Amazon OpenSearch Service: Mechanisms to secure your domain

Big Data Blog



This article explains security mechanisms for Amazon OpenSearch Service domains, covering authentication, authorization, encryption, and network access controls.

  • Three-layer security: network access, domain access policy, and fine-grained access control
  • Fine-grained access control (FGAC) enables index-, document-, and field-level security restrictions
  • Public access domains use FGAC with internal user database or IAM authentication
  • VPC access domains recommended for production with IAM primary user and Amazon Cognito
  • Encryption required with FGAC: TLS 1.2+ in transit, AWS KMS at rest
  • Customer-managed KMS keys recommended over AWS-owned keys for production
  • Backend roles map IAM identities to OpenSearch permissions for consistent access control
  • Field masking and document-level security hide sensitive data from unauthorized users

Amazon OpenSearch Service provides layered security mechanisms suitable for both development and production workloads, with VPC access and IAM-based authentication recommended for enterprise deployments.
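
The checklist above can be turned into an automated check. The following is an added example, not code from the article or from AWS: it audits a domain description using the field names of the DomainStatus structure returned by the DescribeDomain API. The sample domains, the customer_managed_key parameter, and the finding messages are assumptions of this example.

```python
# Added example: field names follow the DomainStatus structure returned by the
# OpenSearch Service DescribeDomain API; all sample values are constructed.

def audit_domain(status, customer_managed_key=None):
    """Return findings for one domain; an empty list means all checks pass.
    customer_managed_key (assumption): True/False from a KMS lookup, None to skip."""
    fgac = status.get("AdvancedSecurityOptions") or {}
    endpoint = status.get("DomainEndpointOptions") or {}
    at_rest = status.get("EncryptionAtRestOptions") or {}
    node = status.get("NodeToNodeEncryptionOptions") or {}
    vpc = status.get("VPCOptions") or {}
    findings = []
    if not vpc.get("VPCId"):
        findings.append("public endpoint: domain is not in a VPC")
    if not fgac.get("Enabled"):
        findings.append("fine-grained access control is disabled")
    if fgac.get("InternalUserDatabaseEnabled"):
        findings.append("internal user database is enabled instead of IAM")
    if not endpoint.get("EnforceHTTPS"):
        findings.append("HTTPS is not enforced")
    if not (endpoint.get("TLSSecurityPolicy") or "").startswith("Policy-Min-TLS-1-2"):
        findings.append("TLS policy permits versions below 1.2")
    if not node.get("Enabled"):  # in-transit encryption between cluster nodes
        findings.append("node-to-node encryption is disabled")
    if not at_rest.get("Enabled"):
        findings.append("encryption at rest is disabled")
    elif customer_managed_key is False:
        findings.append("encryption at rest uses an AWS-owned key")
    return findings

# Constructed sample: a development-style public domain.
DEV_DOMAIN = {
    "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": True},
    "DomainEndpointOptions": {"EnforceHTTPS": True,
                              "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"},
    "EncryptionAtRestOptions": {"Enabled": True},
    "NodeToNodeEncryptionOptions": {"Enabled": True},
}
# Constructed sample: a VPC domain matching the production recommendations.
PROD_DOMAIN = {
    "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": False},
    "DomainEndpointOptions": {"EnforceHTTPS": True,
                              "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"},
    "EncryptionAtRestOptions": {"Enabled": True, "KmsKeyId": "<kms-key-arn-placeholder>"},
    "NodeToNodeEncryptionOptions": {"Enabled": True},
    "VPCOptions": {"VPCId": "vpc-EXAMPLE"},
}
```

Treating the internal user database as a finding reflects the production recommendation in the list above; for a public development domain it is one of the two supported options.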


