# Amazon OpenSearch Service
AWS Systems Manager Automation provides predefined runbooks for Amazon OpenSearch Service. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json).
**Topics**
+ [
# `AWSConfigRemediation-DeleteOpenSearchDomain`
](automation-aws-delete-opensearch-domain.md)
+ [
# `AWSConfigRemediation-EnforceHTTPSOnOpenSearchDomain`
](automation-aws-enforce-https-opensearch.md)
+ [
# `AWSConfigRemediation-UpdateOpenSearchDomainSecurityGroups`
](automation-aws-update-opensearch-security-group.md)
+ [
# `AWSSupport-TroubleshootOpenSearchRedYellowCluster`
](automation-troubleshoot-opensearch-red-yellow-cluster.md)
+ [
# `AWSSupport-TroubleshootOpenSearchHighCPU`
](automation-troubleshoot-opensearch-high-cpu.md)
# `AWSConfigRemediation-DeleteOpenSearchDomain`
**Description**
The `AWSConfigRemediation-DeleteOpenSearchDomain` runbook deletes the given Amazon OpenSearch Service domain using the [DeleteDomain](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/configuration-api.html#configuration-api-actions-deletedomain) API.
[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-DeleteOpenSearchDomain)
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
+ DomainName
Type: String
Allowed values: (\$1d\$112\$1/)?[a-z]\$11\$1[a-z0-9-]\$12,28\$1
Description: (Required) The name of the Amazon OpenSearch Service domain that you want to delete.
+ AutomationAssumeRole
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `es:DeleteDomain`
+ `es:DescribeDomain`
**Document Steps**
+ `aws:executeScript` - Accepts the Amazon OpenSearch Service domain name as input, deletes it, and verifies the deletion.
# `AWSConfigRemediation-EnforceHTTPSOnOpenSearchDomain`
**Description**
The `AWSConfigRemediation-EnforceHTTPSOnOpenSearchDomain` runbook enables `EnforceHTTPS` on a given Amazon OpenSearch Service domain using the [UpdateDomainConfig](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/configuration-api.html#configuration-api-actions-updatedomainconfig) API.
[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnforceHTTPSOnOpenSearchDomain)
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
+ DomainName
Type: String
Allowed values: (\$1d\$112\$1/)?[a-z]\$11\$1[a-z0-9-]\$12,28\$1
Description: (Required) The name of the Amazon OpenSearch Service domain that you want to use to enforce HTTPS.
+ AutomationAssumeRole
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `es:DescribeDomain`
+ `es:UpdateDomainConfig`
**Document Steps**
+ `aws:executeScript` - Enables the `EnforceHTTPS` endpoint option on the Amazon OpenSearch Service domain you specify in the `DomainName` parameter.
# `AWSConfigRemediation-UpdateOpenSearchDomainSecurityGroups`
**Description**
The `AWSConfigRemediation-UpdateOpenSearchDomainSecurityGroups` runbook updates the security group configuration on a given Amazon OpenSearch Service domain using the [UpdateDomainConfig](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/configuration-api.html#configuration-api-actions-updatedomainconfig) API.
**Note**
AWS Security groups can only be applied to Amazon OpenSearch Service domains configured for Amazon Virtual Private Cloud (VPC) Access, and not to Amazon OpenSearch Service domains configured for Public Access.
[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-UpdateOpenSearchDomainSecurityGroups)
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
+ DomainName
Type: String
Description: (Required) The name of the Amazon OpenSearch Service domain that you want to use to update security groups.
+ SecurityGroupList
Type: StringList
Description: (Required) The security group IDs that you want to assign to the Amazon OpenSearch Service domain.
+ AutomationAssumeRole
Type: String
Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `es:DescribeDomain`
+ `es:UpdateDomainConfig`
**Document Steps**
+ `aws:executeScript` - Updates the security group configuration on the Amazon OpenSearch Service domain you specify in the `DomainName` parameter.
