# Managing custom plugins in Amazon OpenSearch Service
Using custom plugins for OpenSearch Service, you can extend OpenSearch functionality in areas like language analysis, custom filtering, ranking and more, making it possible for you to craft personalized search experiences. Custom plugins for OpenSearch can be developed by extending the `org.opensearch.plugins.Plugin` class and then packaging it in a `.zip` file.
The following plugin extensions are currently supported by Amazon OpenSearch Service:
+ **AnalysisPlugin** – Extends analysis functionality by adding, for example, custom analyzers, character tokenizers, or filters for text processing.
+ **SearchPlugin** – Enhances search capabilities with custom query types, similarity algorithms, suggestion options, and aggregations.
+ **MapperPlugin** – Allows you to create custom field types and their mapping configurations in OpenSearch, enabling you to define how different types of data should be stored and indexed.
+ **ScriptPlugin** – Allows you to add custom scripting capabilities to OpenSearch, for example, custom scripts for operations like scoring, sorting, and field value transformations during search or indexing.
+ **SearchPipelinePlugin** – Allows you to tailor the search experience on Amazon OpenSearch Service by adding custom search pipeline capabilities — for example, custom `SearchPhaseResultsProcessor` implementations that run between search phases at the coordinating node level, hybrid search reranking to combine multiple scoring strategies, and federated search pipelines that aggregate results across multiple data sources.
You can use the OpenSearch Service console or existing API commands for custom packages to upload and associate the plugin with the Amazon OpenSearch Service cluster. You can also use the [DescribePackages](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_DescribePackages.html) command to describe all the packages in your account and to view details such as OpenSearch version and error details. OpenSearch Service validates plugin package for version compatibility, security vulnerabilities, and permitted plugin operations. For more information about custom packages, see [Importing and managing packages in Amazon OpenSearch Service](custom-packages.md).
**OpenSearch version and AWS Region support**
Custom plugins are supported on OpenSearch Service domains that are running OpenSearch version 2.15 in the following AWS Regions:
+ US East (Ohio) (us-east-2)
+ US East (N. Virginia) (us-east-1)
+ US West (Oregon) (us-west-2)
+ Asia Pacific (Mumbai) (ap-south-1)
+ Asia Pacific (Seoul) (ap-northeast-2)
+ Asia Pacific (Singapore) (ap-southeast-1)
+ Asia Pacific (Sydney) (ap-southeast-2)
+ Asia Pacific (Tokyo) (ap-northeast-1)
+ Canada (Central) (ca-central-1)
+ Europe (Frankfurt) (eu-central-1)
+ Europe (Ireland) (eu-west-1)
+ Europe (London) (eu-west-2)
+ Europe (Paris) (eu-west-3)
+ South America (São Paulo) (sa-east-1)
**Note**
Custom plugins contain user-developed code. Any issues, including SLA breaches, caused by user developed code aren't eligible for SLA credits. For more information, see [Amazon OpenSearch Service - Service Level Agreement](https://aws.amazon.com/opensearch-service/sla/).
**Topics**
+ [Plugin quotas](#plugin-limits)
+ [Prerequisites](#custom-plugin-prerequisites)
+ [Troubleshooting](#custom-plugin-troubleshooting)
+ [Installing a custom plugin using the console](#custom-plugin-install-console)
+ [Managing custom plugins using the AWS CLI](#managing-custom-plugins-cli)
+ [Amazon OpenSearch Service custom package AWS KMS integration](custom-package-kms-integration.md)
## Plugin quotas
+ You can create up to 25 custom plugins per account per Region.
+ The maximum uncompressed size for a plugin is 1 GB.
+ The maximum number of plugins that can be associated with a single domain is 20. This quota applies to all plugin types combined: optional, third-party, and custom.
+ Custom plugins are supported on domains running OpenSearch version 2.15 or later.
+ The `descriptor.properties` file for your plugin must support an engine version similar to 2.15.0 or any 2.x.x version, where the patch version is set to zero.
