Centralized OpenSearch user interface (Dashboards) with Amazon OpenSearch Service
OpenSearch user interface is the modernized operational analytics experience for Amazon OpenSearch Service. In comparison to the existing OpenSearch Dashboards that is hosted in individual domains or collections and supports only one data source, OpenSearch user interface is created as a web-based application and runs in the AWS cloud, so that it can be associated with data sources across multiple managed clusters, serverless collections, and connected AWS data sources such as Amazon S3. With OpenSearch user interface, you can gain a comprehensive insights across your data in a unified interface. If you are looking for documentation on OpenSearch Dashboards which are co-located with each managed cluster or collection, see Dashboards (co-located with cluster).
OpenSearch user interface introduces the concept of workspaces. A workspace is a tailored experience for common use cases such as observability and security analytics. You can create one workspace for each of your use cases or teams, and manage collaborators and data sources associated with each workspace, so that you can easily manage the access control and collaboration across your teams. In OpenSearch user interface, Discover provides a unified log exploration experience supporting popular languages like SQL and Piped-Processing-Language (PPL), in addition to offering existing support for DQL and Lucene.
To use OpenSearch user interface, you can create an OpenSearch UI application from the AWS Management Console or via the AWS Command Line Interface (CLI). You can find the list of your created OpenSearch applications under your Amazon OpenSearch Service console, Central Management section. Each OpenSearch application has its own endpoint URL and Amazon Resource Name (ARN). You can use the endpoint URL to open the OpenSearch application, and easily share it to your colleagues for collaboration. You can configure each OpenSearch application to support login with AWS Identity and Access Management Identity and Access Management (IAM) credentials and/or IAM Identity Center (IdC), and manage the user and group permissions to the application.
Note
OpenSearch user interface (Dashboards) application does support use of IdC applications created in a different region. To use IdC, create OpenSearch application in the same region as your IdC application instance.
Creating an OpenSearch application
To create an OpenSearch Application in the console, do the following:
-
Open the AWS Management Console and go to the Amazon OpenSearch Service homepage.
-
In the left navigation window, find the OpenSearch user interface (Dashboards) tab
-
Select
Create Application
To create an OpenSearch Application in the AWS Command Line Interface do the following:
aws opensearch create-application \ --name myapplication aws opensearch create-application \ --name myapplication \ --iam-identity-center-options " { \"enabled\":true, \"iamIdentityCenterInstanceArn\":\"arn:aws:sso:::instance/ssoins-xxxxxxxxx\", \"iamRoleForIdentityCenterApplicationArn\":\"arn:aws:iam::555555555555:role/xxxxxxxx\" } "
Controlling access to an OpenSearch Application
OpenSearch user interface supports both AWS Identity and Access Management (IAM) and IAM Identity Center (IdC) for login. When creating an OpenSearch application, the default options is to use IAM and you can manage permissions to the OpenSearch application by IAM users. Optionally, you can opt to use IdC that links to your existing identity providers, for user login to the OpenSearch application. To enable IdC, click on the checkbox for “Authenticate with IAM Identity Center" in the OpenSearch application creation workflow, and then grant IdC users the permission to access the OpenSearch application.
