This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::OpenSearchServerless::AccessPolicy Creates a data access policy for OpenSearch Serverless. Access policies limit access to collections and the resources within them, and allow a user to access that data irrespective of the access mechanism or network source. For more information, see [Data access control for Amazon OpenSearch Serverless](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html). ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::OpenSearchServerless::AccessPolicy", "Properties" : { "[Description](#cfn-opensearchserverless-accesspolicy-description)" : String, "[Name](#cfn-opensearchserverless-accesspolicy-name)" : String, "[Policy](#cfn-opensearchserverless-accesspolicy-policy)" : String, "[Type](#cfn-opensearchserverless-accesspolicy-type)" : String } } ``` ### YAML ``` Type: AWS::OpenSearchServerless::AccessPolicy Properties: [Description](#cfn-opensearchserverless-accesspolicy-description): String [Name](#cfn-opensearchserverless-accesspolicy-name): String [Policy](#cfn-opensearchserverless-accesspolicy-policy): String [Type](#cfn-opensearchserverless-accesspolicy-type): String ``` ## Properties `Description` The description of the policy. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `1000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The name of the policy. *Required*: Yes *Type*: String *Pattern*: `^[a-z][a-z0-9-]{2,31}$` *Minimum*: `3` *Maximum*: `32` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Policy` The JSON policy document without any whitespaces. *Required*: Yes *Type*: String *Pattern*: `[\u0009\u000A\u000D\u0020-\u007E\u00A1-\u00FF]+` *Minimum*: `1` *Maximum*: `20480` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Type` The type of access policy. Currently the only option is `data`. *Required*: Yes *Type*: String *Allowed values*: `data` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the name of the access policy. For more information about using the `Ref` function, see [Ref](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html). ## Examples ### Create an access policy that allows access to all collections and indexes The following example specifies an OpenSearch Serverless access policy that provides full access to the resources within `my-collection` to the user `test-user`. For a complete sample policy that creates network, encryption, and access policies, as well as a matching collection, see [Using AWS CloudFormation to create Amazon OpenSearch Serverless collections](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-cfn.html) in the *Amazon OpenSearch Service Developer Guide.* #### JSON ``` { "Description":"OpenSearch Serverless access policy template", "Resources":{ "TestAccessPolicy":{ "Type":"AWS::OpenSearchServerless::AccessPolicy", "Properties":{ "Name":"test-access-policy", "Type":"data", "Description":"Access policy for my-collection", "Policy":{ "Fn::Sub":"[{\"Description\":\"Access for test-user\",\"Rules\":[{\"ResourceType\":\"index\",\"Resource\":[\"index/*/*\"],\"Permission\":[\"aoss:*\"]}, {\"ResourceType\":\"collection\",\"Resource\":[\"collection/my-collection\"],\"Permission\":[\"aoss:*\"]}], \"Principal\":[\"arn:aws:iam::${AWS::AccountId}:user/test-user\"]}]" } } ``` #### YAML ``` Description: 'OpenSearch Serverless access policy template' Resources: TestAccessPolicy: Type: 'AWS::OpenSearchServerless::AccessPolicy' Properties: Name: test-access-policy Type: data Description: Access policy for my-collection Policy: !Sub >- [{"Description":"Access for test-user","Rules":[{"ResourceType":"index","Resource":["index/*/*"],"Permission":["aoss:*"]}, {"ResourceType":"collection","Resource":["collection/my-collection"],"Permission":["aoss:*"]}], "Principal":["arn:aws:iam::${AWS::AccountId}:user/test-user"]}] ```