# `AWSSupport-TroubleshootOpenSearchRedYellowCluster`
**Description**
`AWSSupport-TroubleshootOpenSearchRedYellowCluster` automation runbook is used to identify the cause for [red](https://docs.aws.amazon.com//opensearch-service/latest/developerguide/handling-errors.html#handling-errors-red-cluster-status) or [yellow](https://docs.aws.amazon.com//opensearch-service/latest/developerguide/handling-errors.html#handling-errors-yellow-cluster-status) cluster health status and guide you through changing the cluster back to green.
**How does it work?**
The runbook `AWSSupport-TroubleshootOpenSearchRedYellowCluster` helps you troubleshoot the cause of red or yellow cluster and provides the next steps to resolve this issue by analyzing the cluster configuration and resource utilization.
The runbook performs the following steps:
+ Calls the [DescribeDomain](https://docs.aws.amazon.com//opensearch-service/latest/APIReference/API_DescribeDomain.html) API against the target domain to get the cluster configuration.
+ Checks if the OpenSearch Service domain is internet-based (public) or [Amazon Virtual Private Cloud (VPC)-based](https://docs.aws.amazon.com//opensearch-service/latest/developerguide/vpc.html).
+ Creates a public or [Amazon VPC-based](https://docs.aws.amazon.com//lambda/latest/dg/foundation-networking.html) AWS Lambda function depending on the cluster configuration. Note: The Lambda function contains the troubleshooting code that run the OpenSearch Service APIs against the cluster to determine why the cluster is in red or yellow state.
+ Deletes the Lambda function.
+ Displays the checks performed and the next recommended steps to resolve the red or yellow cluster issue.
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `cloudformation:CreateStack`
+ `cloudformation:DescribeStacks`
+ `cloudformation:DescribeStackEvents`
+ `cloudformation:DeleteStack`
+ `lambda:CreateFunction`
+ `lambda:DeleteFunction`
+ `lambda:InvokeFunction`
+ `lambda:GetFunction`
+ `es:DescribeDomain`
+ `es:DescribeDomainConfig`
+ `ec2:DescribeSecurityGroups`
+ `ec2:DescribeSubnets`
+ `ec2:DescribeVpcs`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:CreateNetworkInterface`
+ `ec2:DeleteNetworkInterface`
+ `ec2:DescribeInstances`
+ `ec2:AttachNetworkInterface`
+ `cloudwatch:GetMetricData`
+ `iam:PassRole`
The `LambdaExecutionRole` parameter requires the following actions to successfully use the runbook:
+ `es:ESHttpGet`
+ `ec2:CreateNetworkInterface`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:DeleteNetworkInterface`
Overview of `LambdaExecutionRole` policy:
The following is an example of a Lambda function's execution role (AWS Identity and Access Management (IAM) role) that grants the function permission to access AWS services and resources required by this runbook. For more information, see [Lambda execution role](https://docs.aws.amazon.com//lambda/latest/dg/lambda-intro-execution-role.html).
**Note**
The `ec2:DescribeNetworkInterfaces`, `ec2:CreateNetworkInterface`, and `ec2:DeleteNetworkInterface` are only required if your OpenSearch Service cluster is [Amazon VPC-based](https://docs.aws.amazon.com//opensearch-service/latest/developerguide/vpc.html) to allow the Lambda function to create and manage the Amazon VPC network interfaces. For more information, see [Connecting outbound networking to resources in a Amazon VPC](https://docs.aws.amazon.com//lambda/latest/dg/configuration-vpc.html#vpc-permissions) and [Lambda execution role](https://docs.aws.amazon.com//lambda/latest/dg/lambda-intro-execution-role.html).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "es:ESHttpGet",
"Resource": [
"arn:aws:es:us-east-1:111122223333:domain/domain-name/",
"arn:aws:es:us-east-1:111122223333:domain/domain-name/_cluster/health",
"arn:aws:es:us-east-1:111122223333:domain/domain-name/_cat/indices",
"arn:aws:es:us-east-1:111122223333:domain/domain-name/_cat/allocation",
"arn:aws:es:us-east-1:111122223333:domain/domain-name/_cluster/allocation/explain"
]
},
{
"Condition": {
"ArnLikeIfExists": {
"ec2:Vpc": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc_id"
}
},
"Action": [
"ec2:DeleteNetworkInterface",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:UnassignPrivateIpAddresses",
"ec2:AssignPrivateIpAddresses"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
```
------
**Instructions**
Follow these steps to configure the automation:
1. Navigate to the [AWSSupport-TroubleshootOpenSearchRedYellowCluster](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootOpenSearchRedYellowCluster/description) in the AWS Systems Manager console.