You can also configure IAM and IdC configurations through the AWS Command Line Interface. See the following example:
aws opensearch create-application \ --name myapplication aws opensearch create-application \ --name myapplication \ --iam-identity-center-options " { \"enabled\":true, \"iamIdentityCenterInstanceArn\":\"arn:aws:sso:::instance/ssoins-xxxxxxxxx\", \"iamRoleForIdentityCenterApplicationArn\":\"arn:aws:iam::555555555555:role/xxxxxxxx\" } "
You will also need to specify the following trust policy for their IAM role using iamRoleForIdentityCenterApplication:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "application.opensearchservice.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:SetContext" ], "Condition": { "ForAllValues:ArnEquals": { "sts:RequestContextProviders": "arn:aws:iam::aws:contextProvider/IdentityCenter" } } } ] }
You will need to define the following permissions policies for the role as well:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "IdentityStoreOpenSearchDomainConnectivity", "Effect": "Allow", "Action": [ "identitystore:DescribeUser", "identitystore:ListGroupMembershipsForMember", "identitystore:DescribeGroup" ], "Resource": "*", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledViaLast": "es.amazonaws.com" } } }, { "Sid": "OpenSearchDomain", "Effect": "Allow", "Action": [ "es:ESHttp*" ], "Resource": "*" }, { "Sid": "OpenSearchServerless", // if need to access OpenSearch serverless collections "Effect": "Allow", "Action": [ "aoss:APIAccessAll" ], "Resource": "*" } ] }
In addition to enabling IdC in OpenSearch, you'll need to specify the following Trust
policy for your IAM role using the iamRoleForIdentityCenterApplication
parameter:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "application.opensearchservice.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:SetContext" ], "Condition": { "ForAllValues:ArnEquals": { "sts:RequestContextProviders": "arn:aws:iam::aws:contextProvider/IdentityCenter" } } } ] }
Define OpenSearch Application admin
OpenSearch application admin is the defined role with permission to edit and delete an OpenSearch application. As the creator of an OpenSearch, you will by default become the first admin of the OpenSearch application. Additional admins can be added to the OpenSearch application in the AWS Management Console, either during the application creation workflow or in the “edit application” page, by searching for the ARN of IAM principals or the name of IdC users in the OpenSearch application admins management search bar. Extra admins can be removed but there must be at least one admin for an OpenSearch application.
OpenSearch application admin management can also be done through the AWS Command Line Interface. Here are the examples of how to add IAM principals and IdC users as admin while creating an OpenSearch application.
aws opensearch create-application \ --name myapplication \ --app-configs " { \"key\":\"opensearchDashboards.dashboardAdmin.users\", \"value\":\"arn:aws:iam::555555555555:user/xxxxxxxx\" } " aws opensearch create-application \ --name myapplication \ --iam-identity-center-options " { \"enabled\":true, \"iamIdentityCenterInstanceArn\":\"arn:aws:sso:::instance/ssoins-xxxxxxxxx\", \"iamRoleForIdentityCenterApplicationArn\":\"arn:aws:iam::555555555555:role/xxxxxxxx\" } " \ --app-configs " { \"key\":\"opensearchDashboards.dashboardAdmin.users\", \"value\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\" } "
Here are the examples of how to update IAM principals and IdC users as admin to an existing OpenSearch application.
aws opensearch update-application \ --id myapplication \ --app-configs " { \"key\":\"opensearchDashboards.dashboardAdmin.users\", \"value\":\"arn:aws:iam::555555555555:user/xxxxxxxx\" } " aws opensearch update-application \ --id myapplication \ --app-configs " { \"key\":\"opensearchDashboards.dashboardAdmin.users\", \"value\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\" } "
Associate data sources with an OpenSearch application
An OpenSearch application can work with multiple data sources, including OpenSearch Service managed domains and serverless collections, as well as integrated data sources such as Amazon S3.
To associate data sources to an AWS application, click on associate resources button under the “Associated data sources” table, and follow the instructions.
Alternatively, you can use the AWS Command Line Interface to call an OpenSearch Application and update the associated data sources.
aws opensearch-es create-application \ --name myapplication \ --data-sources "[{\"dataSourceArn\": \"arn:aws:es:us-east-1:555555555555:domain/xxxxxxxx\"}]" aws opensearch update-application \ --id myapplication \ --data-sources "[{\"dataSourceArn\": \"arn:aws:es:us-east-1:555555555555:domain/xxxxxxxx\"}]"
Associate with OpenSearch domains in VPC
To associate a domain within a VPC as a data source to an OpenSearch user interface Dashboards application, you need the owner of the VPC to authorize the access on the domain side.
To authorize a VPC domain from the AWS Management Console:
-
Go to your OpenSearch Service console homepage.
-
Select Domains on the left navigation bar, and open the specific domain in vpc.
-
Under VPC endpoints, select Authorize principal, and then Authorized principals from other AWS. Select OpenSearch applications (Dashboard) from the drop down list
To authorize VPC domain access from the AWS Command Line Interface, you can use the
authorize-vpc-endpoint-access command
aws opensearch authorize-vpc-endpoint-access \ --domain-name<domain-name>\ --service application.opensearchservice.amazonaws.com \ --region<region>
Associate with OpenSearch Serverless collections in VPC
To associate an OpenSearch Serverless collections within a VPC as a data source to OpenSearch user interface Dashboards applications, you need the owner of the VPC to specifically authorize the access by creating a new network policy and attaching it to the collection.
