Amazon OpenSearch Service (es)

2021-07-28

28 new actions, 3 new resources, 3 new conditions | 30 updated actions, 1 updated resource

Additions

    Actions
  • AcceptInboundConnection
    • Description:  Grants permission to the destination domain owner to accept an inbound cross-cluster search connection request
    • Access:  Write
  • CreateDataPrepperPipeline
    • Description:  Grants permission to create a DataPrepper pipeline
    • Access:  Write
    • Resources: 

      Name: pipeline

      Required: No

  • CreateDomain
    • Description:  Grants permission to create an Amazon OpenSearch Service domain
    • Access:  Write
    • Resources: 

      Name: domain

      Required: No

    • Conditions: 

      aws:RequestTag/${TagKey}

      aws:TagKeys

  • CreateOutboundConnection
    • Description:  Grants permission to create a new cross-cluster search connection from a source domain to a destination domain
    • Access:  Write
    • Resources: 

      Name: domain

      Required: Yes

  • CreateServiceRole
    • Description:  Grants permission to create the service-linked role required for Amazon OpenSearch domains that use VPC access
    • Access:  Write
  • DeleteDataPrepperPipeline
    • Description:  Grants permission to delete a DataPrepper pipeline
    • Access:  Write
    • Resources: 

      Name: pipeline

      Required: Yes

  • DeleteDomain
    • Description:  Grants permission to delete an Amazon OpenSearch domain and all of its data
    • Access:  Write
    • Resources: 

      Name: domain

      Required: Yes

  • DeleteInboundConnection
    • Description:  Grants permission to the destination domain owner to delete an existing inbound cross-cluster search connection
    • Access:  Write
  • DeleteOutboundConnection
    • Description:  Grants permission to the source domain owner to delete an existing outbound cross-cluster search connection
    • Access:  Write
  • DescribeDataPrepperPipeline
    • Description:  Grants permission to view a description of the pipeline configuration for the specified DataPrepper pipeline
    • Access:  Read
    • Resources: 

      Name: pipeline

      Required: Yes

  • DescribeDomain
    • Description:  Grants permission to view a description of the domain configuration for the specified Amazon OpenSearch domain, including the domain ID, domain service endpoint, and domain ARN
    • Access:  Read
    • Resources: 

      Name: domain

      Required: Yes

  • DescribeDomainConfig
    • Description:  Grants permission to view a description of the configuration options and status of an Amazon OpenSearch domain
    • Access:  Read
    • Resources: 

      Name: domain

      Required: Yes

  • DescribeDomains
    • Description:  Grants permission to view a description of the domain configuration for up to five specified Amazon OpenSearch domains
    • Access:  List
    • Resources: 

      Name: domain

      Required: Yes

  • DescribeInboundConnections
    • Description:  Grants permission to list all the inbound cross-cluster search connections for a destination domain
    • Access:  List
  • DescribeInstanceTypeLimits
    • Description:  Grants permission to view the instance count, storage, and master node limits for a given OpenSearch version and instance type
    • Access:  List
  • DescribeOutboundConnections
    • Description:  Grants permission to list all the outbound cross-cluster search connections for a source domain
    • Access:  List
  • DescribeReservedInstanceOfferings
    • Description:  Grants permission to fetch reserved instance offerings for OpenSearch
    • Access:  List
  • DescribeReservedInstances
    • Description:  Grants permission to fetch OpenSearch reserved instances already purchased by customer
    • Access:  List
  • GetCompatibleVersions
    • Description:  Grants permission to fetch list of compatible OpenSearch versions to which Amazon OpenSearch domain can be upgraded
    • Access:  List
    • Resources: 

      Name: domain

      Required: Yes

  • IngestDataPrepperPipeline
    • Description:  Grants permission to ingest data into a DataPrepper pipeline
    • Access:  Write
    • Resources: 