## Prerequisites
Before you install a custom plugin and associate it to a domain, make sure you meet the following requirements:
+ The supported engine version for the plugin in the `descriptor.properties` file should be similar to `2.15.0` or `2.x.0`. That is, the patch version must be zero.
+ The following features must be enabled on your domain:
+ [Node-to-node encryption](ntn.md)
+ [Encryption at rest](encryption-at-rest.md)
+ [`EnforceHTTPS` is set to 'true'](createupdatedomains.md)
See also [opensearch-https-required](https://docs.aws.amazon.com/config/latest/developerguide/opensearch-https-required.html) in the *AWS Config Developer Guide*.
+ Clients must support **Policy-Min-TLS-1-2-PFS-2023-10**. You can specify this support using the following command. Replace the *placeholder value* with your own information:
```
aws opensearch update-domain-config \
--domain-name domain-name \
--domain-endpoint-options '{"TLSSecurityPolicy":"Policy-Min-TLS-1-2-PFS-2023-10" }'
```
For more information, see [DomainEndpointOptions](https://docs.aws.amazon.com/opensearch-service/latest/APIReference/API_DomainEndpointOptions.html) in the *Amazon OpenSearch Service API Reference*.
## Troubleshooting
If the system returns the error `PluginValidationFailureReason : The provided plugin could not be loaded`, see [Custom plugin installation fails due to version compatibility](handling-errors.md#troubleshooting-custom-plugins) for troubleshooting information.
## Installing a custom plugin using the console
To associate a third-party plugin to a domain, first import the plugin license and configuration as packages.
**To install a custom plugin**
1. Sign in to the Amazon OpenSearch Service console at [https://console.aws.amazon.com/aos/home](https://console.aws.amazon.com/aos/home).
1. In the left navigation pane, choose **Packages**.
1. Choose **Import package**.
1. For **Name**, enter a unique, easily identifiable name for the plugin.
1. (Optional) For **Description**, provide any useful details about the package or its purpose.
1. For **Package type**, choose **Plugin**.
1. For **Package source**, enter the path or browse to the plugin ZIP file in Amazon S3.
1. For **OpenSearch engine version**, choose the version of OpenSearch that the plugin supports.
1. For **Package encryption**, choose whether to customize the encryption key for the package. By default, OpenSearch Service encrypts the plugin package with an AWS owned key. You can use a customer managed key instead.
1. Choose **Import**.
After you import the plugin package, associate it with a domain. For instructions, see [Import and associate a package to a domain](custom-packages.md#associate-console).
## Managing custom plugins using the AWS CLI
You can use the AWS CLI to manage a number of custom plugin tasks.
**Topics**
+ [Installing a custom plugin using the AWS CLI](#custom-plugin-install-cli)
+ [Updating a custom plugin using the AWS CLI](#custom-plugin-update-cli)
+ [Create or update a custom plugin with an AWS KMS key security](#custom-plugin-kms-key-security-cli)
+ [Upgrading an OpenSearch Service domain with custom plugins to a later version of OpenSearch using the AWS CLI](#custom-plugin-domain-upgrade-cli)
+ [Uninstalling and viewing the dissociation status of a custom plugin](#custom-plugin-uninstall-cli)
### Installing a custom plugin using the AWS CLI
**Before you begin**
Before you can associate a custom plugin with your domain, you must upload it to an Amazon Simple Storage Service (Amazon S3) bucket. The bucket must be located in the same AWS Region where you intend to use the plugin. For information about adding an object to an S3 bucket, see [Uploading objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/upload-objects.html) in the *Amazon Simple Storage Service User Guide*.
If your plugin contains sensitive information, specify server-side encryption with S3-managed keys when you upload it. After you upload the file, make note of its S3 path. The path format is `s3://amzn-s3-demo-bucket/file-path/file-name`.
**Note**
You can optionally secure a custom plugin when you create the plugin by specifying an AWS Key Management Service (AWS KMS) key. For information, see [Create or update a custom plugin with an AWS KMS key security](#custom-plugin-kms-key-security-cli).
