Temporarily Accessing Private OpenSearch Index
Introduction
Our current OpenSearch deployment is hosted in a private VPC and is not directly accessible over the internet. For debugging, testing, or analytics purposes, there might be a temporary need to access the OpenSearch Dashboard from outside the VPC.
This document outlines the steps required to make the OpenSearch Dashboard temporarily accessible by modifying its access settings. Please note that this should only be done in controlled and time-bound scenarios with appropriate monitoring.
Identify the Dashboard Endpoint (Collection)
For each release, a new OpenSearch collection is created following the naming pattern “Instance-StackNumber-synsearch”. To grant temporary access to the OpenSearch dashboard, log in to the AWS OpenSearch Console and locate the specific collection for which access is needed.
Modify Network Policy
Once the collection is selected, click Manage network access. From the list of network policies, choose the policy whose name is the same as the collection name, for example prod-553-synsearch.
Click on Edit to edit the network policy.
You will notice that the access type is set to Private and a VPC endpoint is configured. Make a note of this VPC endpoint, as you’ll need it to revert the changes once the task is complete. To allow temporary access, change the Access type to Public, enable access to OpenSearch Dashboards, select the appropriate collection name, and click Update.
Modify Data access
For the selected collection, update the data access policy to allow the user to access the OpenSearch Dashboard. To do this, click on Manage data access.
From the list of data access policies, choose the policy whose name is the same as the collection name, for example prod-553-synsearch.
Click the Edit button.
You will notice that under “Select Principal” a shared stack principal is already added. Add a new principal for whoever you want to grant access to. Click the Add principals button and choose “IAM users and roles”.
You will be asked to select an IAM user. Add the ARN of the role to which you want to give access. In this example I am giving access to the Developer role, so I am adding the ARN of the Developer role. Click the “Save” button to save the changes.
Access Dashboard
We have changed the network policy to public and added the user who can access the dashboard. Go to the collection and click “OpenSearch Dashboards URL”. It will open the dashboard.
Click on Dev tools to execute a search. I tried a query with the term “cancer related” and it gave me “10000” results.
Revert Back to Original Settings
It is important to revert the OpenSearch collection access back to Private and remove any temporary access permissions (principals) once the task is completed, as leaving the endpoint public is a security risk and could lead to accidental modifications.
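One way to confirm the revert is complete is to check the exported network and data access policy JSON against the values noted before the change. The following is an added example, not part of the original runbook; the function name audit_revert, the VPC endpoint ID, the account ID and the role names are placeholders, and it assumes the policy lists the collection by its exact name.

```python
import json

# Constructed sample policies in the OpenSearch Serverless policy JSON layout.
# The VPC endpoint ID, account ID and role names are placeholders.
NETWORK_POLICY_PUBLIC = json.loads("""
[{"Rules": [{"ResourceType": "collection", "Resource": ["collection/prod-553-synsearch"]},
            {"ResourceType": "dashboard",  "Resource": ["collection/prod-553-synsearch"]}],
  "AllowFromPublic": true}]
""")
NETWORK_POLICY_PRIVATE = json.loads("""
[{"Rules": [{"ResourceType": "collection", "Resource": ["collection/prod-553-synsearch"]}],
  "AllowFromPublic": false, "SourceVPCEs": ["vpce-0123456789abcdef0"]}]
""")
DATA_POLICY_TEMP = json.loads("""
[{"Rules": [{"ResourceType": "index", "Resource": ["index/prod-553-synsearch/*"],
             "Permission": ["aoss:ReadDocument"]}],
  "Principal": ["arn:aws:iam::111122223333:role/shared-stack",
                "arn:aws:iam::111122223333:role/Developer"]}]
""")


def audit_revert(network_policy, data_policy, collection, noted_vpce, baseline_principals):
    """Return a list of findings; an empty list means the revert is complete."""
    findings, matched = [], False
    target = f"collection/{collection}"
    for stmt in network_policy:
        resources = {r for rule in stmt.get("Rules", []) for r in rule.get("Resource", [])}
        if target not in resources:
            continue  # statement covers other collections
        matched = True
        if stmt.get("AllowFromPublic", False):
            findings.append("network: access type is still Public")
        elif noted_vpce not in stmt.get("SourceVPCEs", []):
            findings.append(f"network: VPC endpoint {noted_vpce} not restored")
    if not matched:
        findings.append(f"network: no statement covers {target}")
    for stmt in data_policy:
        for arn in stmt.get("Principal", []):
            if arn not in baseline_principals:
                findings.append(f"data: temporary principal still present: {arn}")
    return findings


if __name__ == "__main__":
    base = {"arn:aws:iam::111122223333:role/shared-stack"}
    for f in audit_revert(NETWORK_POLICY_PUBLIC, DATA_POLICY_TEMP,
                          "prod-553-synsearch", "vpce-0123456789abcdef0", base):
        print(f)
```

Run it once before the change to record the baseline principals and once after the revert; any finding means the collection is still more exposed than it was.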