      Name: pipeline

      Required: No

  • ListDataPrepperPipelines
    • Description:  Grants permission to display the names of all DataPrepper pipelines that the current user owns
    • Access:  List
  • ListInstanceTypeDetails
    • Description:  Grants permission to list all instance types and available features for a given OpenSearch version
    • Access:  List
  • ListInstanceTypes
    • Description:  Grants permission to list all OpenSearch instance types that are supported for a given OpenSearch version
    • Access:  List
  • ListVersions
    • Description:  Grants permission to list all supported OpenSearch versions on Amazon OpenSearch
    • Access:  List
  • PurchaseReservedInstanceOffering
    • Description:  Grants permission to purchase OpenSearch reserved instances
    • Access:  Write
  • RejectInboundConnection
    • Description:  Grants permission to the destination domain owner to reject an inbound cross-cluster search connection request
    • Access:  Write
  • UpdateDataPrepperPipeline
    • Description:  Grants permission to modify the configuration of a DataPrepper pipeline (currently limited to updating desired capacity)
    • Access:  Write
    • Resources: 

      Name: pipeline

      Required: Yes

  • UpdateDomainConfig
    • Description:  Grants permission to modify the configuration of an Amazon OpenSearch domain, such as the instance type or number of instances
    • Access:  Write
    • Resources: 

      Name: domain

      Required: Yes

    Resources
  • pipeline
    • Arn:  arn:${Partition}:es:${Region}:${Account}:pipeline/${PipelineName}
    • Conditions: 

      aws:ResourceTag/${TagKey}

  • es_role
    • Arn:  arn:${Partition}:iam::${Account}:role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonElasticsearchService
    • Conditions: 

      aws:ResourceTag/${TagKey}

  • opensearchservice_role
    • Arn:  arn:${Partition}:iam::${Account}:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchInternalService
    • Conditions: 

      aws:ResourceTag/${TagKey}

    Conditions
  • aws:RequestTag/${TagKey}
    • Description:  Filters access based on the tags that are passed in the request
    • Type:  String
  • aws:ResourceTag/${TagKey}
    • Description:  Filters access based on the tags associated with the resource
    • Type:  String
  • aws:TagKeys
    • Description:  Filters access based on the tag keys that are passed in the request
    • Type:  String

