AWS::OpenSearchServerless::SecurityPolicy - AWS CloudFormation

AWS::OpenSearchServerless::SecurityPolicy

Creates an encryption or network policy to be used by one or more OpenSearch Serverless collections.

Network policies specify access to a collection and its OpenSearch Dashboards endpoint from public networks or specific VPC endpoints. For more information, see Network access for Amazon OpenSearch Serverless.

Encryption policies specify a KMS encryption key to assign to particular collections. For more information, see Encryption at rest for Amazon OpenSearch Serverless.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::OpenSearchServerless::SecurityPolicy",
  "Properties" : {
      "Description" : String,
      "Name" : String,
      "Policy" : String,
      "Type" : String
    }
}

YAML

Type: AWS::OpenSearchServerless::SecurityPolicy
Properties:
  Description: String
  Name: String
  Policy: String
  Type: String

Properties

Description

The description of the security policy.

Required: No

Type: String

Minimum: 1

Maximum: 1000

Update requires: No interruption

Name

The name of the policy.

Required: Yes

Type: String

Pattern: ^[a-z][a-z0-9-]{2,31}$

Minimum: 3

Maximum: 32

Update requires: Replacement

Policy

The JSON policy document, serialized without any whitespace.

Required: Yes

Type: String

Pattern: [\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]+

Minimum: 1

Maximum: 20480

Update requires: No interruption

Type

The type of security policy. Can be either encryption or network.

Required: Yes

Type: String

Allowed values: encryption | network

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the security policy. For more information about using the Ref function, see Ref.

Examples

Create an encryption policy

The following example specifies an OpenSearch Serverless encryption policy named logs-encryption-policy with an AWS owned key. The policy will apply to all future collections with names that begin with "logs".

For a complete sample policy that creates network, encryption, and access policies, as well as a matching collection, see Using AWS CloudFormation to create Amazon OpenSearch Serverless collections in the Amazon OpenSearch Service Developer Guide.

JSON

{
  "Description":"OpenSearch Serverless encryption policy template",
  "Resources":{
    "TestSecurityPolicy":{
      "Type":"AWS::OpenSearchServerless::SecurityPolicy",
      "Properties":{
        "Name":"logs-encryption-policy",
        "Type":"encryption",
        "Description":"Encryption policy for test collections",
        "Policy":"{\"Rules\":[{\"ResourceType\":\"collection\",\"Resource\":[\"collection/logs*\"]}],\"AWSOwnedKey\":true}"
      }
    }
  }
}

YAML

Description: OpenSearch Serverless encryption policy template
Resources:
  TestSecurityPolicy:
    Type: 'AWS::OpenSearchServerless::SecurityPolicy'
    Properties:
      Name: logs-encryption-policy
      Type: encryption
      Description: Encryption policy for test collections
      Policy: >-
        {"Rules":[{"ResourceType":"collection","Resource":["collection/logs*"]}],"AWSOwnedKey":true}

Create a network policy

The following example specifies an OpenSearch Serverless network policy named logs-network-policy. It provides public access to OpenSearch endpoints and OpenSearch Dashboards endpoints. The policy will apply to all collections with names that begin with "logs".

JSON

{
  "Description":"OpenSearch Serverless network policy template",
  "Resources":{
    "SecurityPolicy":{
      "Type":"AWS::OpenSearchServerless::SecurityPolicy",
      "Properties":{
        "Name":"logs-network-policy",
        "Type":"network",
        "Description":"Network policy for test collections",
        "Policy":"[{\"Rules\":[{\"ResourceType\":\"collection\",\"Resource\":[\"collection/logs*\"]}, {\"ResourceType\":\"dashboard\",\"Resource\":[\"collection/logs*\"]}],\"AllowFromPublic\":true}]"
      }
    }
  }
}

YAML

Description: OpenSearch Serverless network policy template
Resources:
  SecurityPolicy:
    Type: 'AWS::OpenSearchServerless::SecurityPolicy'
    Properties:
      Name: logs-network-policy
      Type: network
      Description: Network policy for test collections
      Policy: >-
        [{"Rules":[{"ResourceType":"collection","Resource":["collection/logs*"]}, {"ResourceType":"dashboard","Resource":["collection/logs*"]}],"AllowFromPublic":true}]
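Because the Policy property is a JSON document embedded as a string, the typical mistakes when authoring this resource are a name that fails the `^[a-z][a-z0-9-]{2,31}$` pattern, a policy string that is not valid JSON or carries stray whitespace, and a network policy that opens collection and dashboard endpoints to the public without anyone noticing. The following Python script is an added example, not code from the AWS documentation: it builds the two policy documents shown above, minifies them into the form the Policy property expects, checks a Properties block against the limits listed in the property table on this page, and reports every resource pattern a network policy exposes through `AllowFromPublic`. The `KmsARN` field used for a customer managed key is taken from the OpenSearch Serverless encryption policy schema rather than from this page, and the sample inputs are constructed to mirror the page's examples.

```python
"""Build, minify and sanity-check AWS::OpenSearchServerless::SecurityPolicy properties.

Added example, not AWS code. Limits and patterns are those of the resource's Properties
table; policy field names come from the page's encryption and network examples, except
KmsARN (customer managed key), which is assumed from the service's encryption policy schema.
"""
import json
import re

NAME_PATTERN = re.compile(r"^[a-z][a-z0-9-]{2,31}$")
# Allowed characters for the Policy string, as given in the property table.
POLICY_CHARS = re.compile(r"[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]+")
POLICY_MAX_LEN = 20480
DESCRIPTION_MAX_LEN = 1000
ALLOWED_TYPES = ("encryption", "network")


def minify(policy_doc):
    """Serialize a policy document as the whitespace-free JSON string the Policy property expects."""
    return json.dumps(policy_doc, separators=(",", ":"))


def encryption_policy(collection_patterns, kms_arn=None):
    """Encryption policy document: AWS owned key by default, else a customer managed key (KmsARN is an assumed field name)."""
    doc = {
        "Rules": [{"ResourceType": "collection", "Resource": list(collection_patterns)}],
        "AWSOwnedKey": kms_arn is None,
    }
    if kms_arn is not None:
        doc["KmsARN"] = kms_arn
    return doc


def validate_properties(props):
    """Return the list of constraint violations for a Properties block; an empty list means it passes."""
    problems = []
    name = props.get("Name")
    if name is None:
        problems.append("Name is required")
    elif not NAME_PATTERN.match(name):
        problems.append(f"Name {name!r} does not match ^[a-z][a-z0-9-]{{2,31}}$")

    if props.get("Type") not in ALLOWED_TYPES:
        problems.append(f"Type must be one of {ALLOWED_TYPES}, got {props.get('Type')!r}")

    desc = props.get("Description")
    if desc is not None and not (1 <= len(desc) <= DESCRIPTION_MAX_LEN):
        problems.append(f"Description must be 1 to {DESCRIPTION_MAX_LEN} characters")

    policy = props.get("Policy")
    if policy is None:
        problems.append("Policy is required")
    else:
        if not (1 <= len(policy) <= POLICY_MAX_LEN):
            problems.append(f"Policy length {len(policy)} is outside 1..{POLICY_MAX_LEN}")
        if not POLICY_CHARS.fullmatch(policy):
            problems.append("Policy contains characters outside the allowed pattern")
        try:
            json.loads(policy)
        except json.JSONDecodeError as exc:
            problems.append(f"Policy is not valid JSON: {exc}")
    return problems


def public_exposures(network_policy):
    """List (ResourceType, Resource) pairs that a network policy opens to public networks via AllowFromPublic."""
    exposed = []
    for statement in json.loads(network_policy):
        if statement.get("AllowFromPublic") is True:
            for rule in statement.get("Rules", []):
                for resource in rule.get("Resource", []):
                    exposed.append((rule.get("ResourceType"), resource))
    return exposed


# Constructed sample inputs mirroring the page's two examples.
ENCRYPTION_PROPS = {
    "Name": "logs-encryption-policy",
    "Type": "encryption",
    "Description": "Encryption policy for test collections",
    "Policy": minify(encryption_policy(["collection/logs*"])),
}
NETWORK_PROPS = {
    "Name": "logs-network-policy",
    "Type": "network",
    "Description": "Network policy for test collections",
    "Policy": minify([{
        "Rules": [
            {"ResourceType": "collection", "Resource": ["collection/logs*"]},
            {"ResourceType": "dashboard", "Resource": ["collection/logs*"]},
        ],
        "AllowFromPublic": True,
    }]),
}

if __name__ == "__main__":
    for props in (ENCRYPTION_PROPS, NETWORK_PROPS):
        print(props["Name"], "->", validate_properties(props) or "OK")
    for resource_type, resource in public_exposures(NETWORK_PROPS["Policy"]):
        print(f"public access: {resource_type} {resource}")
```

Run it before deploying a template: an empty result from `validate_properties` means the block satisfies the documented limits, and any pair returned by `public_exposures` is an endpoint that will be reachable from public networks and should be compared against what the collection actually needs.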