Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

AWS managed policies for Amazon OpenSearch Service

PDF
RSS
Focus mode
AWS managed policies for Amazon OpenSearch Service - Amazon OpenSearch Service
AmazonOpenSearchDirectQueryGlueCreateAccessAmazonOpenSearchServiceFullAccessAmazonOpenSearchServiceReadOnlyAccessAmazonOpenSearchServiceRolePolicyAmazonOpenSearchServiceCognitoAccessAmazonOpenSearchIngestionServiceRolePolicyOpenSearchIngestionSelfManagedVpcePolicyAmazonOpenSearchIngestionFullAccessAmazonOpenSearchIngestionReadOnlyAccessAmazonOpenSearchServerlessServiceRolePolicyPolicy updates

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

For more information, see AWS managed policies in the IAM User Guide.

AmazonOpenSearchDirectQueryGlueCreateAccess

Grants Amazon OpenSearch Service Direct Query Service access to the CreateDatabase, CreatePartition,CreateTable, and BatchCreatePartition AWS Glue API.

You can find the AmazonOpenSearchDirectQueryGlueCreateAccess policy in the IAM console.

AmazonOpenSearchServiceFullAccess

Grants full access to the OpenSearch Service configuration API operations and resources for an AWS account.

You can find the AmazonOpenSearchServiceFullAccess policy in the IAM console.

AmazonOpenSearchServiceReadOnlyAccess

Grants read-only access to all OpenSearch Service resources for an AWS account.

You can find the AmazonOpenSearchServiceReadOnlyAccess policy in the IAM console.

AmazonOpenSearchServiceRolePolicy

You can't attach AmazonOpenSearchServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows OpenSearch Service to access account resources. For more information, see Permissions.

You can find the AmazonOpenSearchServiceRolePolicy policy in the IAM console.

AmazonOpenSearchServiceCognitoAccess

Provides the minimum Amazon Cognito permissions necessary to enable Cognito authentication.

You can find the AmazonOpenSearchServiceCognitoAccess policy in the IAM console.

AmazonOpenSearchIngestionServiceRolePolicy

You can't attach AmazonOpenSearchIngestionServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows OpenSearch Ingestion to enable VPC access for ingestion pipelines, create tags, and publish ingestion-related CloudWatch metrics to your account. For more information, see Using service-linked roles for Amazon OpenSearch Service.

You can find the AmazonOpenSearchIngestionServiceRolePolicy policy in the IAM console.

OpenSearchIngestionSelfManagedVpcePolicy

You can't attach OpenSearchIngestionSelfManagedVpcePolicy to your IAM entities. This policy is attached to a service-linked role that allows OpenSearch Ingestion to enable self-managed VPC access for ingestion pipelines, create tags, and publish ingestion-related CloudWatch metrics to your account. For more information, see Using service-linked roles for Amazon OpenSearch Service.

You can find the OpenSearchIngestionSelfManagedVpcePolicy policy in the IAM console.

AmazonOpenSearchIngestionFullAccess

Grants full access to the OpenSearch Ingestion API operations and resources for an AWS account.

You can find the AmazonOpenSearchIngestionFullAccess policy in the IAM console.

AmazonOpenSearchIngestionReadOnlyAccess

Grants read-only access to all OpenSearch Ingestion resources for an AWS account.

You can find the AmazonOpenSearchIngestionReadOnlyAccess policy in the IAM console.

AmazonOpenSearchServerlessServiceRolePolicy

Provides the minimum Amazon CloudWatch permissions necessary to send OpenSearch Serverless metric data to CloudWatch.

You can find the AmazonOpenSearchServerlessServiceRolePolicy policy in the IAM console.

OpenSearch Service updates to AWS managed policies

View details about updates to AWS managed policies for OpenSearch Service since this service began tracking changes.

Change Description Date

Updated AmazonOpenSearchServerlessServiceRolePolicy

Added the Sid AllowAOSSCloudwatchMetrics to the policy AmazonOpenSearchServerlessServiceRolePolicy. A Sid is a statement ID that acts as an optional identifier for the policy statement.

 12 July 2024

Added OpenSearchIngestionSelfManagedVpcePolicy

A new policy that allows OpenSearch Ingestion to enable self-managed VPC access for ingestion pipelines, create tags, and publish ingestion-related CloudWatch metrics to your account.

For the policy JSON, see the IAM console.

