Specifies a security configuration for OpenSearch Serverless. For more information, see SAML authentication for Amazon OpenSearch Serverless.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::OpenSearchServerless::SecurityConfig",
  "Properties" : {
    "Description" : String,
    "IamIdentityCenterOptions" : IamIdentityCenterConfigOptions,
    "Name" : String,
    "SamlOptions" : SamlConfigOptions,
    "Type" : String
  }
}
YAML
Type: AWS::OpenSearchServerless::SecurityConfig
Properties:
  Description: String
  IamIdentityCenterOptions:
    IamIdentityCenterConfigOptions
  Name: String
  SamlOptions:
    SamlConfigOptions
  Type: String
Properties
Description
  The description of the security configuration.
  Required: No
  Type: String
  Minimum: 1
  Maximum: 1000
  Update requires: No interruption
IamIdentityCenterOptions
  Describes IAM Identity Center options in the form of a key-value map.
  Required: No
  Type: IamIdentityCenterConfigOptions
  Update requires: No interruption
Name
  The name of the security configuration.
  Required: No
  Type: String
  Pattern: ^[a-z][a-z0-9-]{2,31}$
  Minimum: 3
  Maximum: 32
  Update requires: Replacement
SamlOptions
  SAML options for the security configuration in the form of a key-value map.
  Required: No
  Type: SamlConfigOptions
  Update requires: No interruption
Type
  The type of security configuration. Currently the only option is saml.
  Required: No
  Type: String
  Allowed values: saml | iamidentitycenter
  Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the security configuration. For more information about using the Ref function, see Ref.
Fn::GetAtt
GetAtt returns a value for a specified attribute of this type. For more information, see Fn::GetAtt. The following are the available attributes and sample return values.
IamIdentityCenterOptions.ApplicationArn
  Property description not available.
IamIdentityCenterOptions.ApplicationDescription
  Property description not available.
IamIdentityCenterOptions.ApplicationName
  Property description not available.
Id
  The unique identifier of the security configuration. For example, saml/123456789012/myprovider.
Examples
Create a security configuration that specifies a SAML provider
The following example specifies an OpenSearch Serverless SAML provider named my-provider with a custom group attribute ALLGroups.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "OpenSearch Serverless security policy template",
  "Resources": {
    "TestSecurityConfig": {
      "Type": "AWS::OpenSearchServerless::SecurityConfig",
      "Properties": {
        "Name": "my-provider",
        "Type": "saml",
        "Description": "Serverless SAML configuration",
        "SamlOptions": {
          "Metadata": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><md:EntityDescriptor entityID=\"http://www.okta.com/foobar\" xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>Mfoobar</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://trial-1234567.okta.com/app/trial-1234567_saml2_1/foobar/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://trial-1234567.okta.com/app/trial-1234567_saml2_1/foobar/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
          "UserAttribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          "GroupAttribute": "ALLGroups",
          "SessionTimeout": 120
        }
      }
    }
  }
}
YAML
Description: OpenSearch Serverless security policy template
Resources:
  TestSecurityConfig:
    Type: 'AWS::OpenSearchServerless::SecurityConfig'
    Properties:
      Name: my-provider
      Type: saml
      Description: Serverless SAML configuration
      SamlOptions:
        Metadata: >-
          <?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor
          entityID="http://www.okta.com/foobar"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor
          WantAuthnRequestsSigned="false"
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor
          use="signing"><ds:KeyInfo
          xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>Mfoobar</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://trial-1234567.okta.com/app/trial-1234567_saml2_1/foobar/sso/saml"/><md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://trial-1234567.okta.com/app/trial-1234567_saml2_1/foobar/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>
        UserAttribute: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
        GroupAttribute: ALLGroups
        SessionTimeout: 120
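As an added example (not part of the AWS documentation), a small Python pre-deployment check that applies the constraints listed under Properties above (the resource type, the Name pattern, the Description length and the allowed Type values) to a SecurityConfig resource, and additionally checks that SamlOptions.Metadata is well-formed IdP metadata carrying a signing key, since that key is what the service uses to verify the assertions the IdP signs. The sample resource and its trimmed metadata are constructed here; the signing-key check is this example's own defensive check, not a documented CloudFormation constraint.

```python
import re
import xml.etree.ElementTree as ET

RESOURCE_TYPE = "AWS::OpenSearchServerless::SecurityConfig"
NAME_PATTERN = re.compile(r"^[a-z][a-z0-9-]{2,31}$")  # Name property pattern from the page
ALLOWED_TYPES = {"saml", "iamidentitycenter"}          # Type property allowed values
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"          # SAML metadata namespace, Clark form

def check_saml_metadata(metadata):
    """Problems with SamlOptions.Metadata: must parse and carry a signing KeyDescriptor."""
    if not metadata:
        return ["SamlOptions.Metadata is missing"]
    try:
        root = ET.fromstring(metadata)
    except ET.ParseError as exc:
        return [f"SamlOptions.Metadata is not well-formed XML: {exc}"]
    problems = []
    if root.tag != MD + "EntityDescriptor":
        problems.append(f"metadata root is {root.tag}, expected md:EntityDescriptor")
    # Own check (not a documented constraint): without a signing key, assertions cannot be verified.
    if root.find(f".//{MD}KeyDescriptor[@use='signing']") is None:
        problems.append("metadata has no KeyDescriptor with use='signing'")
    return problems

def validate_security_config(resource):
    """Return the list of problems found in one SecurityConfig resource (empty if clean)."""
    problems = []
    if resource.get("Type") != RESOURCE_TYPE:
        problems.append(f"resource Type is {resource.get('Type')!r}, expected {RESOURCE_TYPE}")
    props = resource.get("Properties", {})
    name, desc, cfg_type = props.get("Name"), props.get("Description"), props.get("Type")
    if name is not None and not NAME_PATTERN.match(name):
        problems.append(f"Name {name!r} does not match {NAME_PATTERN.pattern}")
    if desc is not None and not 1 <= len(desc) <= 1000:
        problems.append("Description must be 1 to 1000 characters")
    if cfg_type is not None and cfg_type not in ALLOWED_TYPES:
        problems.append(f"Type {cfg_type!r} is not one of {sorted(ALLOWED_TYPES)}")
    if "SamlOptions" in props:
        problems += check_saml_metadata(props["SamlOptions"].get("Metadata"))
    return problems

# Constructed sample, modelled on the page's JSON example with the IdP metadata trimmed.
SAMPLE_METADATA = ('<md:EntityDescriptor entityID="http://www.okta.com/foobar" '
                   'xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor>'
                   '<md:KeyDescriptor use="signing"/></md:IDPSSODescriptor></md:EntityDescriptor>')
SAMPLE_RESOURCE = {"Type": RESOURCE_TYPE, "Properties": {
    "Name": "my-provider", "Type": "saml", "Description": "Serverless SAML configuration",
    "SamlOptions": {"Metadata": SAMPLE_METADATA, "GroupAttribute": "ALLGroups",
                    "SessionTimeout": 120}}}
```

Running validate_security_config over the YAML example as originally published would have flagged its resource type, which is the kind of copy-paste slip this check is meant to catch before a stack update.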