To create or update a new network policy to make a collection in VPC work with an OpenSearch application from the AWS Management Console:
-
Navigate to your OpenSearch Service console homepage, and select Network policies under Serverless.
-
Select on Create network policy or select an existing policy and select Edit.
-
On the configuration page, navigate to the Access type section.
Select Private (recommended), and then select AWS service private access.
From the search bar, select
application.opensearchservice.amazonaws.com.-
Select the box for Enable access to OpenSearch endpoint under the resource type section.
-
In the search bar for collection name, enter or select the name of the collections that you want to attach with this network policy.
-
Create or save the settings for the network policy.
To create or update a new network policy to make a collection in VPC work with an OpenSearch application from the AWS Command Line Interface, you can use the following examples:
% aws opensearchserverless create-security-policy \ --type network \ --region $region \ --endpoint-url=$endpoint \ --name allow-public-service \ --policy file:/<path_to_network_policy_json_file> { "securityPolicyDetail": { "createdDate": ******, "lastModifiedDate": ******, "name": "<network_policy_name>", "policy": [ { "SourceVPCEs": [], "AllowFromPublic": false, "Description": "Test network policy statement", "Rules": [ { "Resource": [ "collection/<network_policy_name>" ], "ResourceType": "collection" } ], "SourceServices": [ "application.opensearchservice.amazonaws.com" ] } ], "policyVersion": "******", "type": "network" } }
Alternatively, you can update an existing network policy:
% aws opensearchserverless update-security-policy \ --type network \ --region $region \ --endpoint-url=$endpoint \ --name allow1-service \ --policy-version "<policy_version_from_output_of_network_policy_creation>" \ --policy file:/<path_to_network_policy_json_file> { "securityPolicyDetail": { "createdDate": ******, "lastModifiedDate": ******, "name": "<network_policy_name>", "policy": [ { "SourceVPCEs": [], "AllowFromPublic": false, "Description": "Test network policy statement", "Rules": [ { "Resource": [ "collection/<network_policy_name>" ], "ResourceType": "collection" } ], "SourceServices": [ "application.opensearchservice.amazonaws.com" ] } ], "policyVersion": "******", "type": "network" } }
Network policy JSON file example:
[{ "Description" : "Test network policy statement", "Rules": [{ "ResourceType" : "collection", "Resource" : ["collection/<collection_name>"] }], "SourceServices" : [ "application.opensearchservice.amazonaws.com" ], "AllowFromPublic" : false }]
When the association is no longer needed, the VPC domain owner can revoke the access using the following steps:
Go to OpenSearch Service console homepage.
Select Domains on the left navigation bar, and open the specific domain in VPC.
Under VPC endpoints, select AWS Service- OpenSearch Service applications (Dashboard) from the Authorized principals list and choose Revoke access.
Creating workspaces in an OpenSearch application
Once an OpenSearch application is created with an associated data sources and user permissions, the next step is to launch the OpenSearch application to create workspaces. To do this, you can select the Launch application button or use the OpenSearch application URL to open the OpenSearch application homepage in a new webpage. The OpenSearch application will list all the existing workspaces in the homepage, categorized by use case.
To associate data sources to an AWS application, click on associate resources button under the “Associate data sources” table, and follow the instructions.
There are five workspace types currently available in OpenSearch Service, each with different features available for the specific use case.
The Observability workspace is designed for gaining visibility into system health, performance, and reliability through monitoring of logs, metrics and traces. Observability workspace supports
The Security Analytics workspace is designed for detecting and investigating potential security threats and vulnerabilities across your systems and data.
-
The Search workspace is designed for quickly finding and exploring relevant information across your organization's data sources.
The Essentials workspace is designed for OpenSearch Serverless as a data source, and enables analyzing data to derive insights, identify patterns and trends, and make data driven decisions.quickly finding and exploring relevant information across your organization's data sources.
The Analytics (all features) workspace is designed for multi-purpose use cases and supports all the features available in OpenSearch Service UI (Dashboards).
