPolicy"
            ],
            "Resource": "*"
        }
    ]
}
Note

In addition, OpenSearch Serverless requires the aoss:APIAccessAll andaoss:DashboardsAccessAll permissions for collection resources. For more information, see Using OpenSearch API operations.

Policy precedence

There can be situations where network policy rules overlap, within or across policies. When this happens, a rule that specifies public access overrides a rule that specifies private access for any collections that are common to both rules.

For example, in the following policy, both rules assign network access to thefinance collection, but one rule specifies VPC access while the other specifies public access. In this situation, public access overrides VPC access_only for the finance collection_ (because it exists in both rules), so the finance collection will be accessible from public networks. The sales collection will have VPC access from the specified endpoint.

[
   {
      "Description":"Rule 1",
      "Rules":[
         {
            "ResourceType":"collection",
            "Resource":[
               "collection/sales",
               "collection/finance"
            ]
         }
      ],
      "AllowFromPublic":false,
      "SourceVPCEs":[
         "vpce-050f79086ee71ac05"
      ]
   },
   {
      "Description":"Rule 2",
      "Rules":[
         {
            "ResourceType":"collection",
            "Resource":[
               "collection/finance"
            ]
         }
      ],
      "AllowFromPublic":true
   }
]

If multiple VPC endpoints from different rules apply to a collection, the rules are additive and the collection will be accessible from all specified endpoints. If you setAllowFromPublic to true but also provide one or moreSourceVPCEs or SourceServices, OpenSearch Serverless ignores the VPC endpoints and service identifiers, and the associated collections will have public access.

Creating network policies (console)

Network policies can apply to existing policies as well as future policies. We recommend that you create network policies before you start creating collections.

To create an OpenSearch Serverless network policy
  1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/home.
  2. On the left navigation panel, expand Serverless and choose Network policies.
  3. Choose Create network policy.
  4. Provide a name and description for the policy.
  5. Provide one or more rules. These rules define access permissions for your OpenSearch Serverless collections and their OpenSearch Dashboards endpoints.
    Each rule contains the following elements:
    Element Description
    Rule name A name that describes the contents of the rule. For example, "VPC access for marketing team".
    Access type Choose either public or private access. Then, select one or both of the following: VPC endpoints for access – Specify one or more OpenSearch Serverless-managed VPC endpoints–managed VPC endpoints. AWS service private access – Select one or more supported AWS services.
    Resource type Select whether to provide access to OpenSearch endpoints (which allows making calls to the OpenSearch API), to OpenSearch Dashboards (which allows access to visualizations and the user interface for OpenSearch plugins), or both.NoteAWS service private access only applies to the collection's OpenSearch endpoint, not to the OpenSearch Dashboards endpoint. Even if you selectOpenSearch Dashboards, AWS services can only be granted endpoint access.
    For each resource type that you select, you can choose existing collections to apply the policy settings to, and/or create one or more resource patterns. Resource patterns consist of a prefix and a wildcard (*), and define which collections the policy settings will apply to.
    For example, if you include a pattern called Marketing*, any new or existing collections whose names start with "Marketing" will have the network settings in this policy automatically applied to them. A single wildcard (*) applies the policy to all current and future collections.
    In addition, you can specify the name of a future collection without a wildcard, such as Finance. OpenSearch Serverless will apply the policy settings to any newly created collection with that exact name.
  6. When you're satisfied with your policy configuration, chooseCreate.

Creating network policies (AWS CLI)

To create a network policy using the OpenSearch Serverless API operations, you specify rules in JSON format. The CreateSecurityPolicy request accepts both inline policies and .json files. All collections and patterns must take the form collection/<collection name|pattern>.

Note

The resource type dashboards only allows permission to OpenSearch Dashboards, but in order for OpenSearch Dashboards to function, you must also allow collection access from the same sources. See the second policy below for an example.

To specify private access, include one or both of the following elements:

The following sample network policy provides private access, to a VPC endpoint and Amazon Bedrock, to collection endpoints only for collections beginning with the prefixlog*. Authenticated users can't sign in to OpenSearch Dashboards; they can only access the collection endpoint programmatically.

[
   {
      "Description":"Private access for log collections",
      "Rules":[
         {
            "ResourceType":"collection",
            "Resource":[
               "collection/log*"
            ]
         }
      ],
      "AllowFromPublic":false,
      "SourceVPCEs":[
         "vpce-050f79086ee71ac05"
      ],
      "SourceServices":[
         "bedrock.amazonaws.com"
      ],
   }
]

The following policy provides public access to the OpenSearch endpoint_and_ OpenSearch Dashboards for a single collection namedfinance. If the collection doesn't exist, the network settings will be applied to the collection if and when it's created.

[
   {
      "Description":"Public access for finance collection",
      "Rules":[
         {
            "ResourceType":"dashboard",
            "Resource":[
               "collection/finance"
            ]
         },
         {
            "ResourceType":"collection",
            "Resource":[
               "collection/finance"
            ]
         }
      ],
      "AllowFromPublic":true
   }
]

The following request creates the above network policy:

aws opensearchserverless create-security-policy \
    --name sales-inventory \
    --type network \
    --policy "[{\"Description\":\"Public access for finance collection\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection\/finance\"]},{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/finance\"]}],\"AllowFromPublic\":true}]"

To provide the policy in a JSON file, use the format --policy file://`my-policy`.json

Viewing network policies

Before you create a collection, you might want to preview the existing network policies in your account to see which one has a resource pattern that matches your collection's name. The following ListSecurityPolicies request lists all network policies in your account:

aws opensearchserverless list-security-policies --type network

The request returns information about all configured network policies. To view the pattern rules defined in the one specific policy, find the policy information in the contents of the securityPolicySummaries element in the response. Note thename and type of this policy and use these properties in aGetSecurityPolicy request to receive a response with the following policy details: 

{
    "securityPolicyDetail": [
        {
            "type": "network",
            "name": "my-policy",
            "policyVersion": "MTY2MzY5MTY1MDA3Ml8x",
            "policy": "[{\"Description\":\"My network policy rule\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection/*\"]}],\"AllowFromPublic\":true}]",
            "createdDate": 1663691650072,
            "lastModifiedDate": 1663691650072
        }
    ]
}

To view detailed information about a specific policy, use the GetSecurityPolicy command.

Updating network policies

When you modify the VPC endpoints or public access designation for a network, all associated collections are impacted. To update a network policy in the OpenSearch Serverless console, expand Network policies, select the policy to modify, and chooseEdit. Make your changes and chooseSave.

To update a network policy using the OpenSearch Serverless API, use the UpdateSecurityPolicy command. You must include a policy version in the request. You can retrieve the policy version by using theListSecurityPolicies or GetSecurityPolicy commands. Including the most recent policy version ensures that you don't inadvertently override a change made by someone else.

The following request updates a network policy with a new policy JSON document:

aws opensearchserverless update-security-policy \
    --name sales-inventory \
    --type network \
    --policy-version MTY2MzY5MTY1MDA3Ml8x \
    --policy file://my-new-policy.json

Deleting network policies

Before you can delete a network policy, you must detach it from all collections. To delete a policy in the OpenSearch Serverless console, select the policy and chooseDelete.

You can also use the DeleteSecurityPolicy command:

aws opensearchserverless delete-security-policy --name my-policy --type network