**To install a custom plugin using the AWS CLI**
1. Create a new package for your custom plugin by running the following [create-package](https://docs.aws.amazon.com/cli/latest/reference/opensearch/create-package.html) command, ensuring that the following requirements are met:
+ The bucket and key location must point to the plugin `.zip` file in an S3 bucket in the account in which your are running the commands.
+ The S3 bucket must be in the same Region where the package is being created.
+ Only `.zip` files are supported for `ZIP-PLUGIN` packages.
+ The contents of the `.zip` file must follow directory structure as expected by the plugin.
+ The value for `--engine-version` must be in the format `OpenSearch_{MAJOR}.{MINOR}`. For example: **OpenSearch\$12.17**.
Replace the *placeholder values* with your own information:
```
aws opensearch create-package \
--package-name package-name \
--region region \
--package-type ZIP-PLUGIN \
--package-source S3BucketName=amzn-s3-demo-bucket,S3Key=s3-key \
--engine-version opensearch-version
```
1. (Optional) View the status of the `create-package` operation, including any validation and security vulnerability findings, by using the [describe-packages](https://docs.aws.amazon.com/cli/latest/reference/es/describe-packages.html) command. Replace the *placeholder values* with your own information:
```
aws opensearch describe-packages \
--region region \
--filters '[{"Name": "PackageType","Value": ["ZIP-PLUGIN"]}, {"Name": "PackageName","Value": ["package-name"]}]'
```
The command returns information similar to the following:
```
{
"PackageDetailsList": [{
"PackageID": "pkg-identifier",
"PackageName": "package-name",
"PackageType": "ZIP-PLUGIN",
"PackageStatus": "VALIDATION_FAILED",
"CreatedAt": "2024-11-11T13:07:18.297000-08:00",
"LastUpdatedAt": "2024-11-11T13:10:13.843000-08:00",
"ErrorDetails": {
"ErrorType": "",
"ErrorMessage": "PluginValidationFailureReason : Dependency Scan reported 3 vulnerabilities for the plugin: CVE-2022-23307, CVE-2019-17571, CVE-2022-23305"
},
"EngineVersion": "OpenSearch_2.15",
"AllowListedUserList": [],
"PackageOwner": "OWNER-XXXX"
}]
}
```
**Note**
During the `create-package` operation, Amazon OpenSearch Service checks the `ZIP-PLUGIN` value for version compatibility, supported plugin extensions, and security vulnerabilities. The security vulnerabilities are scanned using the [Amazon Inspector](https://aws.amazon.com/inspector/getting-started/) service. The results of these checks are shown in `ErrorDetails` field in the API response.
1. Use the [associate-package](https://docs.aws.amazon.com/cli/latest/reference/opensearch/associate-package.html) command to associate the plugin with the OpenSearch Service domain of your choice using the package ID of the package created in the previous step.
**Tip**
If you have multiple plugins, you can instead use the [associate-packages](https://docs.aws.amazon.com/cli/latest/reference/opensearch/associate-packages.html) command to associate multiple packages to a domain in single operation.
Replace the *placeholder values* with your own information:
```
aws opensearch associate-package \
--domain-name domain-name \
--region region \
--package-id package-id
```
**Note**
The plugin is installed and uninstalled using a [blue/green deployment process](managedomains-configuration-changes.md).
1. (Optional) Use the [list-packages-for-domain](https://docs.aws.amazon.com/cli/latest/reference/opensearch/list-packages-for-domain.html) command to view the status of the association. The association status changes as the workflow progresses from `ASSOCIATING` to `ACTIVE`. The association status changes to ACTIVE after the plugin installation completes and the plugin is ready for use.
Replace the *placeholder values* with your own information.
```
aws opensearch list-packages-for-domain \
--region region \
--domain-name domain-name
```
### Updating a custom plugin using the AWS CLI
Use the [update-package](https://docs.aws.amazon.com/cli/latest/reference/opensearch/update-package.html) command to make changes to a plugin.
**Note**
You can optionally secure a custom plugin when you update the plugin by specifying an AWS Key Management Service (AWS KMS) key. For information, see [Create or update a custom plugin with an AWS KMS key security](#custom-plugin-kms-key-security-cli).
