Network access for Amazon OpenSearch Serverless - Amazon OpenSearch Service

Network access for Amazon OpenSearch Serverless

The network settings for an Amazon OpenSearch Serverless collection determine whether the collection is accessible over the internet from public networks, or whether it must be accessed privately.

Private access can apply to one or both of the following:

  • OpenSearch Serverless-managed VPC endpoints

  • Supported AWS services such as Amazon Bedrock

You can configure network access separately for a collection's OpenSearch endpoint and its corresponding OpenSearch Dashboards endpoint.

Network access is the isolation mechanism for allowing access from different source networks. For example, if a collection's OpenSearch Dashboards endpoint is publicly accessible but the OpenSearch API endpoint isn't, a user can access the collection data only through Dashboards when connecting from a public network. If they try to call the OpenSearch APIs directly from a public network, they'll be blocked. Network settings can be used for such permutations of source to resource type. Amazon OpenSearch Serverless supports both IPv4 and IPv6 connectivity.

Network policies

Network policies let you manage many collections at scale by automatically assigning network access settings to collections that match the rules defined in the policy.

In a network policy, you specify a series of rules. These rule define access permissions to collection endpoints and OpenSearch Dashboards endpoints. Each rule consists of an access type (public or private) and a resource type (collection and/or OpenSearch Dashboards endpoint). For each resource type (collection and dashboard), you specify a series of rules that define which collection(s) the policy will apply to.

In this sample policy, the first rule specifies VPC endpoint access to both the collection endpoint and the Dashboards endpoint for all collections beginning with the term marketing*. It also specifies Amazon Bedrock access.

Note

Private access to AWS services such as Amazon Bedrock only applies to the collection's OpenSearch endpoint, not to the OpenSearch Dashboards endpoint. Even if the ResourceType is dashboard, AWS services cannot be granted access to OpenSearch Dashboards.

The second rule specifies public access to the finance collection, but only for the collection endpoint (no Dashboards access).

[ { "Description":"Marketing access", "Rules":[ { "ResourceType":"collection", "Resource":[ "collection/marketing*" ] }, { "ResourceType":"dashboard", "Resource":[ "collection/marketing*" ] } ], "AllowFromPublic":false, "SourceVPCEs":[ "vpce-050f79086ee71ac05" ], "SourceServices":[ "bedrock.amazonaws.com" ], }, { "Description":"Sales access", "Rules":[ { "ResourceType":"collection", "Resource":[ "collection/finance" ] } ], "AllowFromPublic":true } ]

This policy provides public access only to OpenSearch Dashboards for collections beginning with "finance". Any attempts to directly access the OpenSearch API will fail.

[ { "Description": "Dashboards access", "Rules": [ { "ResourceType": "dashboard", "Resource": [ "collection/finance*" ] } ], "AllowFromPublic": true } ]

Network policies can apply to existing collections as well as future collections. For example, you can create a collection and then create a network policy with a rule that matches the collection name. You don't need to create network policies before you create collections.

Considerations

Consider the following when you configure network access for your collections:

  • If you plan to configure VPC endpoint access for a collection, you must first create at least one OpenSearch Serverless-managed VPC endpoint.

  • Private access to AWS services only applies to the collection's OpenSearch endpoint, not to the OpenSearch Dashboards endpoint. Even if the ResourceType is dashboard, AWS services cannot be granted access to OpenSearch Dashboards.

  • If a collection is accessible from public networks, it's also accessible from all OpenSearch Serverless-managed VPC endpoints and all AWS services.

  • Multiple network policies can apply to a single collection. For more information, see Policy precedence.

Permissions required to configure network policies

Network access for OpenSearch Serverless uses the following AWS Identity and Access Management (IAM) permissions. You can specify IAM conditions to restrict users to network policies associated with specific collections.

  • aoss:CreateSecurityPolicy – Create a network access policy.