1. Select Execute automation.
1. For the input parameters enter the following:
+ **AutomationAssumeRole (Optional):**
The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ **LambdaExecutionRole (Required):**
The ARN of the IAM role that Lambda will use to sign requests to your Amazon OpenSearch Service cluster.
+ **DomainName (Required):**
The name of the OpenSearch Service domain with red or yellow cluster health status.
+ **UtilizationThreshold (Optional):**
The utilization threshold percentage used to compare the CPUUtilization and JVMMemoryPressure metrics. Default value is 80.
![\[Input parameters form for AWS Systems Manager Automation with IAM roles and domain settings.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-opensearch-red-yellow-cluster_input_paramters.png)
1. If you have enabled [fine-grained access control](https://docs.aws.amazon.com//opensearch-service/latest/developerguide/fgac.html) on an OpenSearch Service cluster, make sure that the `LambdaExecutionRole` role arn is mapped to a role with at least `cluster_monitor` permission.
![\[Cluster permissions section showing cluster_monitor permission granted.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-opensearch-red-yellow-cluster_permissions.png)
![\[Backend roles interface showing an AWSIAM role for Lambda execution and options to remove or add roles.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-opensearch-red-yellow-cluster_backend_roles.png)
1. Select Execute.
1. The automation initiates.
1. The automation runbook performs the following steps:
+ **GetClusterConfiguration:**
Fetches the OpenSearch Service cluster configuration.
+ **CreateAWSLambdaFunctionStack:**
Creates a temporary Lambda function in your account using CloudFormation. The Lambda function is used to run the OpenSearch Service APIs.
+ **WaitForAWSLambdaFunctionStack:**
Waits for the CloudFormation stack to complete.
+ **GetClusterMetricsFromCloudWatch:**
Gets the Amazon CloudWatch ClusterStatus, CPUUtilization, and JVMMemoryPressure OpenSearch Service cluster related metrics and its creation date.
+ **RunOpenSearchAPIs:**
Uses the Lambda function to call the OpenSearch Service APIs and analyze the cluster metrics data to diagnose the cause for the red or yellow cluster status.
+ **DeleteAWSLambdaFunctionStack:**
Deletes the Lambda function created by this automation in your account.
1. After completed, review the Outputs section for the detailed results of the execution.
+ **RootCause:**
Provides an overview of the identified cause for cluster health to be in red or yellow state.
+ **IssueDescription:**
Provides details for why the cluster is in red or yellow state and possible steps to return the cluster to green state.
**References**
Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootOpenSearchRedYellowCluster)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows landing page](https://aws.amazon.com/premiumsupport/technology/saw/)
AWS service documentation
+ Refer to[Troubleshooting Amazon OpenSearch Service](https://docs.aws.amazon.com//opensearch-service/latest/developerguide/handling-errors.html) for more information
# `AWSSupport-TroubleshootOpenSearchHighCPU`
**Description**
The `AWSSupport-TroubleshootOpenSearchHighCPU` runbook provides an automated solution to collect diagnostic data from an Amazon OpenSearch Service domain to troubleshoot [high CPU](https://repost.aws/knowledge-center/opensearch-troubleshoot-high-cpu) issues.
**How does it work?**
The `AWSSupport-TroubleshootOpenSearchHighCPU` runbook helps to troubleshoot high CPU utilization in the Amazon OpenSearch Service domain.
The runbook performs the following steps:
+ Runs the [DescribeDomain](https://docs.aws.amazon.com//opensearch-service/latest/APIReference/API_DescribeDomain.html) API against the provided Amazon OpenSearch Service domain to get the cluster metadata.