**To update a custom plugin using the AWS CLI**
+ Run the following command. Replace the *placeholder values* with your own information.
```
aws opensearch update-package \
--region region \
--package-id package-id \
--package-source S3BucketName=amzn-s3-demo-bucket,S3Key=s3-key \
--package-description description
```
After updating a package, you can use the [associate-package](https://docs.aws.amazon.com/cli/latest/reference/opensearch/associate-package.html) or [associate-packages](https://docs.aws.amazon.com/cli/latest/reference/opensearch/associate-packages.html) command to apply package updates to a domain.
**Note**
You can audit, create, update, associate, and disassociate operations on the plugin using AWS CloudTrail. For more information, see [Monitoring Amazon OpenSearch Service API calls with AWS CloudTrail](managedomains-cloudtrailauditing.md).
### Create or update a custom plugin with an AWS KMS key security
You can secure a custom plugin when you create or update the plugin by specifying an AWS KMS key. To accomplish this, set `PackageEncryptionOptions` to `true` and specify the Amazon Resource Name (ARN) of the key, as shown in the following examples.
**Example: Create a custom plugin with AWS KMS key security**
```
aws opensearch create-package \
--region us-east-2 --package-name my-custom-package \
--package-type ZIP-PLUGIN \
--package-source S3BucketName=amzn-s3-demo-bucket,S3Key=my-s3-key
--engine-version OpenSearch_2.15
"PackageConfigOptions": {
...
}
"PackageEncryptionOptions": {
"Enabled": true,
"KmsKeyId":"arn:aws:kms:us-east-2:111222333444:key/2ba228d5-1d09-456c-ash9-daf42EXAMPLE"
}
```
**Example: Update a custom plugin with AWS KMS key security**
```
aws opensearch update-package \
--region us-east-2 --package-name my-custom-package \
--package-type ZIP-PLUGIN \
--package-source S3BucketName=amzn-s3-demo-bucket,S3Key=my-s3-key
--engine-version OpenSearch_2.15
"PackageConfigOptions": {
...
}
"PackageEncryptionOptions": {
"Enabled": true,
"KmsKeyId":"arn:aws:kms:us-east-2:111222333444:key/2ba228d5-1d09-456c-ash9-daf42EXAMPLE"
}
```
**Important**
If the AWS KMS key you specify is disabled or deleted, it can leave the associated cluster inoperational.
For more information about AWS KMS integration with custom packages, [Amazon OpenSearch Service custom package AWS KMS integration](custom-package-kms-integration.md).
### Upgrading an OpenSearch Service domain with custom plugins to a later version of OpenSearch using the AWS CLI
When you need to upgrade an OpenSearch Service domain that uses custom plugins to a later version of OpenSearch, complete the following processes.
**To upgrade an OpenSearch Service domain with custom plugins to a later version of OpenSearch using the AWS CLI**
1. Use the create-package command to create a new package for your plugin specifying the new OpenSearch version.
Ensure that package name is the same for the plugin for all engine versions. Changing the package name causes the domain upgrade process to fail during the blue/green deployment.
1. Upgrade your domain to the higher version by following the steps in [Upgrading Amazon OpenSearch Service domains](version-migration.md).
During this process, Amazon OpenSearch Service disassociates the previous version of the plugin package and installs the new version using a blue/green deployment.
### Uninstalling and viewing the dissociation status of a custom plugin
To uninstall the plugin from any domain, you can use the [dissociate-package](https://docs.aws.amazon.com/cli/latest/reference/es/dissociate-package.html) command. Running this command also removes any related configuration or license packages. You can then use the [list-packages-for-domain](https://docs.aws.amazon.com/cli/latest/reference/es/list-packages-for-domain.html) command to view the status of the dissociation.
**Tip**
You can also use [dissociate-packages](https://docs.aws.amazon.com/cli/latest/reference/opensearch/dissociate-packages.html) command to uninstall multiple plugins from a domain in a single operation.
