Connect Data Sources

OpenSearch UI acts as a unified interface across multiple data backends. You can associate OpenSearch managed domains, serverless collections, and direct query sources like Amazon S3, CloudWatch Logs, and Security Lake — all within a single application.

Supported data source types

| Data Source Type | ARN Format | Association Method |
| --- | --- | --- |
| OpenSearch managed domain | arn:aws:es:REGION:ACCOUNT:domain/DOMAIN_NAME | Console or CLI |
| OpenSearch Serverless collection | arn:aws:aoss:REGION:ACCOUNT:collection/COLLECTION_ID | Console or CLI |
| Amazon S3 via direct query | Configured through Glue connection | Inside OpenSearch UI |
| CloudWatch Logs | Configured as direct query source | Inside OpenSearch UI |
| Amazon Security Lake | Configured as direct query source | Inside OpenSearch UI |

OpenSearch managed domains and serverless collections are associated at the application level using the console or CLI. Direct query sources (S3, CloudWatch, Security Lake) are configured from within the OpenSearch UI after your application is running.

Associate data sources via the console

  1. Open the Amazon OpenSearch Service console
  2. In the left navigation, choose OpenSearch UI (Dashboards)
  3. Select your application from the list
  4. Choose the Data sources tab
  5. Click Manage data sources
  6. Select the domains or collections you want to associate
  7. Click Save

The console displays all OpenSearch domains and serverless collections in the same region and account. To connect resources from other accounts or regions, see Cross-Account Access.

Associate data sources via the CLI

Use the update-application command to associate one or more data sources:

aws opensearch update-application \
    --id app-abc123def456 \
    --region us-east-1 \
    --data-sources '[
      {
        "dataSourceArn": "arn:aws:es:us-east-1:123456789012:domain/my-domain",
        "dataSourceDescription": "Production logs domain"
      },
      {
        "dataSourceArn": "arn:aws:aoss:us-east-1:123456789012:collection/abc123",
        "dataSourceDescription": "Search collection"
      }
    ]'

To verify the association:

aws opensearch get-application \
    --id app-abc123def456 \
    --region us-east-1

The response includes a dataSources array listing all currently associated sources.

Removing a data source

To remove a data source, call update-application with the updated list that excludes the source you want to remove. The API replaces the entire data source list — it does not merge.

# This replaces ALL data sources — only the ones listed here will remain
aws opensearch update-application \
    --id app-abc123def456 \
    --region us-east-1 \
    --data-sources '[
      {
        "dataSourceArn": "arn:aws:es:us-east-1:123456789012:domain/my-domain",
        "dataSourceDescription": "Production logs domain"
      }
    ]'

Be careful: passing an empty array removes all data sources from the application.
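
Because the list is replaced rather than merged, a removal is safest as a read-modify-write: take the dataSources array from get-application, drop one ARN, and send everything else back. The following is an added example, not code from the OpenSearch project; the function names and the sample response are constructed, and the response is assumed to carry the same dataSourceArn and dataSourceDescription keys that update-application accepts.

```python
import json
import re

# ARN formats from the "Supported data source types" table (aws partition only).
ARN_FORMATS = (
    re.compile(r"arn:aws:es:[a-z0-9-]+:\d{12}:domain/[^/\s]+"),
    re.compile(r"arn:aws:aoss:[a-z0-9-]+:\d{12}:collection/[^/\s]+"),
)

# Constructed sample of a get-application response, trimmed to the fields used here.
SAMPLE_RESPONSE = {
    "id": "app-abc123def456",
    "dataSources": [
        {"dataSourceArn": "arn:aws:es:us-east-1:123456789012:domain/my-domain",
         "dataSourceDescription": "Production logs domain"},
        {"dataSourceArn": "arn:aws:aoss:us-east-1:123456789012:collection/abc123",
         "dataSourceDescription": "Search collection"},
    ],
}


def plan_removal(response, arn_to_remove, allow_empty=False):
    """Build the complete replacement list with exactly one source removed."""
    current = response.get("dataSources", [])
    if arn_to_remove not in [s["dataSourceArn"] for s in current]:
        raise ValueError(f"not associated, nothing to remove: {arn_to_remove}")
    remaining = []
    for source in current:
        arn = source["dataSourceArn"]
        if arn == arn_to_remove:
            continue
        if not any(fmt.fullmatch(arn) for fmt in ARN_FORMATS):
            raise ValueError(f"unexpected ARN format, review by hand: {arn}")
        # Copy only the keys that update-application takes on this page.
        remaining.append({k: source[k] for k in
                          ("dataSourceArn", "dataSourceDescription") if k in source})
    if not remaining and not allow_empty:
        raise ValueError("refusing to send []: that detaches every data source")
    return remaining


def as_cli_argument(remaining):
    """Serialize the list for the --data-sources option."""
    return json.dumps(remaining)


if __name__ == "__main__":
    print(as_cli_argument(plan_removal(
        SAMPLE_RESPONSE, "arn:aws:aoss:us-east-1:123456789012:collection/abc123")))
```

The printed JSON is the value to pass to --data-sources; removing the last remaining source requires allow_empty=True as an explicit decision.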

Direct query data sources (S3, CloudWatch, Security Lake)

Direct query sources let you query data in place without ingesting it into OpenSearch. These are configured from within the OpenSearch UI, not through the update-application API.

Setting up a direct query source

  1. Launch your OpenSearch UI application
  2. Navigate to Data sources in the left navigation
  3. Click Create data source connection
  4. Choose the source type (Amazon S3, CloudWatch Logs, or Security Lake)
  5. Provide the required connection details (Glue database, IAM role, etc.)
  6. Test the connection and save

Prerequisites for direct query

  • An AWS Glue database and table that catalogs your S3 data (for S3 sources)
  • An IAM role that grants OpenSearch permission to read from the source
  • The OpenSearch domain associated with your application must be running engine version 2.13 or later

Example: querying S3 data with PPL

Once configured, you can query S3 data directly using PPL:

source = my_s3_glue_table
| where year = 2025 AND month = 6
| stats count() as request_count by status_code
| sort - request_count

VPC considerations

If your OpenSearch domain is in a VPC, you need to authorize the OpenSearch UI service to access it through a VPC endpoint. Without this step, the application cannot reach the domain.

For managed domains:

aws opensearch authorize-vpc-endpoint-access \
    --domain-name my-vpc-domain \
    --service application.opensearchservice.amazonaws.com \
    --region us-east-1

For serverless collections, create a network policy that allows the OpenSearch UI service:

[
  {
    "Description": "Allow OpenSearch UI access",
    "Rules": [
      {
        "ResourceType": "collection",
        "Resource": ["collection/my-collection"]
      }
    ],
    "SourceServices": [
      "application.opensearchservice.amazonaws.com"
    ],
    "AllowFromPublic": false
  }
]

See VPC Access for the full setup guide.
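
A network policy document can be checked before it is applied. The following is an added example, not part of the original page or of AWS tooling: it reports whether a given collection is covered by a statement, whether the OpenSearch UI service appears in SourceServices, and whether AllowFromPublic is enabled. The function name and both policy documents are constructed, and treating `*` in Resource as a wildcard is an assumption of this sketch.

```python
from fnmatch import fnmatchcase

UI_SERVICE = "application.opensearchservice.amazonaws.com"

# Constructed policy documents: the page's policy, and a weaker variant.
PAGE_POLICY = [{
    "Description": "Allow OpenSearch UI access",
    "Rules": [{"ResourceType": "collection", "Resource": ["collection/my-collection"]}],
    "SourceServices": [UI_SERVICE],
    "AllowFromPublic": False,
}]
WEAK_POLICY = [{
    "Description": "Constructed counter-example",
    "Rules": [{"ResourceType": "collection", "Resource": ["collection/my-*"]}],
    "AllowFromPublic": True,
}]


def audit_network_policy(policy, collection_name):
    """Return findings for one collection; an empty list matches the page's setup."""
    target = f"collection/{collection_name}"
    covering = []
    findings = []
    for index, statement in enumerate(policy):
        patterns = [
            resource
            for rule in statement.get("Rules", [])
            if rule.get("ResourceType") == "collection"
            for resource in rule.get("Resource", [])
        ]
        # Assumption: * in Resource is a wildcard; fnmatch models that here.
        if not any(fnmatchcase(target, pattern) for pattern in patterns):
            continue
        covering.append(statement)
        if statement.get("AllowFromPublic", False):
            findings.append(f"statement {index}: AllowFromPublic is true for {target}")
    if not covering:
        findings.append(f"no statement covers {target}")
    elif not any(UI_SERVICE in s.get("SourceServices", []) for s in covering):
        findings.append(f"{UI_SERVICE} is not listed in SourceServices for {target}")
    return findings


if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_network_policy(policy, "my-collection"))
```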

Required IAM permissions

The IAM principal creating or updating the application needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "es:UpdateApplication",
        "es:GetApplication",
        "es:ListDataSources"
      ],
      "Resource": "arn:aws:es:us-east-1:123456789012:application/app-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "es:DescribeDomain",
        "es:DescribeDomains"
      ],
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "aoss:BatchGetCollection"
      ],
      "Resource": "arn:aws:aoss:us-east-1:123456789012:collection/*"
    }
  ]
}

Troubleshooting

Data source not appearing in the console

  • Confirm the domain or collection is in the same region as your application
  • Verify the domain status is Active (not creating or processing)
  • Check that your IAM user has es:DescribeDomains or aoss:BatchGetCollection permissions

"Access denied" when associating a data source

  • The domain's access policy must allow the OpenSearch UI service principal
  • For VPC domains, ensure you've run authorize-vpc-endpoint-access
  • For serverless collections, verify the data access policy includes the application's IAM role

Data source shows as "Unhealthy"

  • The domain may be in a degraded state — check the domain's health in the OpenSearch Service console
  • There may be network connectivity issues between the application and a VPC domain
  • The domain's access policy may have been modified after association

Direct query source fails to connect

  • Verify the Glue database and table exist and are accessible
  • Check that the IAM role used for direct query has the required permissions (glue:GetTable, s3:GetObject, etc.)
  • Ensure the OpenSearch domain version is 2.13 or later