
SecurityPolicy

The SecurityPolicy resource lets you manage AWS OpenSearch Serverless security policies. A security policy is one of two types: an encryption policy (Type "encryption"), which decides which KMS key encrypts a set of collections, or a network policy (Type "network"), which decides whether a collection's API endpoint and its OpenSearch Dashboards are reachable from the public internet, from specific VPC endpoints, or from other AWS services. Security policies are not IAM documents: the Policy property is a JSON string in the OpenSearch Serverless rules format shown below, and it grants access to whole collections by name pattern. Permissions on the data itself (reading and writing indexes) come from a separate data access policy (CloudFormation type AWS::OpenSearchServerless::AccessPolicy), and a request must pass both the network policy and the data access policy to succeed. Names must be 3 to 32 characters of lowercase letters, digits and hyphens, starting with a letter, and are unique per type.

Create a basic encryption policy with the required properties and a description. Every collection must match exactly one encryption policy before it can be created, and here the AWS-owned key is used, so no KMS key management is needed.

  import AWS from "alchemy/aws/control";

  const securityPolicy = await AWS.OpenSearchServerless.SecurityPolicy("basicSecurityPolicy", {
    Name: "logs-encryption-policy",
    Policy: JSON.stringify({
      Rules: [
        {
          // Encryption policies only accept the "collection" resource type.
          ResourceType: "collection",
          // Name pattern: every collection whose name starts with "logs-".
          Resource: ["collection/logs-*"]
        }
      ],
      // Encrypt with the AWS-owned key (the alternative is a KmsARN, see below).
      AWSOwnedKey: true
    }),
    Type: "encryption",
    Description: "Encrypt all logs-* collections with the AWS-owned key."
  });

Define an encryption policy that covers several name patterns and uses a customer-managed KMS key for sensitive collections. A collection may match only one encryption policy, so keep the patterns here disjoint from those of other encryption policies in the account, and make sure the key policy on the KMS key allows OpenSearch Serverless to use it.

  const advancedSecurityPolicy = await AWS.OpenSearchServerless.SecurityPolicy("advancedSecurityPolicy", {
    Name: "sensitive-encryption-policy",
    Policy: JSON.stringify({
      Rules: [
        {
          ResourceType: "collection",
          Resource: [
            "collection/pii-*",
            "collection/finance-*"
          ]
        }
      ],
      // Customer-managed key. The key ID is the placeholder used in the AWS docs; replace it with your own.
      KmsARN: "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }),
    Type: "encryption",
    Description: "Encrypt PII and finance collections with a customer-managed KMS key."
  });

If you want to adopt an existing security policy instead of failing when one with the same Name and Type already exists, set the adopt property to true. The rules you pass here become the desired state for the adopted policy, so review them against the policy already in the account before adopting. This example adopts a network policy that exposes development collections and their dashboards publicly.

  const existingPolicy = await AWS.OpenSearchServerless.SecurityPolicy("adoptExistingPolicy", {
    Name: "dev-network-policy",
    // A network policy is an array of rule sets.
    Policy: JSON.stringify([
      {
        Rules: [
          { ResourceType: "collection", Resource: ["collection/dev-*"] },
          { ResourceType: "dashboard", Resource: ["collection/dev-*"] }
        ],
        AllowFromPublic: true
      }
    ]),
    Type: "network",
    adopt: true, // Adopt the existing policy with this Name and Type if it exists
    Description: "Public network access for dev-* collections; adopted if it already exists."
  });

Create a network policy that keeps a set of collections off the public internet. OpenSearch Serverless network policies do not take IP ranges or IAM conditions; the way to restrict by source network is to grant access only to an OpenSearch Serverless VPC endpoint (CloudFormation type AWS::OpenSearchServerless::VpcEndpoint) and enforce any CIDR restrictions with the security group attached to that endpoint. Network policies only grant access, never deny it, and the collection endpoint ("collection") and the dashboards ("dashboard") are separate resource types, so list both if both should be reachable.

  const privateNetworkPolicy = await AWS.OpenSearchServerless.SecurityPolicy("privateNetworkPolicy", {
    Name: "logs-private-network-policy",
    Policy: JSON.stringify([
      {
        Rules: [
          { ResourceType: "collection", Resource: ["collection/logs-*"] },
          { ResourceType: "dashboard", Resource: ["collection/logs-*"] }
        ],
        AllowFromPublic: false,
        // Placeholder ID; use the ID of the OpenSearch Serverless VPC endpoint you created.
        SourceVPCEs: ["vpce-0123456789abcdef0"]
      }
    ]),
    Type: "network",
    Description: "Reach logs-* collections and dashboards only through the VPC endpoint."
  });
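Because the Policy property is an opaque string, a malformed document (an IAM-style document, a mixed-case name, a public rule set that also lists VPC endpoints) is only rejected when the Cloud Control API is called. The following pre-flight validator is an added example and not part of Alchemy or AWS; the function name validateSecurityPolicy is hypothetical. It encodes the name pattern and policy length limit from the AWS::OpenSearchServerless::SecurityPolicy schema and the rule shapes for both policy types shown on this page, and flags the mistakes the page's examples guard against.

```typescript
// Added example (not Alchemy/AWS code): validate a Name/Type/Policy triple locally
// before passing it to AWS.OpenSearchServerless.SecurityPolicy.

type SecurityPolicyType = "encryption" | "network";

interface ValidationResult {
  ok: boolean;
  errors: string[];
}

// Constraints from the AWS::OpenSearchServerless::SecurityPolicy resource schema.
const NAME_PATTERN = /^[a-z][a-z0-9-]{2,31}$/;
const MAX_POLICY_LENGTH = 20480;
// Resource entries are "collection/<name>", optionally ending in a single "*" glob.
const RESOURCE_PATTERN = /^collection\/(\*|[a-z][a-z0-9-]*\*?)$/;

// Check one Rules array; allowedTypes differs between encryption and network policies.
function checkRules(rules: unknown, allowedTypes: string[], where: string, errors: string[]): void {
  if (!Array.isArray(rules) || rules.length === 0) {
    errors.push(`${where}: Rules must be a non-empty array`);
    return;
  }
  rules.forEach((rule, i) => {
    const r = (rule ?? {}) as Record<string, unknown>;
    if (!allowedTypes.includes(String(r.ResourceType))) {
      errors.push(`${where}.Rules[${i}]: ResourceType must be one of ${allowedTypes.join(", ")}`);
    }
    if (!Array.isArray(r.Resource) || r.Resource.length === 0) {
      errors.push(`${where}.Rules[${i}]: Resource must be a non-empty array`);
      return;
    }
    for (const res of r.Resource) {
      if (typeof res !== "string" || !RESOURCE_PATTERN.test(res)) {
        errors.push(`${where}.Rules[${i}]: bad resource ${JSON.stringify(res)} (expected collection/<name> or collection/<prefix>*)`);
      }
    }
  });
}

function validateSecurityPolicy(name: string, type: SecurityPolicyType, policy: string): ValidationResult {
  const errors: string[] = [];
  if (!NAME_PATTERN.test(name)) errors.push(`Name "${name}" must match ${NAME_PATTERN}`);
  if (policy.length > MAX_POLICY_LENGTH) errors.push(`Policy exceeds ${MAX_POLICY_LENGTH} characters`);

  let doc: unknown;
  try {
    doc = JSON.parse(policy);
  } catch {
    errors.push("Policy is not valid JSON");
    return { ok: false, errors };
  }

  if (type === "encryption") {
    // An encryption policy is a single object: Rules plus exactly one key choice.
    if (typeof doc !== "object" || doc === null || Array.isArray(doc)) {
      errors.push("encryption policy must be a single JSON object");
    } else {
      const d = doc as Record<string, unknown>;
      checkRules(d.Rules, ["collection"], "encryption", errors);
      const awsOwned = d.AWSOwnedKey === true;
      const kms = d.KmsARN;
      const hasKms = typeof kms === "string" && /^arn:aws[a-z-]*:kms:/.test(kms);
      if (awsOwned === hasKms) {
        errors.push("encryption policy must set exactly one of AWSOwnedKey: true or KmsARN");
      }
    }
  } else if (type === "network") {
    // A network policy is an array of rule sets; each set is public or scoped to sources, not both.
    if (!Array.isArray(doc) || doc.length === 0) {
      errors.push("network policy must be a non-empty JSON array of rule sets");
    } else {
      doc.forEach((set, i) => {
        const s = (set ?? {}) as Record<string, unknown>;
        const where = `network[${i}]`;
        checkRules(s.Rules, ["collection", "dashboard"], where, errors);
        const isPublic = s.AllowFromPublic === true;
        const vpces = Array.isArray(s.SourceVPCEs) ? s.SourceVPCEs.length : 0;
        const services = Array.isArray(s.SourceServices) ? s.SourceServices.length : 0;
        if (isPublic && vpces + services > 0) {
          errors.push(`${where}: AllowFromPublic: true cannot be combined with SourceVPCEs or SourceServices`);
        }
        if (!isPublic && vpces + services === 0) {
          errors.push(`${where}: a non-public rule set needs SourceVPCEs or SourceServices`);
        }
      });
    }
  } else {
    errors.push(`Type must be "encryption" or "network", got "${String(type)}"`);
  }
  return { ok: errors.length === 0, errors };
}
```

Run it on the Name, Type and Policy you are about to pass to AWS.OpenSearchServerless.SecurityPolicy and refuse to deploy when ok is false; the errors array names the offending rule set and rule so the fix is quick to locate.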