  • aoss:ListSecurityPolicies – List all network policies in the current account.

  • aoss:GetSecurityPolicy – View a network access policy specification.

  • aoss:UpdateSecurityPolicy – Modify a given network access policy, and change the VPC ID or public access designation.

  • aoss:DeleteSecurityPolicy – Delete a network access policy (after it's detached from all collections).

The following identity-based access policy allows a user to view all network policies, and update policies with the resource pattern collection/application-logs:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "aoss:UpdateSecurityPolicy" ], "Resource": "*", "Condition": { "StringEquals": { "aoss:collection": "application-logs" } } }, { "Effect": "Allow", "Action": [ "aoss:ListSecurityPolicies", "aoss:GetSecurityPolicy" ], "Resource": "*" } ] }
Note

In addition, OpenSearch Serverless requires the aoss:APIAccessAll and aoss:DashboardsAccessAll permissions for collection resources. For more information, see Using OpenSearch API operations.

Policy precedence

There can be situations where network policy rules overlap, within or across policies. When this happens, a rule that specifies public access overrides a rule that specifies private access for any collections that are common to both rules.

For example, in the following policy, both rules assign network access to the finance collection, but one rule specifies VPC access while the other specifies public access. In this situation, public access overrides VPC access only for the finance collection (because it exists in both rules), so the finance collection will be accessible from public networks. The sales collection will have VPC access from the specified endpoint.

[ { "Description":"Rule 1", "Rules":[ { "ResourceType":"collection", "Resource":[ "collection/sales", "collection/finance" ] } ], "AllowFromPublic":false, "SourceVPCEs":[ "vpce-050f79086ee71ac05" ] }, { "Description":"Rule 2", "Rules":[ { "ResourceType":"collection", "Resource":[ "collection/finance" ] } ], "AllowFromPublic":true } ]

If multiple VPC endpoints from different rules apply to a collection, the rules are additive and the collection will be accessible from all specified endpoints. If you set AllowFromPublic to true but also provide one or more SourceVPCEs or SourceServices, OpenSearch Serverless ignores the VPC endpoints and service identifiers, and the associated collections will have public access.

Creating network policies (console)

Network policies can apply to existing policies as well as future policies. We recommend that you create network policies before you start creating collections.

To create an OpenSearch Serverless network policy
  1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/home.

  2. On the left navigation panel, expand Serverless and choose Network policies.

  3. Choose Create network policy.

  4. Provide a name and description for the policy.

  5. Provide one or more rules. These rules define access permissions for your OpenSearch Serverless collections and their OpenSearch Dashboards endpoints.

    Each rule contains the following elements:

    Element Description
    Rule name A name that describes the contents of the rule. For example, "VPC access for marketing team".
    Access type Choose either public or private access. Then, select one or both of the following:
    Resource type Select whether to provide access to OpenSearch endpoints (which allows making calls to the OpenSearch API), to OpenSearch Dashboards (which allows access to visualizations and the user interface for OpenSearch plugins), or both.
    Note

    AWS service private access only applies to the collection's OpenSearch endpoint, not to the OpenSearch Dashboards endpoint. Even if you select OpenSearch Dashboards, AWS services can only be granted endpoint access.

    For each resource type that you select, you can choose existing collections to apply the policy settings to, and/or create one or more resource patterns. Resource patterns consist of a prefix and a wildcard (*), and define which collections the policy settings will apply to.

    For example, if you include a pattern called Marketing*, any new or existing collections whose names start with "Marketing" will have the network settings in this policy automatically applied to them. A single wildcard (*) applies the policy to all current and future collections.

    In addition, you can specify the name of a future collection without a wildcard, such as Finance. OpenSearch Serverless will apply the policy settings to any newly created collection with that exact name.

  6. When you're satisfied with your policy configuration, choose Create.

Creating network policies (AWS CLI)

To create a network policy using the OpenSearch Serverless API operations, you specify rules in JSON format. The CreateSecurityPolicy request accepts both inline policies and .json files. All collections and patterns must take the form collection/<collection name|pattern>.

