Cross-Region Setup
OpenSearch UI can access data from OpenSearch domains in different AWS accounts and different AWS Regions. There are two approaches, cross-account data access and cross-cluster search, each with different capabilities and trade-offs.
Approach comparison
| Aspect | Cross-account data access | Cross-cluster search |
|---|---|---|
| Mechanism | Direct — OpenSearch UI connects to the target domain in another account | Indirect — requires a local domain to relay requests to remote domains |
| Cross-account support | ✅ Yes | ✅ Yes |
| Cross-Region support | ❌ No — domains must be in the same Region | ✅ Yes — domains can be in different Regions |
| Union data across domains | ❌ No — each domain is queried independently | ✅ Yes — a single query can aggregate results from multiple domains |
| Authentication methods | IAM and IAM Identity Center | IAM (with fine-grained access control) |
| Write access to remote domain | ✅ Yes — controlled by the target domain's access policy | ❌ No — read-only access to remote domains |
| Setup complexity | Lower | Higher |
| Data source visibility | Each cross-account domain appears as a separate data source | Remote domains are accessed through the local domain's connection aliases |
Both approaches work only with OpenSearch managed domains. Neither supports OpenSearch Serverless collections.
When to use each approach
Cross-account data access
Choose this when you need to:
- Connect to domains in other AWS accounts within the same Region
- Keep each domain as a separate, independently queryable data source
- Allow write access to the remote domain
- Minimize setup complexity
Cross-cluster search
Choose this when you need to:
- Query domains across different AWS Regions
- Aggregate results from multiple domains in a single query
- Build unified dashboards that combine data from several clusters
Cross-account data access setup
With cross-account data access, you associate a domain from another AWS account as a direct data source in your OpenSearch UI application.
Prerequisites
- An OpenSearch UI application in Account A
- An OpenSearch domain in Account B (same Region)
- IAM permissions to create cross-account roles
Step 1: Create a cross-account IAM role in Account B
In the account that owns the target domain (Account B), create an IAM role that Account A can assume:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_A_ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Attach a permission policy that grants access to the domain:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "es:ESHttp*",
      "Resource": "arn:aws:es:<REGION>:<ACCOUNT_B_ID>:domain/<DOMAIN_NAME>/*"
    }
  ]
}
```
Step 2: Update the target domain's access policy
The domain in Account B needs a resource-based access policy that allows the cross-account role created in Step 1. That role lives in Account B, so its ARN carries Account B's ID:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_B_ID>:role/<CROSS_ACCOUNT_ROLE>"
      },
      "Action": "es:ESHttp*",
      "Resource": "arn:aws:es:<REGION>:<ACCOUNT_B_ID>:domain/<DOMAIN_NAME>/*"
    }
  ]
}
```
Step 3: Associate the cross-account domain in OpenSearch UI
In Account A, add the cross-account domain as a data source:
```bash
aws opensearch update-application \
  --id <APP_ID> \
  --data-sources '[{
    "dataSourceArn": "arn:aws:es:<REGION>:<ACCOUNT_B_ID>:domain/<DOMAIN_NAME>"
  }]' \
  --region <REGION>
```
The cross-account domain will appear as a separate data source in your OpenSearch UI application.
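The three policies in Steps 1 and 2 have to agree with each other (same domain ARN, the role in Account B trusted by Account A, the domain policy naming that exact role), and a wildcard in any of them silently widens who can reach the domain. The following script is an added example, not OpenSearch UI or AWS code: it runs the consistency and least-privilege checks a reviewer would apply before the policies are deployed. The account IDs, role name, domain name and the policies themselves are constructed placeholders.

```python
"""Consistency and least-privilege check for the cross-account policies in
Steps 1 and 2 (hypothetical helper, not part of OpenSearch UI or AWS).
All account IDs, names and policies below are constructed placeholders."""

ACCOUNT_A = "111111111111"              # owns the OpenSearch UI application
ACCOUNT_B = "222222222222"              # owns the target domain
ROLE_NAME = "OpenSearchUICrossAccount"  # role created in Account B in Step 1
DOMAIN_ARN = "arn:aws:es:us-east-1:222222222222:domain/analytics-logs"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/{ROLE_NAME}"

# Constructed policies mirroring Step 1 (trust + permission) and Step 2 (domain).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
    "Action": "sts:AssumeRole"}]}
PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "es:ESHttp*", "Resource": f"{DOMAIN_ARN}/*"}]}
DOMAIN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": "es:ESHttp*", "Resource": f"{DOMAIN_ARN}/*"}]}
# A deliberately loose variant: any principal, any es: action, any resource.
LOOSE_DOMAIN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "es:*", "Resource": "*"}]}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def _aws_principals(stmt):
    """AWS principals of a statement; '*' stands for 'anyone'."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return ["*" if p == "*" else p for p in _as_list(principal.get("AWS"))]
    return []


def check_cross_account_policies(trust, permission, domain, account_a, role_arn, domain_arn):
    """Return a list of findings; an empty list means the three policies agree
    and none of them is wider than the setup above needs."""
    findings = []
    # Step 1 trust policy: only Account A may assume the role.
    for stmt in _allow_statements(trust):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        for p in _aws_principals(stmt):
            if p == "*":
                findings.append("trust policy: wildcard principal lets any account assume the role")
            elif f":{account_a}:" not in p:
                findings.append(f"trust policy: principal {p} is not in Account A")
    # Step 1 permission policy: es:ESHttp* scoped to this one domain.
    for stmt in _allow_statements(permission):
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "es:*"):
                findings.append(f"permission policy: action {action} is wider than es:ESHttp*")
        for res in _as_list(stmt.get("Resource")):
            if not res.startswith(domain_arn):
                findings.append(f"permission policy: resource {res} is not scoped to the domain")
    # Step 2 domain policy: principal must be the Account B role, not an account or '*'.
    for stmt in _allow_statements(domain):
        for p in _aws_principals(stmt):
            if p == "*":
                findings.append("domain policy: wildcard principal; anyone who can reach the endpoint is allowed")
            elif p != role_arn:
                findings.append(f"domain policy: principal {p} is not the cross-account role {role_arn}")
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "es:*"):
                findings.append(f"domain policy: action {action} is wider than es:ESHttp*")
        for res in _as_list(stmt.get("Resource")):
            if not res.startswith(domain_arn):
                findings.append(f"domain policy: resource {res} is not scoped to the domain")
    return findings


if __name__ == "__main__":
    print("good:", check_cross_account_policies(
        TRUST_POLICY, PERMISSION_POLICY, DOMAIN_POLICY, ACCOUNT_A, ROLE_ARN, DOMAIN_ARN))
    for finding in check_cross_account_policies(
            TRUST_POLICY, PERMISSION_POLICY, LOOSE_DOMAIN_POLICY, ACCOUNT_A, ROLE_ARN, DOMAIN_ARN):
        print("loose:", finding)
```

Run it against the policies you are about to apply (after substituting your own IDs) and treat any finding as something to fix before Step 3; a principal that differs from the Step 1 role ARN is the most common cause of the "Can't associate cross-account domain" symptom in the troubleshooting table.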
Cross-cluster search setup
Cross-cluster search lets you query data across connected domains using a local "relay" domain. This is the only approach that supports cross-Region queries.
Architecture overview
```text
OpenSearch UI (Account A, us-east-1)
└── Local Domain (Account A, us-east-1) ← data source
    ├── Connection → Remote Domain (Account B, us-east-1)
    └── Connection → Remote Domain (Account C, eu-west-1)
```
The local domain acts as a gateway: OpenSearch UI queries the local domain, which fans out requests to the connected remote domains.
Prerequisites
- An OpenSearch UI application with a local domain as a data source
- Remote domains in other accounts or Regions
- Fine-grained access control enabled on all domains
Step 1: Create cross-cluster connections
Create a connection from your local domain to each remote domain. You can do this in the OpenSearch Service console:
- Open the OpenSearch Service console
- Select your local domain
- Go to the Connections tab
- Choose Request connection
- Enter the remote domain details (account ID, domain name, Region)
- Submit the request
The remote domain owner must accept the connection request.
Step 2: Configure access policies on remote domains
Each remote domain needs an access policy that allows the cross-cluster connection:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<LOCAL_ACCOUNT_ID>:root"
      },
      "Action": "es:ESHttpGet",
      "Resource": "arn:aws:es:<REMOTE_REGION>:<REMOTE_ACCOUNT_ID>:domain/<REMOTE_DOMAIN>/*"
    }
  ]
}
```
Cross-cluster search provides read-only access. The remote domain policy only needs es:ESHttpGet (not es:ESHttp*).
Step 3: Configure fine-grained access control
If your domains use fine-grained access control, map the cross-cluster connection role to appropriate backend roles on the remote domain. This controls which indexes the local domain can query.
Step 4: Query remote data
Once connections are established, you can query remote indexes using the connection alias:
```json
GET <connection-alias>:<remote-index>/_search
{
  "query": { "match_all": {} }
}
```
You can also create index patterns in OpenSearch UI that reference remote indexes through their connection aliases.
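Two things go wrong most often with the cross-cluster setup above: a query target whose alias is not actually a live connection (the "Index not found" and "Pending" rows in the troubleshooting table), and a remote domain policy that grants more than the read-only access cross-cluster search needs. The script below is an added example, not OpenSearch UI or AWS code: it parses a GET _remote/info response as returned by the local domain, validates an <alias>:<index> target against it before a search is issued, and checks that a remote domain policy stays within read-only actions. The connection aliases, seeds and policies are constructed samples.

```python
"""Hypothetical helpers for the cross-cluster setup (added example, not
OpenSearch UI or AWS code): parse GET _remote/info, validate an
<alias>:<index> query target, and confirm a remote domain policy is read-only.
All sample data below is constructed."""
import json

# Constructed sample of a GET _remote/info response from the local domain:
# one live connection and one whose request the remote owner has not accepted.
REMOTE_INFO = json.loads("""
{
  "logs-acct-b": {"connected": true, "mode": "sniff",
                  "seeds": ["remote-b.example:9300"],
                  "num_nodes_connected": 2, "skip_unavailable": false},
  "logs-eu":     {"connected": false, "mode": "sniff",
                  "seeds": ["remote-c.example:9300"],
                  "num_nodes_connected": 0, "skip_unavailable": false}
}
""")

# Constructed remote domain policies: the first mirrors Step 2 above,
# the second grants es:ESHttp*, which also covers PUT/POST/DELETE.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "es:ESHttpGet",
    "Resource": "arn:aws:es:eu-west-1:333333333333:domain/remote-c/*"}]}
TOO_BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "es:ESHttp*",
    "Resource": "arn:aws:es:eu-west-1:333333333333:domain/remote-c/*"}]}

# es:ESHttpGet is what Step 2 grants; es:ESHttpHead is the only other
# OpenSearch HTTP action that cannot modify data.
READ_ONLY_ACTIONS = {"es:ESHttpGet", "es:ESHttpHead"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def connection_status(remote_info):
    """Map each connection alias to whether the local domain reports it connected."""
    return {alias: bool(info.get("connected")) for alias, info in remote_info.items()}


def resolve_remote_index(target, remote_info):
    """Split '<alias>:<index>' and check the alias is a live connection.
    Returns (status, alias, index); status is 'ok' or the reason it is not.
    Index names cannot contain ':', so the first colon separates the alias."""
    if ":" not in target:
        return ("no-alias", None, target)  # would search the local domain only
    alias, index = target.split(":", 1)
    status = connection_status(remote_info)
    if alias not in status:
        return ("unknown-alias", alias, index)
    if not status[alias]:
        return ("disconnected", alias, index)
    return ("ok", alias, index)


def is_read_only_policy(policy):
    """True if every Allow statement grants only read-only es:ESHttp actions."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in READ_ONLY_ACTIONS:
                return False
    return True


if __name__ == "__main__":
    for target in ("logs-acct-b:app-logs-*", "logs-eu:app-logs-*",
                   "typo:app-logs-*", "app-logs-*"):
        print(target, "->", resolve_remote_index(target, REMOTE_INFO))
    print("Step 2 policy read-only:", is_read_only_policy(READ_ONLY_POLICY))
    print("es:ESHttp* policy read-only:", is_read_only_policy(TOO_BROAD_POLICY))
```

Feed it the real output of GET _remote/info from your local domain: a "disconnected" result for an alias means the connection request is still pending or the remote owner revoked it, and an "unknown-alias" result means the alias in your index pattern does not match any connection.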
Practical tips
Choosing between the two approaches
Ask yourself these questions:
- Do you need to query across Regions? → Cross-cluster search is your only option.
- Do you need to combine results from multiple domains in one query? → Cross-cluster search.
- Do you need write access to the remote domain? → Cross-account data access.
- Do you want the simplest setup? → Cross-account data access.
Network considerations
- Cross-account data access: The OpenSearch UI application connects directly to the remote domain. Ensure the domain's access policy allows the connection.
- Cross-cluster search: Traffic flows between domains. If domains are in VPCs, you may need VPC peering or AWS PrivateLink.
Performance
- Cross-cluster search adds latency because queries are relayed through the local domain.
- Cross-Region queries have higher latency than same-Region queries due to network distance.
- For latency-sensitive dashboards, prefer same-Region data sources when possible.
Troubleshooting
| Symptom | Likely cause | Resolution |
|---|---|---|
| Can't associate cross-account domain | Missing cross-account IAM role or domain access policy | Verify the IAM role trust policy and the domain resource-based policy both allow access from your account |
| Cross-cluster connection stuck in "Pending" | Remote domain owner hasn't accepted the request | The connection request must be accepted by the remote domain's account owner |
| "Index not found" when querying remote domain | Wrong connection alias or index name | Verify the connection alias and remote index name. Use GET _remote/info on the local domain to check connections |
| Timeout errors on cross-Region queries | Network latency or domain capacity | Cross-Region queries are inherently slower. Check that remote domains have sufficient capacity |
| "Access denied" on remote domain | Fine-grained access control not configured | Map the cross-cluster connection role to appropriate backend roles on the remote domain |
| Can't write to remote domain via cross-cluster search | Expected behavior | Cross-cluster search is read-only. Use cross-account data access if you need write access |
Related
- Configuration — Application-level settings and permissions
- IAM Policies Reference — Full permissions reference
- AWS docs: Cross-Region and cross-account data access
- AWS docs: Cross-cluster search