Updates

    Actions
  • AddTags
      Description
    • Old: Grants permission to attach resource tags to an Amazon ES domain.
      New: Grants permission to attach resource tags to an Amazon OpenSearch domain
      Conditions
    • + aws:RequestTag/${TagKey}
    • + aws:TagKeys
  • CreateElasticsearchDomain
      Description
    • Old: Grants permission to create an Amazon ES domain.
      New: Grants permission to create an Amazon OpenSearch domain
      Conditions
    • + aws:RequestTag/${TagKey}
    • + aws:TagKeys
  • CreateElasticsearchServiceRole
      Description
    • Old: Grants permission to create the service-linked role required for Amazon ES domains that use VPC access.
      New: Grants permission to create the service-linked role required for Amazon OpenSearch domains that use VPC access
  • DeleteElasticsearchDomain
      Description
    • Old: Grants permission to delete an Amazon ES domain and all of its data.
      New: Grants permission to delete an Amazon OpenSearch domain and all of its data
  • DeleteElasticsearchServiceRole
      Description
    • Old: Grants permission to delete the service-linked role required for Amazon ES domains that use VPC access.
      New: Grants permission to delete the service-linked role required for Amazon OpenSearch domains that use VPC access
  • DeletePackage
      Description
    • Old: Grants permission to delete a package from Amazon ES. The package must not be associated with any Amazon ES domain.
      New: Grants permission to delete a package from Amazon ES. The package must not be associated with any Amazon ES domain
  • DescribeElasticsearchDomain
      Description
    • Old: Grants permission to view a description of the domain configuration for the specified Amazon ES domain, including the domain ID, domain service endpoint, and domain ARN.
      New: Grants permission to view a description of the domain configuration for the specified Amazon OpenSearch domain, including the domain ID, domain service endpoint, and domain ARN
  • DescribeElasticsearchDomainConfig
      Description
    • Old: Grants permission to view a description of the configuration options and status of an Amazon ES domain.
      New: Grants permission to view a description of the configuration options and status of an Amazon OpenSearch domain
  • DescribeElasticsearchDomains
      Description
    • Old: Grants permission to view a description of the domain configuration for up to five specified Amazon ES domains.
      New: Grants permission to view a description of the domain configuration for up to five specified Amazon OpenSearch domains
  • DescribeElasticsearchInstanceTypeLimits
      Description
    • Old: Grants permission to view the instance count, storage, and master node limits for a given Elasticsearch version and instance type.
      New: Grants permission to view the instance count, storage, and master node limits for a given OpenSearch version and instance type
  • DescribeReservedElasticsearchInstanceOfferings
      Description
    • Old: Grants permission to fetch reserved instance offerings for ES
      New: Grants permission to fetch reserved instance offerings for OpenSearch
  • DescribeReservedElasticsearchInstances
      Description
    • Old: Grants permission to fetch ES reserved instances already purchased by customer
      New: Grants permission to fetch OpenSearch reserved instances already purchased by customer
  • ESCrossClusterGet
      Description
    • Old: Grants permission to send cross-cluster requests to a destination domain.
      New: Grants permission to send cross-cluster requests to a destination domain
  • ESHttpDelete
      Description
    • Old: Grants permission to send HTTP DELETE requests to the Elasticsearch APIs.
      New: Grants permission to send HTTP DELETE requests to the OpenSearch APIs
  • ESHttpGet
      Description
    • Old: Grants permission to send HTTP GET requests to the Elasticsearch APIs.
      New: Grants permission to send HTTP GET requests to the OpenSearch APIs
  • ESHttpHead
      Description
    • Old: Grants permission to send HTTP HEAD requests to the Elasticsearch APIs.
      New: Grants permission to send HTTP HEAD requests to the OpenSearch APIs
  • ESHttpPatch
      Description
    • Old: Grants permission to send HTTP PATCH requests to the Elasticsearch APIs.
      New: Grants permission to send HTTP PATCH requests to the OpenSearch APIs
  • ESHttpPost
      Description
    • Old: Grants permission to send HTTP POST requests to the Elasticsearch APIs.
      New: Grants permission to send HTTP POST requests to the OpenSearch APIs
  • ESHttpPut
      Description
    • Old: Grants permission to send HTTP PUT requests to the Elasticsearch APIs.
      New: Grants permission to send HTTP PUT requests to the OpenSearch APIs
  • GetCompatibleElasticsearchVersions
      Description
    • Old: Grants permission to fetch list of compatible elastic search versions to which Amazon ES domain can be upgraded
      New: Grants permission to fetch list of compatible elastic search versions to which Amazon OpenSearch domain can be upgraded
  • GetUpgradeHistory
      Description
    • Old: Grants permission to fetch upgrade history for given ES domain
      New: Grants permission to fetch upgrade history for given OpenSearch domain
  • GetUpgradeStatus
      Description
    • Old: Grants permission to fetch upgrade status for given ES domain
      New: Grants permission to fetch upgrade status for given OpenSearch domain
  • ListDomainNames
      Description
    • Old: Grants permission to display the names of all Amazon ES domains that the current user owns.
      New: Grants permission to display the names of all Amazon OpenSearch domains that the current user owns
  • ListElasticsearchInstanceTypeDetails
      Description
    • Old: Grants permission to list all instance types and available features for a given Elasticsearch version.
      New: Grants permission to list all instance types and available features for a given OpenSearch version
  • ListElasticsearchInstanceTypes
      Description
    • Old: Grants permission to list all Elasticsearch instance types that are supported for a given Elasticsearch version.
      New: Grants permission to list all OpenSearch instance types that are supported for a given OpenSearch version
  • ListElasticsearchVersions
      Description
    • Old: Grants permission to list all supported Elasticsearch versions on Amazon ES.
      New: Grants permission to list all supported OpenSearch versions on Amazon OpenSearch
  • ListTags
      Description
    • Old: Grants permission to display all of the tags for an Amazon ES domain.
      New: Grants permission to display all of the tags for an Amazon OpenSearch domain
  • PurchaseReservedElasticsearchInstanceOffering
      Description
    • Old: Grants permission to purchase ES reserved instances
      New: Grants permission to purchase OpenSearch reserved instances
  • RemoveTags
      Description
    • Old: Grants permission to remove tags from Amazon ES domains.
      New: Grants permission to remove tags from Amazon OpenSearch domains
      Conditions
    • + aws:TagKeys
  • UpdateElasticsearchDomainConfig
      Description
    • Old: Grants permission to modify the configuration of an Amazon ES domain, such as the instance type or number of instances.
      New: Grants permission to modify the configuration of an Amazon OpenSearch domain, such as the instance type or number of instances
    Resources
  • domain
      Conditions
    • + aws:ResourceTag/${TagKey}