

# Tutorial: Getting started with security in Amazon OpenSearch Serverless (console)
<a name="gsg-serverless"></a>

In this tutorial, you create and manage security policies using the Amazon OpenSearch Serverless console.

You complete the following steps in this tutorial:

1. [Configure permissions](#gsgpermissions)

1. [Create an encryption policy](#gsg-encryption)

1. [Create a network policy](#gsg-network)

1. [Configure a data access policy](#gsg-data-access)

1. [Create a collection](#gsgcreate-collection)

1. [Upload and search data](#gsgindex-collection)

This tutorial shows you how to set up a collection using the AWS Management Console. For the same steps using the AWS CLI, see [Tutorial: Getting started with security in Amazon OpenSearch Serverless (CLI)](gsg-serverless-cli.md).

## Step 1: Configure permissions
<a name="gsgpermissions"></a>

**Note**  
You can skip this step if you're already using a broader identity-based policy, such as `"Action":"aoss:*"` or `"Action":"*"`. In production environments, however, follow the principle of least privilege and assign only the minimum permissions necessary to complete a task.

To complete this tutorial, you must have the correct IAM permissions. Your user or role must have an attached [identity-based policy](security-iam-serverless.md#security-iam-serverless-id-based-policies) with the following minimum permissions:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "aoss:ListCollections",
        "aoss:BatchGetCollection",
        "aoss:CreateCollection",
        "aoss:CreateSecurityPolicy",
        "aoss:GetSecurityPolicy",
        "aoss:ListSecurityPolicies",
        "aoss:CreateAccessPolicy",
        "aoss:GetAccessPolicy",
        "aoss:ListAccessPolicies"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

For a full list of OpenSearch Serverless permissions, see [Identity and Access Management for Amazon OpenSearch Serverless](security-iam-serverless.md).

## Step 2: Create an encryption policy
<a name="gsg-encryption"></a>

[Encryption policies](serverless-encryption.md) specify the AWS KMS key that OpenSearch Serverless uses to encrypt the collection. You can encrypt collections with an AWS owned key or a customer managed key. For simplicity in this tutorial, you encrypt your collection with an AWS owned key.

**To create an encryption policy**

1. Open the Amazon OpenSearch Service console at [https://console.aws.amazon.com/aos/home](https://console.aws.amazon.com/aos/home ).

1. Expand **Serverless** in the left navigation pane and choose **Encryption policies**.

1. Choose **Create encryption policy**.

1. Name the policy `books-policy`. For the description, enter `Encryption policy for books collection`.

1. Under **Resources**, enter `books`, which is what you name your collection. If you want to be more broad, you can include an asterisk (`books*`) to make the policy apply to all collections beginning with the word "books".

1. For **Encryption**, keep **Use AWS owned key** selected.

1. Choose **Create**.

## Step 3: Create a network policy
<a name="gsg-network"></a>

[Network policies](serverless-network.md) determine whether your collection is accessible over the internet from public networks, or whether it must be accessed through OpenSearch Serverless–managed VPC endpoints. In this tutorial, you configure public access.

**To create a network policy**

1. Choose **Network policies** in the left navigation pane and choose **Create network policy**.

1. Name the policy `books-policy`. For the description, enter `Network policy for books collection`.

1. Under **Rule 1**, name the rule `Public access for books collection`.

1. For simplicity in this tutorial, configure public access for the *books* collection. For the access type, select **Public**.

1. You access the collection from OpenSearch Dashboards. To do this, you need to configure network access for Dashboards *and* the OpenSearch endpoint, otherwise Dashboards won't function.

   For the resource type, enable both **Access to OpenSearch endpoints** and **Access to OpenSearch Dashboards**.

1. In both input boxes, enter `Collection Name = books`. This setting scopes the policy down so that it only applies to a single collection (`books`). Your rule should look like this:  
![Search interface showing two input fields for collection or prefix term selection, both set to "books".](http://docs.aws.amazon.com/opensearch-service/latest/developerguide/images/serverless-tutorial-network.png)

1. Choose **Create**.

## Step 4: Create a data access policy
<a name="gsg-data-access"></a>

You can't access your collection data until you configure data access. [Data access policies](serverless-data-access.md) are separate from the IAM identity-based policy that you configured in step 1. They allow users to access the actual data within a collection.

In this tutorial, you provide a single user the permissions required to index data into the *books* collection.

**To create a data access policy**

1. Choose **Data access policies** in the left navigation pane and choose **Create access policy**.

1. Name the policy `books-policy`. For the description, enter `Data access policy for books collection`.

1. Select **JSON** for the policy definition method and paste the following policy in the JSON editor.

   Replace the principal ARN with the ARN of the IAM user or role that you use to sign in to OpenSearch Dashboards and index data.

   ```
   [
      {
         "Rules":[
            {
               "ResourceType":"index",
               "Resource":[
                  "index/books/*"
               ],
               "Permission":[
                  "aoss:CreateIndex",
                  "aoss:DescribeIndex",
                  "aoss:ReadDocument",
                  "aoss:WriteDocument",
                  "aoss:UpdateIndex",
                  "aoss:DeleteIndex"
               ]
            }
         ],
         "Principal":[
            "arn:aws:iam::123456789012:user/my-user"
         ]
      }
   ]
   ```

   This policy grants a single user the permissions needed to create an index in the *books* collection, index documents into it, and search them. `aoss:UpdateIndex` and `aoss:DeleteIndex` are not exercised anywhere in this tutorial; remove them if you want the policy limited to exactly what step 6 performs.

1. Choose **Create**.

## Step 5: Create a collection
<a name="gsgcreate-collection"></a>

Now that you configured encryption, network, and data access policies, you can create a collection whose name matches them. OpenSearch Serverless applies the matching policies automatically.

**To create an OpenSearch Serverless collection**

1. Choose **Collections** in the left navigation pane and choose **Create collection**.

1. In the **Serverless generation** field, choose **Switch to Classic** if not already on Classic.

1. For the collection name, enter `books`.

1. For collection type, choose **Search**.

1. Under **Encryption**, OpenSearch Serverless informs you that the collection name matches the `books-policy` encryption policy.

1. Under **Network access settings**, OpenSearch Serverless informs you that the collection name matches the `books-policy` network policy.

1. Choose **Next**.

1. Under **Data access policy options**, OpenSearch Serverless informs you that the collection name matches the `books-policy` data access policy.

1. Choose **Next**.

1. Under **Configure OpenSearch UI**, configure the OpenSearch application and workspace for your collection. Choose **Select existing OpenSearch application** or **Create new OpenSearch application**, and select or create a workspace. Choose **Next**.

1. Review the collection configuration and choose **Submit**. Collections typically take less than a minute to initialize.

**Note**  
This tutorial uses the Classic collection creation flow to demonstrate how pre-configured security policies are automatically matched during collection creation. For information about creating collections using the NextGen flow, see [Creating collections](serverless-create.md).
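The policies from steps 2 through 4 and the name matching the console performs in step 5, as an added Python example that is not part of this tutorial or of the OpenSearch Serverless console. It builds the three policy documents in the JSON shape the OpenSearch Serverless API accepts (the console forms produce equivalent documents), reports which named policies a candidate collection name would match, and lints the data access policy against the index permissions step 6 actually uses. The account ID, user name and policy names are placeholders.

```python
"""Added example, not part of the console tutorial: build the encryption, network
and data access policies for one collection, check which policies a collection
name would match, and lint the data access policy for least privilege.
Account ID, user name and policy names are placeholders."""
import json

COLLECTION = "books"

encryption_policy = {
    "Rules": [{"ResourceType": "collection", "Resource": [f"collection/{COLLECTION}"]}],
    "AWSOwnedKey": True,
}

network_policy = [{
    "Description": "Public access for books collection",
    "Rules": [
        {"ResourceType": "collection", "Resource": [f"collection/{COLLECTION}"]},
        {"ResourceType": "dashboard", "Resource": [f"collection/{COLLECTION}"]},
    ],
    "AllowFromPublic": True,
}]

data_access_policy = [{
    "Rules": [{
        "ResourceType": "index",
        "Resource": [f"index/{COLLECTION}/*"],
        "Permission": ["aoss:CreateIndex", "aoss:DescribeIndex", "aoss:ReadDocument",
                       "aoss:WriteDocument", "aoss:UpdateIndex", "aoss:DeleteIndex"],
    }],
    "Principal": ["arn:aws:iam::123456789012:user/my-user"],  # placeholder principal
}]

# Index permissions step 6 actually exercises: create books-index, write and read a
# document, and describe the index when Dashboards builds the index pattern.
TUTORIAL_NEEDS = {"aoss:CreateIndex", "aoss:DescribeIndex", "aoss:ReadDocument", "aoss:WriteDocument"}


def resource_matches(resource: str, collection_name: str) -> bool:
    """Match 'collection/books' or 'collection/books*' against a collection name.
    Only the trailing '*' wildcard the console offers is supported."""
    kind, _, pattern = resource.partition("/")
    if kind != "collection":
        return False
    if pattern.endswith("*"):
        return collection_name.startswith(pattern[:-1])
    return collection_name == pattern


def policy_matches(policy, collection_name: str, resource_type: str = "collection") -> bool:
    """True if any rule of the given resource type in the policy covers the collection."""
    statements = policy if isinstance(policy, list) else [policy]
    return any(
        resource_matches(res, collection_name)
        for stmt in statements
        for rule in stmt["Rules"] if rule["ResourceType"] == resource_type
        for res in rule["Resource"]
    )


def matching_policies(collection_name: str, encryption_policies: dict, network_policies: dict) -> dict:
    """Names of the policies a new collection would match, as the console reports in
    step 5. A collection must match exactly one encryption policy, so anything else
    is reported as an error instead of failing later at collection creation."""
    enc = [name for name, pol in encryption_policies.items() if policy_matches(pol, collection_name)]
    if len(enc) != 1:
        raise ValueError(f"{collection_name!r} matches {len(enc)} encryption policies: {enc}")
    net = [name for name, pol in network_policies.items() if policy_matches(pol, collection_name)]
    return {"encryption": enc[0], "network": net}


def lint_data_access_policy(policy: list, collection_name: str, needed: set) -> list:
    """Report deviations from least privilege: non-specific principals, index
    resources outside the collection, wildcard or unneeded permissions."""
    findings = []
    for stmt in policy:
        for principal in stmt["Principal"]:
            if principal == "*" or not principal.startswith("arn:aws:iam::"):
                findings.append(f"principal is not a specific IAM ARN: {principal}")
        for rule in stmt["Rules"]:
            if rule["ResourceType"] == "index":
                for res in rule["Resource"]:
                    if not res.startswith(f"index/{collection_name}/"):
                        findings.append(f"index resource not scoped to {collection_name}: {res}")
            if "aoss:*" in rule["Permission"]:
                findings.append("wildcard permission aoss:*")
            extra = sorted(set(rule["Permission"]) - needed - {"aoss:*"})
            if extra:
                findings.append("permissions beyond what the tutorial uses: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    print(json.dumps(matching_policies(COLLECTION, {"books-policy": encryption_policy},
                                       {"books-policy": network_policy})))
    for finding in lint_data_access_policy(data_access_policy, COLLECTION, TUTORIAL_NEEDS):
        print("finding:", finding)
```

Run against the policy pasted in step 4, the lint reports only that `aoss:UpdateIndex` and `aoss:DeleteIndex` go beyond what step 6 uses. Feeding `matching_policies` a second encryption policy with a trailing-wildcard resource such as `collection/books*` shows why overlapping encryption policies are a problem: the name then matches two of them and collection creation would be rejected.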

## Step 6: Upload and search data
<a name="gsgindex-collection"></a>

You can upload data to an OpenSearch Serverless collection using Postman or curl. For brevity, these examples use **Dev Tools** within the OpenSearch Dashboards console.

**To index and search data in a collection**

1. Choose **Collections** in the left navigation pane and choose the **books** collection to open its details page.

1. Choose the OpenSearch Dashboards URL for the collection. The URL takes the format `https://collection-id.us-east-1.aoss.amazonaws.com/_dashboards`, where *collection-id* is the ID that OpenSearch Serverless assigned to the collection and the Region segment matches the Region the collection was created in.

1. Sign in to OpenSearch Dashboards using the [AWS access and secret keys](https://docs.aws.amazon.com/powershell/latest/userguide/pstools-appendix-sign-up.html) for the principal that you specified in your data access policy.

1. Within OpenSearch Dashboards, open the left navigation menu and choose **Dev Tools**.

1. To create a single index called *books-index*, run the following command:

   ```
   PUT books-index
   ```
![OpenSearch Dashboards console showing PUT request for books-index with JSON response.](http://docs.aws.amazon.com/opensearch-service/latest/developerguide/images/serverless-createindex.png)

1. To index a single document into *books-index*, run the following command:

   ```
   PUT books-index/_doc/1
   { 
     "title": "The Shining",
     "author": "Stephen King",
     "year": 1977
   }
   ```

1. To search data in OpenSearch Dashboards, you need to configure at least one index pattern. OpenSearch uses these patterns to identify which indexes you want to analyze. Open the Dashboards main menu, choose **Stack Management**, choose **Index Patterns**, and then choose **Create index pattern**. For this tutorial, enter *books-index*.

1. Choose **Next step** and then choose **Create index pattern**. After the pattern is created, you can view the various document fields such as `author` and `title`.

1. To begin searching your data, open the main menu again and choose **Discover**, or use the [search API](https://opensearch.org/docs/latest/opensearch/rest-api/search/).
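Step 6 notes that the same requests can be sent with curl or Postman. Outside Dashboards they must carry a SigV4 signature for the `aoss` service, made with the credentials of the principal named in the data access policy. The following is an added Python example, not code from this tutorial or from any AWS SDK, that signs the `PUT books-index/_doc/1` request with only the standard library and renders it as a curl command. The endpoint host, the fixed timestamp and the AWS example key pair are placeholders; the function handles plain paths without query strings, which is all the tutorial's requests need.

```python
"""Added example, not part of the tutorial: SigV4-sign a request to an OpenSearch
Serverless collection endpoint (service name 'aoss') using only the standard
library, so the Dev Tools PUT can be replayed with curl. Host, timestamp and
credentials below are placeholders (the key pair is AWS's documented example pair)."""
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "aoss"  # signing service name for OpenSearch Serverless

EXAMPLE_HOST = "abc123example.us-east-1.aoss.amazonaws.com"  # placeholder collection endpoint
EXAMPLE_PATH = "/books-index/_doc/1"
EXAMPLE_BODY = b'{"title": "The Shining", "author": "Stephen King", "year": 1977}'
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"            # AWS example key, never real
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EXAMPLE_DATE = "20240102T030405Z"  # fixed so the output is reproducible


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sign_aoss_request(method: str, host: str, path: str, body: bytes, region: str,
                      access_key: str, secret_key: str, amz_date: str,
                      session_token: str = None) -> dict:
    """Return the headers for a SigV4-signed request to https://host/path.
    amz_date is 'YYYYMMDDTHHMMSSZ'; pass the current UTC time in real use.
    Query strings are not handled (the tutorial's requests have none)."""
    payload_hash = sha256_hex(body)
    headers = {
        "host": host,
        "content-type": "application/json",
        # OpenSearch Serverless requires the payload hash header in signed requests.
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    if session_token:  # temporary credentials (roles, SSO) carry a session token
        headers["x-amz-security-token"] = session_token

    # Canonical request: method, URI, (empty) query string, headers, signed headers, payload hash.
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{name}:{headers[name].strip()}\n" for name in sorted(headers))
    canonical_request = "\n".join([method.upper(), quote(path, safe="/"), "",
                                   canonical_headers, signed_headers, payload_hash])

    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical_request.encode("utf-8"))])

    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    for part in (region, SERVICE, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def as_curl(method: str, host: str, path: str, body: bytes, headers: dict) -> str:
    """Render the signed request as a curl command (curl sets Host from the URL)."""
    flags = " ".join(f"-H '{name}: {value}'" for name, value in headers.items() if name != "host")
    return f"curl -X {method.upper()} 'https://{host}{path}' {flags} --data '{body.decode('utf-8')}'"


def example_headers(body: bytes = EXAMPLE_BODY, session_token: str = None) -> dict:
    """Sign the tutorial's document PUT with the placeholder endpoint and credentials."""
    return sign_aoss_request("PUT", EXAMPLE_HOST, EXAMPLE_PATH, body, "us-east-1",
                             EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, EXAMPLE_DATE, session_token)


if __name__ == "__main__":
    print(as_curl("PUT", EXAMPLE_HOST, EXAMPLE_PATH, EXAMPLE_BODY, example_headers()))
```

In real use take the timestamp from the current UTC clock (`datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")`) and the credentials from the principal named in the data access policy; if they are temporary credentials, pass the session token so that it becomes part of the signed headers. The `x-amz-content-sha256` header carries the payload hash, which is why the body is hashed before signing and why changing a single byte of the document invalidates the signature.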