Amazon OpenSearch Service now supports Fine Grained Access Control (FGAC) for OpenSearch UI when it is accessed through SAML via IAM federated. OpenSearch UI is the unified interface for observability and security analytics on Amazon OpenSearch Service. SAML via IAM federated is a popular choice for enabling an Identity Provider (IdP)-initiated Single Sign-On (SSO) experience for OpenSearch UI. FGAC lets you define precise data access control based on the user attributes your IdP supplies during SAML authentication and authorization. This level of dynamic, granular access control is crucial for multi-tenant deployments and for meeting data governance requirements in regulated industries.
With FGAC support, you can now configure attribute mappings from IdP user roles and attributes to OpenSearch backend roles. These backend roles can be scoped to specific OpenSearch domains and serverless collections, letting you define index-level permissions and document-level security for more granular data access control. You continue to manage users and groups in your existing IdP, and OpenSearch data source permissions are applied automatically based on the user's SAML assertion, reducing administrative friction. Audit trails also become clearer, because user actions are tied not just to IAM roles but to SAML attributes, which simplifies data governance.
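To make the backend-role side of this concrete, the following is an added illustration (not configuration from the announcement or from AWS) in the OpenSearch Security plugin's roles and roles-mapping format, which is what a mapped backend role ultimately resolves to: a role for one tenant's analysts that is limited to that tenant's index pattern, restricted to the tenant's own documents by a document-level security (DLS) query, and hides a sensitive field. The role name, index pattern, field names and the backend role name `idp-group-tenant-a-analysts` are assumptions; on a managed domain the same definitions are applied through the Security REST API or OpenSearch Dashboards rather than by editing files, and the mapping from the IdP's SAML attribute to the backend role name is configured in OpenSearch UI as the announcement describes.

```yaml
# roles.yml fragment (illustrative; names are assumed, not from the announcement)
_meta:
  type: "roles"
  config_version: 2

tenant_a_analyst:
  reserved: false
  cluster_permissions:
    # read-only cluster-level operations only (no cluster management)
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns:
        # index-level scoping: this tenant's indices only
        - "logs-tenant-a-*"
      # document-level security: even within a matching index, only
      # documents tagged with this tenant are visible
      dls: '{"term": {"tenant": "a"}}'
      # field-level security: exclude a sensitive field from results
      fls:
        - "~customer_email"
      allowed_actions:
        - "read"
---
# roles_mapping.yml fragment: the backend role that the SAML attribute
# mapping produces is bound to the role above
_meta:
  type: "rolesmapping"
  config_version: 2

tenant_a_analyst:
  reserved: false
  backend_roles:
    - "idp-group-tenant-a-analysts"
```

A useful check after wiring the mapping is to sign in as a test user from the tenant group and confirm, via the Security plugin's account information endpoint (`GET _plugins/_security/api/account`), that only the expected backend role and mapped role appear before verifying that a query against another tenant's index is rejected.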
FGAC is an optional feature for SAML via IAM federated. It is available in all AWS Regions where OpenSearch UI is available. Learn more at: OpenSearch UI dev guide.
Source: Amazon AWS