Enterprise Administration

Managing OpenSearch UI at scale requires thoughtful organization of applications, workspaces, and access controls. This guide covers strategies for enterprise teams managing multiple applications across departments, with guidance on delegation, tagging, and cost management.

Multi-application architecture

Large organizations often run multiple OpenSearch UI applications — one per business unit, environment, or region. Here's a common pattern:

Organization
├── Application: "Production Monitoring"
│   ├── Workspace: SRE Observability
│   ├── Workspace: Security Operations
│   └── Workspace: Executive Dashboards
├── Application: "Staging Environment"
│   ├── Workspace: QA Team
│   └── Workspace: Dev Observability
└── Application: "Data Analytics"
    ├── Workspace: Business Intelligence
    └── Workspace: Data Science

When to use separate applications

Scenario                                       | Recommendation
-----------------------------------------------|------------------------------------------
Different environments (prod/staging/dev)      | Separate applications
Different business units with no shared data   | Separate applications
Teams that share data sources                  | Single application, separate workspaces
Compliance isolation requirements              | Separate applications
Different authentication methods needed        | Separate applications
Cost attribution per department                | Separate applications with tags

Admin vs. collaborator roles

OpenSearch UI has two levels of access at the application level:

Application admins

  • Create and delete the application
  • Associate and remove data sources
  • Manage application-level settings
  • Access all workspaces within the application
  • Add other admins

The IAM principal that creates the application is automatically the first admin.

Adding additional admins

aws opensearch update-application \
    --id app-abc123def456 \
    --region us-east-1 \
    --app-configs '[
      {
        "key": "opensearchDashboards.dashboardAdmin.users",
        "value": "arn:aws:iam::123456789012:role/AdminRole"
      }
    ]'

Workspace collaborators

Collaborators are added at the workspace level with granular permissions:

Permission Level | Can View | Can Edit | Can Manage Settings
-----------------|----------|----------|--------------------
Read only        | Yes      | No       | No
Read and write   | Yes      | Yes      | No
Admin            | Yes      | Yes      | Yes

Delegating workspace administration

For large teams, delegate workspace management to team leads:

  1. Create the application with a central admin IAM role
  2. Create workspaces for each team
  3. Add team leads as workspace Admins
  4. Team leads can then:
    • Add/remove collaborators in their workspace
    • Configure workspace data sources (from the application's associated sources)
    • Manage saved objects (dashboards, index patterns, etc.)
    • Customize workspace settings

This model lets central IT maintain control over the application and data source associations while giving teams autonomy over their workspace.

Multi-team workspace organization

Naming conventions

Establish a consistent naming convention for workspaces:

Format: <Team> - <Purpose> [<Environment>]
 
Examples:
  "SRE - Production Observability"
  "Security - Threat Hunting"
  "Platform - Search Relevance [Staging]"
  "Finance - Business Analytics"
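The convention above is only useful if it is enforced, for example by a script that audits workspace names before a quarterly access review. The following parser is an added example, not OpenSearch UI or AWS code; the allowed environment names in brackets (Production, Staging, Development) are an assumption taken from the tag schema later on this page, and the sample names are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumption: the bracketed environment suffix must be one of these values.
ALLOWED_ENVIRONMENTS = {"Production", "Staging", "Development"}

# "<Team> - <Purpose> [<Environment>]": team and purpose are words separated by
# single spaces; the hyphen must have a space on each side; the suffix is optional.
WORD_RUN = r"[A-Za-z0-9]+(?: [A-Za-z0-9]+)*"
NAME_PATTERN = re.compile(
    rf"^(?P<team>{WORD_RUN}) - (?P<purpose>{WORD_RUN})"
    r"(?: \[(?P<env>[A-Za-z]+)\])?$"
)


class WorkspaceName(NamedTuple):
    team: str
    purpose: str
    environment: Optional[str]  # None when no "[<Environment>]" suffix is present


def parse_workspace_name(name: str) -> Optional[WorkspaceName]:
    """Return the parsed parts, or None if the name does not follow the convention."""
    match = NAME_PATTERN.match(name)
    if match is None:
        return None
    env = match.group("env")
    if env is not None and env not in ALLOWED_ENVIRONMENTS:
        return None  # e.g. "[Sandbox]" is not an agreed environment label
    return WorkspaceName(match.group("team"), match.group("purpose"), env)


def audit_workspace_names(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split workspace names into (conforming, non-conforming) lists."""
    conforming, non_conforming = [], []
    for name in names:
        (conforming if parse_workspace_name(name) else non_conforming).append(name)
    return conforming, non_conforming


if __name__ == "__main__":
    # Constructed sample: the page's examples plus a few names that break the rule.
    SAMPLE_NAMES = [
        "SRE - Production Observability",
        "Security - Threat Hunting",
        "Platform - Search Relevance [Staging]",
        "Finance - Business Analytics",
        "sre prod",                            # no " - " separator
        "Finance-Business Analytics",          # hyphen without surrounding spaces
        "Security - Threat Hunting [Sandbox]", # unknown environment label
    ]
    ok, bad = audit_workspace_names(SAMPLE_NAMES)
    print("conforming:", ok)
    print("non-conforming:", bad)
```

Run it as a script to see the split, or import `audit_workspace_names` and feed it the names returned by your workspace listing.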

Data source scoping per team

Team             | Workspace Type      | Data Sources                        | Access Level
-----------------|---------------------|-------------------------------------|-------------
SRE              | Observability       | logs-prod, apm-prod, metrics-prod   | Read/Write
Security         | Security Analytics  | siem-prod, security-lake            | Read/Write
Executives       | Essentials          | logs-prod (read-only dashboards)    | Read Only
Data Engineering | Analytics           | All data sources                    | Admin
QA               | Observability       | logs-staging, apm-staging           | Read/Write

Tagging strategies

Use AWS tags on your OpenSearch UI applications for cost allocation, access control, and organization.

Applying tags

aws opensearch add-tags \
    --arn arn:aws:es:us-east-1:123456789012:application/app-abc123def456 \
    --tag-list '[
      {"Key": "Environment", "Value": "Production"},
      {"Key": "Team", "Value": "Platform"},
      {"Key": "CostCenter", "Value": "CC-1234"},
      {"Key": "Project", "Value": "Observability"}
    ]'

Recommended tag schema

Tag Key            | Example Values                      | Purpose
-------------------|-------------------------------------|---------------------------
Environment        | Production, Staging, Development    | Environment identification
Team               | SRE, Security, DataEng              | Team ownership
CostCenter         | CC-1234, CC-5678                    | Cost allocation
Project            | Observability, SIEM, Search         | Project tracking
ManagedBy          | Terraform, CloudFormation, Manual   | IaC tracking
DataClassification | Public, Internal, Confidential      | Compliance

Tag-based IAM policies

Restrict who can manage applications based on tags:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "es:UpdateApplication",
        "es:GetApplication"
      ],
      "Resource": "arn:aws:es:us-east-1:123456789012:application/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Team": "SRE"
        }
      }
    }
  ]
}
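Because `aws:ResourceTag` conditions compare tag keys and values exactly, a tag that drifts from the schema (wrong case, misspelled value) silently changes who can administer an application. The script below is an added example, not AWS or OpenSearch UI code: it checks a tag list against the recommended schema from the table above and then evaluates the page's policy against constructed applications with different tags. The evaluator handles only the `Allow` / `StringEquals` / `aws:ResourceTag` shape the page's policy uses, not general IAM semantics; the required-tag set and the sample application ARNs are assumptions.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set

# Mirrors the "Recommended tag schema" table; None means free text.
TAG_SCHEMA: Dict[str, Optional[Set[str]]] = {
    "Environment": {"Production", "Staging", "Development"},
    "Team": None,
    "CostCenter": None,
    "Project": None,
    "ManagedBy": {"Terraform", "CloudFormation", "Manual"},
    "DataClassification": {"Public", "Internal", "Confidential"},
}
# Assumption: the minimum set needed for cost allocation and tag-based access control.
REQUIRED_TAGS = {"Environment", "Team", "CostCenter"}


def validate_tags(tag_list: List[Dict[str, str]]) -> List[str]:
    """Check a tag list in the AWS [{"Key": ..., "Value": ...}] shape; return findings."""
    tags = {t["Key"]: t["Value"] for t in tag_list}
    findings = []
    for key in tags:
        if key in TAG_SCHEMA:
            continue
        # Tag keys are case-sensitive: "environment" is not "Environment".
        near = next((k for k in TAG_SCHEMA if k.lower() == key.lower()), None)
        findings.append(f"tag key {key!r} differs only in case from {near!r}"
                        if near else f"unknown tag key {key!r}")
    for key in sorted(REQUIRED_TAGS - tags.keys()):
        findings.append(f"missing required tag {key!r}")
    for key, allowed in TAG_SCHEMA.items():
        if allowed and key in tags and tags[key] not in allowed:
            findings.append(f"tag {key!r}={tags[key]!r} not in {sorted(allowed)}")
    return findings


def policy_allows(policy: dict, action: str, resource_arn: str,
                  resource_tags: Dict[str, str]) -> bool:
    """Evaluate Allow statements with StringEquals on aws:ResourceTag/<key>.

    Deliberately minimal: no Deny handling, no other condition operators,
    no policy variables. Enough to reason about the policy on this page.
    """
    prefix = "aws:ResourceTag/"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if not fnmatchcase(resource_arn, stmt["Resource"]):  # IAM '*' matches any chars
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # StringEquals is case-sensitive on both key and value.
        if all(resource_tags.get(k[len(prefix):]) == v
               for k, v in conditions.items() if k.startswith(prefix)):
            return True
    return False


# The policy from the page, as a dict.
SRE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["es:UpdateApplication", "es:GetApplication"],
        "Resource": "arn:aws:es:us-east-1:123456789012:application/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/Team": "SRE"}},
    }]
}

# Constructed applications; only the first carries the tag the policy expects.
SAMPLE_APPS = {
    "arn:aws:es:us-east-1:123456789012:application/app-abc123def456": {"Team": "SRE"},
    "arn:aws:es:us-east-1:123456789012:application/app-sec000000001": {"Team": "Security"},
    "arn:aws:es:us-east-1:123456789012:application/app-lower0000001": {"Team": "sre"},
}


def updatable_apps(policy: dict, apps: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the ARNs the policy lets a principal call es:UpdateApplication on."""
    return [arn for arn, tags in apps.items()
            if policy_allows(policy, "es:UpdateApplication", arn, tags)]


if __name__ == "__main__":
    print(validate_tags([{"Key": "environment", "Value": "prod"}]))
    print(updatable_apps(SRE_POLICY, SAMPLE_APPS))
```

The `Team=sre` application is excluded even though a human would read it as the SRE team's, which is exactly the kind of drift the tag validator is meant to catch before it turns into an access problem.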

Cost management

Understanding OpenSearch UI costs

OpenSearch UI applications themselves do not incur a separate charge. Costs come from:

Cost Component               | Source                            | How to Optimize
-----------------------------|-----------------------------------|---------------------------------------------
OpenSearch domain instances  | Associated managed domains        | Right-size instances, use reserved instances
Serverless OCUs              | Associated serverless collections | Configure min/max OCU capacity
Data transfer                | Cross-region/cross-account queries| Minimize cross-region data sources
Storage                      | Index data on domains             | Use ISM policies for lifecycle management
Direct query                 | S3/CloudWatch query compute       | Optimize query patterns, use partitioning

Cost allocation with tags

  1. Apply CostCenter tags to each application
  2. Enable cost allocation tags in AWS Billing
  3. Use AWS Cost Explorer to filter by tag
  4. Set up AWS Budgets alerts per cost center

Reducing costs

  • Delete unused workspaces — They don't cost directly, but unused dashboards may trigger unnecessary queries
  • Remove unused data source associations — Reduces the blast radius of accidental queries
  • Use ISM policies on domains to automatically delete or archive old indices
  • Right-size domains — Monitor CloudWatch metrics and adjust instance types
  • Use serverless for bursty workloads — Pay only for what you use

Infrastructure as Code

Terraform

resource "aws_opensearch_application" "main" {
  name = "production-monitoring"
 
  app_configs {
    key   = "opensearchDashboards.dashboardAdmin.users"
    value = "arn:aws:iam::123456789012:role/AdminRole"
  }
 
  data_sources {
    data_source_arn         = aws_opensearch_domain.logs.arn
    data_source_description = "Production logs"
  }
 
  data_sources {
    data_source_arn         = aws_opensearch_domain.apm.arn
    data_source_description = "APM traces"
  }
 
  tags = {
    Environment = "Production"
    Team        = "Platform"
    CostCenter  = "CC-1234"
  }
}

CloudFormation

Resources:
  MonitoringApp:
    Type: AWS::OpenSearchService::Application
    Properties:
      Name: production-monitoring
      DataSources:
        - DataSourceArn: !GetAtt LogsDomain.Arn
          DataSourceDescription: "Production logs"
        - DataSourceArn: !GetAtt ApmDomain.Arn
          DataSourceDescription: "APM traces"
      Tags:
        - Key: Environment
          Value: Production
        - Key: Team
          Value: Platform

Monitoring and auditing

CloudTrail events

All OpenSearch UI API calls are logged in CloudTrail:

  • CreateApplication
  • UpdateApplication
  • DeleteApplication
  • GetApplication
  • ListApplications

Filter CloudTrail events to audit application changes:

aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateApplication \
    --start-time 2025-06-01 \
    --end-time 2025-06-30
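The `lookup-events` output is mostly useful once you filter it for the changes that matter: who added or replaced application admins, and who deleted an application. The script below is an added example, not AWS code, and runs over constructed CloudTrail records rather than a live account. The outer `Events` / `CloudTrailEvent` wrapping and the `userIdentity.sessionContext.sessionIssuer` shape are standard CloudTrail; the assumption is that `requestParameters` for `UpdateApplication` mirrors the CLI parameters (`id`, `appConfigs`), and the set of central admin roles is a placeholder.

```python
import json
from typing import Dict, List

ADMIN_CONFIG_KEY = "opensearchDashboards.dashboardAdmin.users"  # app config key from the page
# Assumption: only these roles are expected to change the application admin list.
CENTRAL_ADMIN_ROLES = {"arn:aws:iam::123456789012:role/AdminRole"}


def caller_role(user_identity: Dict) -> str:
    """Collapse an assumed-role session to the role ARN that issued it."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or user_identity.get("arn", "unknown")


def review_application_events(lookup_output: Dict) -> List[str]:
    """Return one finding per admin-list change or application deletion.

    Takes the dict form of `aws cloudtrail lookup-events` output, where each
    event's detail is a JSON string under "CloudTrailEvent".
    """
    findings = []
    for event in lookup_output.get("Events", []):
        detail = json.loads(event["CloudTrailEvent"])
        name = detail.get("eventName")
        params = detail.get("requestParameters") or {}
        caller = caller_role(detail.get("userIdentity", {}))
        app_id = params.get("id", "?")
        when = detail.get("eventTime", "?")
        if name == "DeleteApplication":
            findings.append(f"{when} {caller} deleted application {app_id}")
        elif name == "UpdateApplication":
            for cfg in params.get("appConfigs", []):
                if cfg.get("key") != ADMIN_CONFIG_KEY:
                    continue  # data source or other setting changes are not admin changes
                note = "" if caller in CENTRAL_ADMIN_ROLES else " (caller is not a central admin role)"
                findings.append(f"{when} {caller} set admins of {app_id} to {cfg.get('value')}{note}")
    return findings


def _record(event_time: str, name: str, role: str, params: Dict) -> Dict:
    """Build a constructed lookup-events record for an assumed-role caller."""
    detail = {
        "eventTime": event_time,
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/session",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "arn": f"arn:aws:iam::123456789012:role/{role}"}},
        },
        "requestParameters": params,
    }
    return {"EventName": name, "CloudTrailEvent": json.dumps(detail)}


# Constructed sample: the admin set up on the page, a routine data source change,
# an admin change by a role that should not be doing it, a read, and a deletion.
SAMPLE_LOOKUP_OUTPUT = {"Events": [
    _record("2025-06-02T09:00:00Z", "UpdateApplication", "AdminRole",
            {"id": "app-abc123def456",
             "appConfigs": [{"key": ADMIN_CONFIG_KEY,
                             "value": "arn:aws:iam::123456789012:role/AdminRole"}]}),
    _record("2025-06-10T14:30:00Z", "UpdateApplication", "DevRole",
            {"id": "app-abc123def456",
             "dataSources": [{"dataSourceArn": "arn:aws:es:us-east-1:123456789012:domain/apm"}]}),
    _record("2025-06-15T23:45:00Z", "UpdateApplication", "DevRole",
            {"id": "app-abc123def456",
             "appConfigs": [{"key": ADMIN_CONFIG_KEY,
                             "value": "arn:aws:iam::123456789012:role/DevRole"}]}),
    _record("2025-06-20T08:00:00Z", "GetApplication", "DevRole", {"id": "app-abc123def456"}),
    _record("2025-06-28T17:10:00Z", "DeleteApplication", "AdminRole", {"id": "app-stg000000001"}),
]}


if __name__ == "__main__":
    for line in review_application_events(SAMPLE_LOOKUP_OUTPUT):
        print(line)
```

To use it on real output, pipe `aws cloudtrail lookup-events ... --output json` into `json.load` and pass the result to `review_application_events`; the third sample event is the one that should trigger a follow-up, since a non-central role changed the admin list outside business hours.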

CloudWatch metrics

Monitor application health through CloudWatch metrics on the associated domains:

  • ClusterStatus.green / ClusterStatus.yellow / ClusterStatus.red
  • SearchRate and SearchLatency
  • CPUUtilization and JVMMemoryPressure

Troubleshooting

Team can't access their workspace

  • Verify the collaborator ARN is correct (IAM user, role, or SAML group)
  • Check that the workspace is not set to Private without the team being listed
  • For SAML users, confirm the IdP is sending the correct group attribute

Application creation fails for delegated admin

  • The IAM role needs es:CreateApplication permission
  • Check for SCP restrictions in AWS Organizations
  • Verify the role has permissions for any VPC-related actions if using VPC domains

Tags not appearing in Cost Explorer

  • Cost allocation tags must be activated in the AWS Billing console
  • It can take up to 24 hours for new tags to appear in cost reports
  • Verify the tag key matches exactly (tags are case-sensitive)