Note

The resource type dashboards only allows permission to OpenSearch Dashboards, but in order for OpenSearch Dashboards to function, you must also allow collection access from the same sources. See the second policy below for an example.

To specify private access, include one or both of the following elements:

  • SourceVPCEs – Specify one or more OpenSearch Serverless–managed VPC endpoints.

  • SourceServices – Specify the identifier of one or more supported AWS services. Currently, the following service identifiers are supported:

    • bedrock.amazonaws.com – Amazon Bedrock

The following sample network policy provides private access, to a VPC endpoint and Amazon Bedrock, to collection endpoints only for collections beginning with the prefix log*. Authenticated users can't sign in to OpenSearch Dashboards; they can only access the collection endpoint programmatically.

[ { "Description":"Private access for log collections", "Rules":[ { "ResourceType":"collection", "Resource":[ "collection/log*" ] } ], "AllowFromPublic":false, "SourceVPCEs":[ "vpce-050f79086ee71ac05" ], "SourceServices":[ "bedrock.amazonaws.com" ], } ]

The following policy provides public access to the OpenSearch endpoint and OpenSearch Dashboards for a single collection named finance. If the collection doesn't exist, the network settings will be applied to the collection if and when it's created.

[ { "Description":"Public access for finance collection", "Rules":[ { "ResourceType":"dashboard", "Resource":[ "collection/finance" ] }, { "ResourceType":"collection", "Resource":[ "collection/finance" ] } ], "AllowFromPublic":true } ]

The following request creates the above network policy:

aws opensearchserverless create-security-policy \ --name sales-inventory \ --type network \ --policy "[{\"Description\":\"Public access for finance collection\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection\/finance\"]},{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/finance\"]}],\"AllowFromPublic\":true}]"

To provide the policy in a JSON file, use the format --policy file://my-policy.json

Viewing network policies

Before you create a collection, you might want to preview the existing network policies in your account to see which one has a resource pattern that matches your collection's name. The following ListSecurityPolicies request lists all network policies in your account:

aws opensearchserverless list-security-policies --type network

The request returns information about all configured network policies. To view the pattern rules defined in the one specific policy, find the policy information in the contents of the securityPolicySummaries element in the response. Note the name and type of this policy and use these properties in a GetSecurityPolicy request to receive a response with the following policy details:

{ "securityPolicyDetail": [ { "type": "network", "name": "my-policy", "policyVersion": "MTY2MzY5MTY1MDA3Ml8x", "policy": "[{\"Description\":\"My network policy rule\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection/*\"]}],\"AllowFromPublic\":true}]", "createdDate": 1663691650072, "lastModifiedDate": 1663691650072 } ] }

To view detailed information about a specific policy, use the GetSecurityPolicy command.

Updating network policies

When you modify the VPC endpoints or public access designation for a network, all associated collections are impacted. To update a network policy in the OpenSearch Serverless console, expand Network policies, select the policy to modify, and choose Edit. Make your changes and choose Save.

To update a network policy using the OpenSearch Serverless API, use the UpdateSecurityPolicy command. You must include a policy version in the request. You can retrieve the policy version by using the ListSecurityPolicies or GetSecurityPolicy commands. Including the most recent policy version ensures that you don't inadvertently override a change made by someone else.

The following request updates a network policy with a new policy JSON document:

aws opensearchserverless update-security-policy \ --name sales-inventory \ --type network \ --policy-version MTY2MzY5MTY1MDA3Ml8x \ --policy file://my-new-policy.json

Deleting network policies

Before you can delete a network policy, you must detach it from all collections. To delete a policy in the OpenSearch Serverless console, select the policy and choose Delete.

You can also use the DeleteSecurityPolicy command:

aws opensearchserverless delete-security-policy --name my-policy --type network