+ Checks whether the Amazon OpenSearch Service domain is public or Amazon VPC-based and with the help of CloudFormation, creates a public or [Amazon VPC-based](https://docs.aws.amazon.com//opensearch-service/latest/developerguide/vpc.html) AWS Lambda function.
+ The Lambda function fetches diagnostic data from the Amazon OpenSearch Service domains.
+ Uses an AWS Step Functions state machine to orchestrate multiple Lambda function executions to gather more comprehensive data.
+ Stores the collected data in an Amazon CloudWatch log group for 24 hours by default.
+ Deletes the created resources, except the CloudWatch log group.
**Document type**
Automation
**Owner**
Amazon
**Platforms**
Linux, macOS, Windows
**Parameters**
**Required IAM permissions**
The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `cloudformation:CreateStack`
+ `cloudformation:CreateStack`
+ `cloudformation:DescribeStacks`
+ `cloudformation:DescribeStackEvents`
+ `cloudformation:DeleteStack`
+ `lambda:CreateFunction`
+ `lambda:DeleteFunction`
+ `lambda:InvokeFunction`
+ `lambda:GetFunction`
+ `lambda:TagResource`
+ `es:DescribeDomain`
+ `ec2:DescribeSecurityGroups`
+ `ec2:DescribeSubnets`
+ `ec2:DescribeVpcs`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:CreateNetworkInterface`
+ `ec2:DescribeInstances`
+ `ec2:AttachNetworkInterface`
+ `ec2:DeleteNetworkInterface`
+ `logs:CreateLogGroup`
+ `logs:PutRetentionPolicy`
+ `logs:TagResource`
+ `states:CreateStateMachine`
+ `states:DeleteStateMachine`
+ `states:StartExecution`
+ `states:TagResource`
+ `states:DescribeStateMachine`
+ `states:DescribeExecution`
+ `iam:PassRole`
+ `iam:CreateRole`
+ `iam:DeleteRole`
+ `iam:GetRole`
+ `iam:PutRolePolicy`
+ `iam:DeleteRolePolicy`
+ `ssm:DescribeAutomationExecutions`
+ `ssm:GetAutomationExecution`
**Note**
The `iam:CreateRole`, `iam:DeleteRole`, `iam:GetRole`, `iam:PutRolePolicy` `iam:PutRolePolicy`, and `iam:DeleteRolePolicy` are only required if you are not using an existing IAM role for **LambdaInvocationRoleForStepFunctions** parameter
The `LambdaExecutionRole` parameter requires the following actions to successfully use the runbook:
+ `es:ESHttpGet`
+ `ec2:CreateNetworkInterface`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:DeleteNetworkInterface`
+ `logs:CreateLogStream`
+ `logs:PutLogEvents`
The Lambda execution role grants the function permission to access AWS services and resources required by this runbook. For more information, see [Lambda execution role](https://docs.aws.amazon.com//lambda/latest/dg/lambda-intro-execution-role.html).
**Note**
The `ec2:DescribeNetworkInterfaces`, `ec2:CreateNetworkInterface`, and `ec2:DeleteNetworkInterface` are only required if your OpenSearch Service cluster is [Amazon VPC-based](https://docs.aws.amazon.com//opensearch-service/latest/developerguide/vpc.html) to allow the Lambda function to create and manage the Amazon VPC network interfaces. For more information, see [Connecting outbound networking to resources in a Amazon VPC](https://docs.aws.amazon.com//lambda/latest/dg/configuration-vpc.html#vpc-permissions) and [Lambda execution role](https://docs.aws.amazon.com//lambda/latest/dg/lambda-intro-execution-role.html).
The `LambdaInvocationRoleForStepFunctions` parameter grants the permissions for AWS Step Functions state machine to invoke the Lambda function. The following is an example IAM policy that grants Step Functions permission to invoke the Lambda function that fetches diagnostic data from the OpenSearch Service domain. For more information, see [Creating a state machine IAM role ](https://docs.aws.amazon.com/step-functions/latest/dg/procedure-create-iam-role.html) in AWS Step Functions Developer Guide.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": [
"arn:aws:lambda:us-east-1:111122223333:function:AWSSupport-HighCPU-*"
]
}
]
}
```
------
**Instructions**
Follow these steps to configure the automation:
1. Navigate to the [AWSSupport-TroubleshootOpenSearchHighCPU](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-TroubleshootOpenSearchHighCPU/description) in the AWS Systems Manager console.