**To uninstall and view the dissociation status of a custom plugin**
1. Disable the plugin in every index. This must be done before you dissociate the plugin package.
If you try to uninstall a plugin before disabling it from every index, the blue/green deployment process remains stuck in the `Processing` state.
1. Run the following command to uninstall the plugin. Replace the *placeholder values* with your own information.
```
aws opensearch dissociate-package \
--region region \
--package-id plugin-package-id \
--domain-name domain name
```
1. (Optional) Run the [list-packages-for-domain](https://docs.aws.amazon.com/cli/latest/reference/opensearch/list-packages-for-domain.html) command to view the status of the dissociation.
# Amazon OpenSearch Service custom package AWS KMS integration
Amazon OpenSearch Service custom packages provide encryption by default to protect your `ZIP-PLUGIN` packages at rest using AWS managed keys.
+ **AWS owned keys** – Amazon OpenSearch Service custom packages use these keys by default to automatically encrypt your `ZIP-PLUGIN` packages. You can't view, manage, or use AWS owned keys or audit their use. However, you don't need to take any action or change any programs to protect the keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*.
+ **Customer managed keys** – You can add a second layer of encryption over the existing AWS owned keys by choosing a customer managed key when you create your `ZIP-PLUGIN` custom package.
Amazon OpenSearch Service custom packages support using a symmetric customer managed key that you create, own, and manage to add a second layer of encryption over the existing AWS owned encryption. Because you have full control of this layer of encryption, you can perform the following tasks:
+ Establish and maintain key policies
+ Establish and maintain AWS Identity and Access Management (IAM) policies and grants
+ Enable and disable key policies
+ Rotate key cryptographic material
+ Add tags
+ Create key aliases
+ Schedule keys for deletion
For more information, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*.
**Note**
Amazon OpenSearch Service custom packages automatically enables encryption at rest using AWS owned keys at no charge. However, AWS KMS charges apply when you use a customer managed key. For more information about pricing, see [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/).
## How Amazon OpenSearch Service custom packages service uses grants in AWS KMS
OpenSearch Service custom packages require a grant to use your customer managed key.
When you create a `ZIP-PLUGIN` package encrypted with a customer managed key, the Amazon OpenSearch Service custom packages service creates a grant on your behalf by sending a [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS. Grants in AWS KMS give OpenSearch Service access to a AWS KMS key in your account. The grants created by OpenSearch Service custom packages have a constraint that allows operations only when the request includes an encryption context with your custom package ID.
Amazon OpenSearch Service custom packages require the grant to use your customer managed key for the following internal operations:
| Operation | Description |
| --- | --- |
| DescribeKey | Sends DescribeKey requests to AWS KMS to verify that the symmetric customer managed key ID entered when creating the plugin package is valid. |
| GenerateDataKeyWithoutPlaintext | Sends GenerateDataKeyWithoutPlaintext requests to AWS KMS to generate data keys encrypted by your customer managed key. |
| GenerateDataKey | Sends GenerateDataKey requests to AWS KMS to generate data keys to encrypt the package when copying it internally. |
| Decrypt | Sends Decrypt requests to AWS KMS to decrypt the encrypted data keys so they can be used to decrypt your data. |
You can revoke access to the grant or remove the service's access to the customer managed key at any time. If you do, OpenSearch Service won't be able to access any data encrypted by the customer managed key, which affects operations that depend on that data. For example, if you attempt to associate a plugin package that OpenSearch Service can't access, the operation returns an `AccessDeniedException` error.
## Create a customer managed key
You can create a symmetric customer managed key by using the AWS Management Console or the AWS KMS APIs.
**To create a symmetric customer managed key**
+ Follow the steps in [Creating a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*.
### Key policy
Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*.
To use your customer managed key with your plugin resources, you must permit the following API operations in the key policy:
+ `kms:CreateGrant` – Adds a grant to a customer managed key. Grants control access to a specified AWS KMS key, allowing access to grant operations that OpenSearch Service custom packages require. For more information about using grants, see the [AWS KMS Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html).
This allows OpenSearch Service to do the following:
+ Call `GenerateDataKeyWithoutPlainText` to generate an encrypted data key and store it for further validations.
