Security - Text Analysis with Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) and Amazon Comprehend

Security

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden because AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services run. For more information about security on AWS, visit the AWS Security Center.

Access control

Customers who require restricted network connectivity can set the EnableVPC AWS CloudFormation template parameter to true. This lets you place the AWS Lambda functions and the Amazon OpenSearch Service cluster inside an Amazon Virtual Private Cloud (Amazon VPC) and configure that VPC to secure network access to them.

By default, the solution allows anyone to call the proxy Amazon API Gateway endpoint without signing the request, so you can quickly interact with the proxy API using curl or other HTTP clients. To restrict access, set the APIGatewayAuthorizationType template parameter to AWS_IAM; callers must then sign each HTTP request with the credentials of an IAM user or role that has permission to invoke the proxy API.

The solution also creates a managed policy with minimal permissions and an example IAM role with that policy attached, to help you create AWS Identity and Access Management (IAM) users and roles with limited permissions that are sufficient to invoke the proxy endpoint. The managed policy and example role ARNs appear in the stack's Outputs tab under the keys ProxyAccessPolicyArn and ExampleProxyAccessRoleArn.

For an example of signing an HTTP request to the proxy service, see Signing the HTTP requests to proxy service.