1. Select Execute automation.
1. For the input parameters enter the following:
+ **AutomationAssumeRole (Optional):**
The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ **DomainName (Required):**
The name of the Amazon OpenSearch Service domain that you want to troubleshoot for high CPU issues.
+ **LambdaExecutionRoleForOpenSearch (Required):**
The ARN of the IAM role to attach to the Lambda function. The Lambda function uses the credentials from this role to sign requests to the Amazon OpenSearch Service domain. If fine-grained access control is enabled on the Amazon OpenSearch Service domain, you must map this role to an OpenSearch Service Dashboards backend role with a minimum of "cluster\$1monitor" permission.
+ **LambdaInvocationRoleForStepFunctions (Optional):**
(Optional) The ARN of the IAM role to attach to the Step Functions workflow. The state machine uses the credentials from this role to invoke the Lambda function that fetches diagnostic data from the OpenSearch Service domain. If no role is specified, this automation will create an IAM role for Step Functions in your account.
+ **DataRetentionDays (Optional):**
The number of days to retain the diagnostic data collected from the Amazon OpenSearch Service domain. By default, the data is retained for 24 hours (one day). You can choose to retain the data for a maximum of up to 30 days.
+ **NumberOfDataSamples (Optional):**
The number of data samples to collect from the Amazon OpenSearch Service domain. By default, 5 data sample are collected. You can collect up to 10 samples and the Lambda function will be invoked for each sample collection.
1. If you have enabled [fine-grained access control](https://docs.aws.amazon.com//opensearch-service/latest/developerguide/fgac.html) on an OpenSearch Service cluster, make sure that the `LambdaExecutionRole` role arn is mapped to a role with at least `cluster_monitor` permission.
![\[Cluster permissions section showing cluster_monitor permission granted.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-opensearch-high-cpu_cluster_permissions.png)
![\[Backend roles interface showing an AWSIAM role for Lambda execution and options to remove or add roles.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-opensearch-high-cpu_backend_roles.png)
1. Select Execute.
1. The automation initiates.
1. The automation runbook performs the following steps:
+ **checkConcurrency:**
Ensures that there is only one execution of this runbook targeting the specified Amazon OpenSearch Service domain. If the runbook finds another execution targeting the same domain name, it returns an error and ends.
+ **getDomainConfig:**
Gets the configuration details for the target OpenSearch Service domain.
+ **provisionResources:**
Provisions the resources for data collection using CloudFormation.
+ **waitForStackCreation:**
Waits for the CloudFormation stack to complete.
+ **describeStackResources:**
Describes the CloudFormation stack and gets the ARN of the state machine.
+ **runStateMachine:**
Invokes the data collector Lambda function one or more times by running a Step Functions state machine.
+ **describeErrorsFromStackEvents:**
Describes errors from the CloudFormation stack for errors.
+ **unstageOpenSearchHighCPUAutomation:**
Deletes the `AWSSupport-TroubleshootOpenSearchHighCPU` CloudFormation stack.
+ **describeErrorsFromStackDeletion:**
Describes errors encountered while deleting the CloudFormation stack.
+ **finalStatus:**
Returns the final output of the `AWSSupport-TroubleshootOpenSearchHighCPU` runbook.
1. After completed, review the Outputs section for the detailed results of the execution.
+ **finalStatus.FinalOutput:**
Provides the CloudWatch log group where the diagnostic data is stored.
![\[Output message indicating hot thread data collection completed with log group details.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-troubleshoot-opensearch-high-cpu_outputs.png)
**References**
Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootOpenSearchHighCPU)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows landing page](https://aws.amazon.com/premiumsupport/technology/saw/)
AWS service documentation
+ Refer to[Troubleshooting Amazon OpenSearch Service](https://docs.aws.amazon.com//opensearch-service/latest/developerguide/handling-errors.html) for more information