 12 June 2024

AddedAmazonOpenSearchDirectQueryGlueCreateAccess

Grants Amazon OpenSearch Service Direct Query Service access to the CreateDatabase, CreatePartition,CreateTable, and BatchCreatePartition AWS Glue API.

 6 May 2024

Updated AmazonOpenSearchServiceRolePolicy and AmazonElasticsearchServiceRolePolicy

Added the permissions necessary for the service-linked role to assign and unassign IPv6 addresses.

The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.

18 October 2023

Added AmazonOpenSearchIngestionServiceRolePolicy

A new policy that allows OpenSearch Ingestion to enable VPC access for ingestion pipelines, create tags, and publish ingestion-related CloudWatch metrics to your account.

For the policy JSON, see the IAM console.

26 April 2023

Added AmazonOpenSearchIngestionFullAccess

A new policy that grants full access to the OpenSearch Ingestion API operations and resources for an AWS account.

For the policy JSON, see the IAM console.

26 April 2023

Added AmazonOpenSearchIngestionReadOnlyAccess

A new policy that grants read-only access to all OpenSearch Ingestion resources for an AWS account.

For the policy JSON, see the IAM console.

26 April 2023

Added AmazonOpenSearchServerlessServiceRolePolicy

A new policy that provides the minimum permissions necessary to send OpenSearch Serverless metric data to Amazon CloudWatch.

For the policy JSON, see the IAM console.

29 November 2022

Updated AmazonOpenSearchServiceRolePolicy and AmazonElasticsearchServiceRolePolicy

Added the permissions necessary for the service-linked role to create OpenSearch Service-managed VPC endpoints. Some actions can only be performed when the request contains the tag OpenSearchManaged=true.

The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.

7 November 2022

Updated AmazonOpenSearchServiceRolePolicy and AmazonElasticsearchServiceRolePolicy

Added support for the PutMetricData action, which is required to publish OpenSearch cluster metrics to Amazon CloudWatch.

The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.

For the policy JSON, see the IAM console.

12 September 2022

Updated AmazonOpenSearchServiceRolePolicy and AmazonElasticsearchServiceRolePolicy

Added support for the acm resource type. The policy provides the minimum AWS Certificate Manager (ACM) read-only permission necessary for the service-linked role to verify and validate ACM resources in order to create and update custom endpoint enabled domains.

The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.

28 July 2022

Updated AmazonOpenSearchServiceCognitoAccess and AmazonESCognitoAccess

Added support for the UpdateUserPoolClient action, which is required to set Cognito user pool configuration during upgrade from Elasticsearch to OpenSearch.

Corrected permissions for the SetIdentityPoolRoles action to allow access to all resources.

The deprecated Elasticsearch policy has also been updated to ensure backwards compatibility.

20 December 2021

Updated AmazonOpenSearchServiceRolePolicy

Added support for the security-group resource type. The policy provides the minimum Amazon EC2 and Elastic Load Balancing permissions necessary for the service-linked role to enable VPC access.

9 September 2021

  • Added AmazonOpenSearchServiceFullAccess

  • Deprecated AmazonESFullAccess

This new policy is meant to replace the old policy. Both policies provide full access to the OpenSearch Service configuration API and all HTTP methods for the OpenSearch APIs. Fine-grained access control and resource-based policies can still restrict access.

7 September 2021

  • Added AmazonOpenSearchServiceReadOnlyAccess

  • Deprecated AmazonESReadOnlyAccess

This new policy is meant to replace the old policy. Both policies provide read-only access to the OpenSearch Service configuration API (es:Describe*, es:List*, and es:Get*) and no access to the HTTP methods for the OpenSearch APIs.

7 September 2021

  • Added AmazonOpenSearchServiceCognitoAccess

  • Deprecated AmazonESCognitoAccess

This new policy is meant to replace the old policy. Both policies provide the minimum Amazon Cognito permissions necessary to enable Cognito authentication.

7 September 2021

This new policy is meant to replace the old policy. Both policies provide the minimum Amazon EC2 and Elastic Load Balancing permissions necessary for the service-linked role to enable VPC access.

7 September 2021

Started tracking changes

Amazon OpenSearch Service now tracks changes to AWS-managed policies.

7 September 2021

On this page

Related resources

Amazon OpenSearch Service API Reference
AWS CLI commands for Amazon OpenSearch Service
SDKs & Tools 

Related resources

Amazon OpenSearch Service API Reference
AWS CLI commands for Amazon OpenSearch Service
SDKs & Tools 
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.