
Step 1: Create the Serverless security policies - Migration Assistant for Amazon OpenSearch Service

Step 1: Create the Serverless security policies

Create the collection’s security policies before you create the collection. Creating a collection that has no matching encryption policy fails, and without matching network and data access policies the migration cannot reach the collection or write to it. Create the policies in this order: encryption, network, then data access.

Create the encryption policy

The encryption policy selects the AWS Key Management Service (AWS KMS) key that protects the collection’s data at rest. The following example uses an AWS owned key (AWSOwnedKey: true) and matches a single collection named vector-search:

aws opensearchserverless create-security-policy \
  --name vector-search-encryption \
  --type encryption \
  --policy '{
    "Rules": [
      {
        "ResourceType": "collection",
        "Resource": ["collection/vector-search"]
      }
    ],
    "AWSOwnedKey": true
  }'

Create the network policy

The network policy controls whether the collection endpoint (and its OpenSearch Dashboards endpoint) is reachable from public networks or only from OpenSearch Serverless-managed VPC endpoints. Choose the access pattern that matches how the Amazon EKS cluster reaches the collection.

For a collection reachable over public networks:

aws opensearchserverless create-security-policy \
  --name vector-search-network \
  --type network \
  --policy '[
    {
      "Description": "Public access for vector-search collection",
      "Rules": [
        {
          "ResourceType": "collection",
          "Resource": ["collection/vector-search"]
        },
        {
          "ResourceType": "dashboard",
          "Resource": ["collection/vector-search"]
        }
      ],
      "AllowFromPublic": true
    }
  ]'

For private (VPC-only) access, set "AllowFromPublic": false and list your OpenSearch Serverless-managed VPC endpoints in a SourceVPCEs array. The Amazon EKS cluster must be able to reach one of those endpoints.

Note

Even with public network access, the data access policy still controls which IAM principals can read or write data. Network access only determines which networks can reach the endpoint.

Create the data access policy

The data access policy grants the migration IAM role the collection- and index-level permissions it needs to create indexes and bulk-index documents. The principal is the migration role created by the Amazon EKS deployment, named <eks-cluster-name>-migrations-role.

aws opensearchserverless create-access-policy \
  --name vector-search-data \
  --type data \
  --policy '[
    {
      "Description": "Migration write access for vector-search",
      "Rules": [
        {
          "ResourceType": "collection",
          "Resource": ["collection/vector-search"],
          "Permission": ["aoss:CreateCollectionItems", "aoss:DescribeCollectionItems"]
        },
        {
          "ResourceType": "index",
          "Resource": ["index/vector-search/*"],
          "Permission": ["aoss:CreateIndex", "aoss:UpdateIndex", "aoss:DescribeIndex", "aoss:WriteDocument", "aoss:ReadDocument"]
        }
      ],
      "Principal": ["arn:aws:iam::<ACCOUNT_ID>:role/<eks-cluster-name>-migrations-role"]
    }
  ]'
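The three documents above are easy to get subtly wrong by hand (a collection wildcard in the data policy, a private network policy with no VPC endpoints, a principal broader than the migration role). The following Python is an added example, not part of the Migration Assistant documentation or tooling: it builds the encryption, network and data access documents for one collection in the order this step prescribes and lints them before they are handed to the CLI. The collection name, account ID, EKS cluster name and VPC endpoint ID are constructed placeholders.

```python
import re

# Constructed placeholder inputs; substitute your own account and cluster.
COLLECTION, ACCOUNT_ID, EKS_CLUSTER = "vector-search", "111122223333", "my-eks-cluster"

def build_policies(collection, account_id, cluster, vpc_endpoints=None):
    """Return the encryption, network and data access documents for one collection,
    in creation order. A non-empty vpc_endpoints list gives a private (VPC-only)
    network policy; None gives the public variant shown on this page."""
    res = [f"collection/{collection}"]
    encryption = {"Rules": [{"ResourceType": "collection", "Resource": res}],
                  "AWSOwnedKey": True}
    network = {"Description": f"Network access for {collection}",
               "Rules": [{"ResourceType": "collection", "Resource": res},
                         {"ResourceType": "dashboard", "Resource": res}],
               "AllowFromPublic": not vpc_endpoints}
    if vpc_endpoints:
        network["SourceVPCEs"] = list(vpc_endpoints)
    data = {"Description": f"Migration write access for {collection}",
            "Rules": [{"ResourceType": "collection", "Resource": res,
                       "Permission": ["aoss:CreateCollectionItems",
                                      "aoss:DescribeCollectionItems"]},
                      {"ResourceType": "index",
                       "Resource": [f"index/{collection}/*"],
                       "Permission": ["aoss:CreateIndex", "aoss:UpdateIndex",
                                      "aoss:DescribeIndex", "aoss:WriteDocument",
                                      "aoss:ReadDocument"]}],
            "Principal": [f"arn:aws:iam::{account_id}:role/{cluster}-migrations-role"]}
    return {"encryption": encryption, "network": [network], "data": [data]}

def lint_policies(policies, collection):
    """Return findings (empty list = OK): every rule is scoped to this one collection,
    a private network policy names its VPC endpoints, and the data policy grants
    no aoss:* and only to a *-migrations-role principal."""
    findings, ok_prefixes = [], (f"collection/{collection}", f"index/{collection}/")
    rules = list(policies["encryption"]["Rules"])  # copy: do not mutate the document
    rules += [r for stmt in policies["network"] + policies["data"] for r in stmt["Rules"]]
    for rule in rules:
        for r in rule["Resource"]:
            if r != ok_prefixes[0] and not r.startswith(ok_prefixes[1]):
                findings.append(f"resource {r} is not scoped to {collection}")
        if "aoss:*" in rule.get("Permission", []):
            findings.append("data access rule grants aoss:*")
    for stmt in policies["network"]:
        if not stmt["AllowFromPublic"] and not stmt.get("SourceVPCEs"):
            findings.append("private network policy lists no SourceVPCEs")
    for p in (p for stmt in policies["data"] for p in stmt["Principal"]):
        if not re.fullmatch(r"arn:aws:iam::\d{12}:role/.+-migrations-role", p):
            findings.append(f"unexpected principal {p}")
    return findings
```

Once `lint_policies` returns an empty list, `json.dumps(policies["encryption"])`, `json.dumps(policies["network"])` and `json.dumps(policies["data"])` are the strings to pass as `--policy` to the three `create-security-policy` / `create-access-policy` calls above.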