+ Call `GenerateDataKey` to copy the plugin package internally.
+ Call `Decrypt` to access the plugin package internally.
+ Set up a retiring principal to allow the service to `RetireGrant`.
+ `kms:DescribeKey` – Provides the customer managed key details to allow OpenSearch Service to validate the key.
+ `kms:GenerateDataKey`, `kms:GenerateDataKeyWithoutPlaintext`, `kms:Decrypt` – Gives OpenSearch Service custom packages access to use these operations in the grant.
The following are policy statement examples you can add for OpenSearch Service custom packages:
```
"Statement" : [
{
"Sid" : "Allow access to principals authorized to use OpenSearch Service custom packages",
"Effect" : "Allow",
"Principal" : {
"AWS" : "*"
},
"Action" : [
"kms:CreateGrant",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"kms:ViaService" : "custom-packages.region.amazonaws.com"
},
"StringEquals" : {
"kms:EncryptionContext:packageId": "Id of the package"
}
}
},
{
"Sid" : "Allow access to principals authorized to use Amazon OpenSearch Service custom packages",
"Effect" : "Allow",
"Principal" : {
"AWS" : "*"
},
"Action" : [
"kms:DescribeKey"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"kms:ViaService" : "custom-packages.region.amazonaws.com"
}
}
}
]
```
For more information about specifying permissions in a policy, see [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*.
For more information about troubleshooting key access, see [Troubleshooting AWS KMS permissions](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html) in the *AWS Key Management Service Developer Guide*.
## Specify a customer managed key for Amazon OpenSearch Service custom packages
You can specify a customer managed key as a second layer of encryption for your `ZIP-PLUGIN` packages.
When you create a plugin package, you can specify the data key by entering a AWS KMS key ID, which OpenSearch Service custom packages use to encrypt the plugin package.
*AWS KMS key ID* — A key identifier for a AWS KMS customer managed key. Enter a key ID, key ARN, alias name, or alias ARN.
## Amazon OpenSearch Service custom packages encryption context
An encryption context is an optional set of key-value pairs that contain additional contextual information about the data.
AWS KMS uses the encryption context as additional authenticated data to support authenticated encryption. When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt data, you include the same encryption context in the request.
### Amazon OpenSearch Service custom packages encryption context
Amazon OpenSearch Service custom packages use the same encryption context in all AWS KMS cryptographic operations, where the key is `packageId` and the value is the `package-id` of your plugin package.
### Use encryption context for monitoring
When you use a symmetric customer managed key to encrypt your plugin package, you can use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context also appears in logs generated by AWS CloudTrail or Amazon CloudWatch Logs.
### Using encryption context to control access to your customer managed key
You can use the encryption context in key policies and IAM policies as conditions to control access to your symmetric customer managed key. You can also use encryption context constraints in a grant.
OpenSearch Service custom packages use an encryption context constraint in grants to control access to the customer managed key in your account or Region. The grant constraint requires that the operations that the grant allows use the specified encryption context.
The following are example key policy statements to grant access to a customer managed key for a specific encryption context. The condition in this policy statement requires that the grants have an encryption context constraint that specifies the encryption context.
```
{
"Sid": "Enable DescribeKey",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
},
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "Enable OpenSearch Service custom packages to use the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
},
"Action" : [
"kms:CreateGrant",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:Decrypt"
],
"Resource": "*",
"Condition": {
"StringEquals" : {
"kms:EncryptionContext:packageId": "ID of the package"
}
}
}
```
## Monitoring your encryption keys for OpenSearch custom packages service
When you use an AWS KMS customer managed key with your OpenSearch Service custom packages service resources, you can use CloudTrail or CloudWatch Logs to track requests that OpenSearch custom packages send to AWS KMS.
**Learn more**
The following resources provide more information about data encryption at rest.
+ For more information about AWS KMS basic concepts, see [AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) in the *AWS Key Management Service Developer Guide*.
+ For more information about security best practices for AWS KMS, see the *AWS Prescriptive Guidance* guide for [AWS Key Management Service best practices](https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html).