aoss-nextgen-provisioning
Use when provisioning or deprovisioning OpenSearch Serverless collections, creating collection groups, setting up AOSS NextGen, or tearing down AOSS resources.
| Field | Value |
|---|---|
| name | aoss-nextgen-provisioning |
| description | Use when provisioning or deprovisioning OpenSearch Serverless collections, creating collection groups, setting up AOSS NextGen, or tearing down AOSS resources |
Guided wizard for provisioning and deprovisioning Amazon OpenSearch Serverless (AOSS) NextGen collections. Handles the full orchestration: security policies, collection groups, and collections — in the correct dependency order.
- `"standbyReplicas": "ENABLED"` is MANDATORY for all NextGen collection groups (never allow `DISABLED`).
- `"generation": "NEXTGEN"` is REQUIRED for NextGen collection groups.

| Action | Flow | What it creates |
|---|---|---|
| New NextGen collection (defaults) | Simple | enc policy + net policy + group + collection |
| New NextGen collection (customized) | Advanced | enc policy + net policy + group (with limits) + collection |
| New standalone collection (v1) | Standalone | enc policy + net policy + collection |
| Add collection to existing group | Add to Group | collection (+ policies if needed) |
| Delete resources | Deprovision | Removes collections → group → policies |
| Resource | Name Pattern |
|---|---|
| Collection | `<user-provided-name>` |
| Collection group | `<name>-group` |
| Encryption policy | `<name>-enc-policy` |
| Network policy | `<name>-net-policy` |
| Data access policy | `<name>-access-policy` |
This skill is split across multiple files to stay under 500 lines. Read companion files on demand:
- ADVANCED.md in this directory.
- DEPROVISION.md in this directory.
- ERRORS.md in this directory for error handling guidance.

Run:

```bash
aws sts get-caller-identity
```
If this fails, tell the user: "AWS credentials are missing or expired. Please configure credentials (e.g., aws configure or set environment variables) and try again." Then STOP.
Ask the user:
What would you like to do?
1. Provision (Simple) — New NextGen collection group + collection with defaults
2. Provision (Advanced) — Preset-based setup with full parameter control
3. Provision standalone collection — Collection without a collection group (classic)
4. Add collection to existing group — Create a collection in an existing collection group
5. Deprovision — Tear down collection(s) and/or collection group
Proceed to the corresponding flow section below (or read companion file as noted above).
Collect from the user (one at a time):
- Collection name: must match `[a-z][a-z0-9-]+`

Run these commands in order. Stop and report if any command fails.
1. Create encryption policy:

```bash
aws opensearchserverless create-security-policy --cli-input-json '{
  "type": "encryption",
  "name": "<name>-enc-policy",
  "policy": "{\"Rules\":[{\"ResourceType\":\"collection\",\"Resource\":[\"collection/<name>\"]}],\"AWSOwnedKey\":true}"
}' --region <region>
```

2. Create network policy (public access):

```bash
aws opensearchserverless create-security-policy --cli-input-json '{
  "type": "network",
  "name": "<name>-net-policy",
  "policy": "[{\"Description\":\"Public access for <name>\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection/<name>\"]},{\"ResourceType\":\"collection\",\"Resource\":[\"collection/<name>\"]}],\"AllowFromPublic\":true}]"
}' --region <region>
```

3. Create collection group (NextGen):

```bash
aws opensearchserverless create-collection-group \
  --name <name>-group \
  --standby-replicas ENABLED \
  --generation NEXTGEN \
  --region <region>
```

4. Create collection:

```bash
aws opensearchserverless create-collection --cli-input-json '{
  "name": "<name>",
  "type": "<TYPE>",
  "collectionGroupName": "<name>-group"
}' --region <region>
```

5. Optional — Data access policy:

Ask: "Would you like to set up a data access policy now? This grants an IAM principal access to the collection. You can also do this later."

If yes, collect the IAM principal ARN (role or user ARN), then run:

```bash
aws opensearchserverless create-access-policy --cli-input-json '{
  "type": "data",
  "name": "<name>-access-policy",
  "policy": "[{\"Rules\":[{\"Resource\":[\"collection/<name>\"],\"Permission\":[\"aoss:*\"],\"ResourceType\":\"collection\"},{\"Resource\":[\"index/<name>/*\"],\"Permission\":[\"aoss:*\"],\"ResourceType\":\"index\"}],\"Principal\":[\"<principal-arn>\"]}]"
}' --region <region>
```
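The Simple flow above as one script, added here as an example that is not part of the skill's own files: it builds the two policy documents, escapes them into the `--cli-input-json` form used above, rejects a collection name that fails `[a-z][a-z0-9-]+` or a group without `standbyReplicas ENABLED` / `generation NEXTGEN`, and runs steps 1-4 in dependency order. Assumed: a POSIX sh with grep and sed; `DRY_RUN` defaults to printing the aws commands instead of calling aws.

```bash
#!/bin/sh
# Added example, not part of the skill's own files: builds the policy documents
# the Simple flow embeds in --cli-input-json, validates the inputs, and runs
# steps 1-4 in dependency order. DRY_RUN=1 (the default here) only prints the
# aws commands so the script can be checked offline; set DRY_RUN=0 to call aws.
# Usage: . ./aoss-provision.sh; provision <name> <region> <TYPE>
set -eu

# Collection names must match the wizard's pattern [a-z][a-z0-9-]+
validate_name() { printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]+$'; }

# Escape a JSON document so it can be embedded in the "policy" string field.
json_string() { printf '%s' "$1" | sed 's/"/\\"/g'; }

# Encryption policy: AWS-owned key, scoped to collection/<name> only.
enc_policy() {
  printf '{"Rules":[{"ResourceType":"collection","Resource":["collection/%s"]}],"AWSOwnedKey":true}' "$1"
}

# Network policy: the Simple flow is public by design (AllowFromPublic true).
net_policy() {
  printf '[{"Description":"Public access for %s","Rules":[{"ResourceType":"dashboard","Resource":["collection/%s"]},{"ResourceType":"collection","Resource":["collection/%s"]}],"AllowFromPublic":true}]' "$1" "$1" "$1"
}

# Print the command in dry-run mode, execute it otherwise; under set -e any
# failing aws call aborts the flow ("stop and report if any command fails").
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Collection group creation refuses anything but the mandatory NextGen settings.
create_group() {
  [ "$3" = ENABLED ] || { echo "standbyReplicas must be ENABLED" >&2; return 2; }
  [ "$4" = NEXTGEN ] || { echo "generation must be NEXTGEN" >&2; return 2; }
  run aws opensearchserverless create-collection-group --name "$1-group" \
    --standby-replicas "$3" --generation "$4" --region "$2"
}

# Simple flow: encryption policy -> network policy -> group -> collection.
provision() {
  name=$1; region=$2; ctype=$3
  validate_name "$name" || { echo "invalid collection name: $name" >&2; return 2; }
  run aws opensearchserverless create-security-policy --cli-input-json \
    "{\"type\":\"encryption\",\"name\":\"$name-enc-policy\",\"policy\":\"$(json_string "$(enc_policy "$name")")\"}" --region "$region"
  run aws opensearchserverless create-security-policy --cli-input-json \
    "{\"type\":\"network\",\"name\":\"$name-net-policy\",\"policy\":\"$(json_string "$(net_policy "$name")")\"}" --region "$region"
  create_group "$name" "$region" ENABLED NEXTGEN
  run aws opensearchserverless create-collection --cli-input-json \
    "{\"name\":\"$name\",\"type\":\"$ctype\",\"collectionGroupName\":\"$name-group\"}" --region "$region"
}
```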
After all commands succeed, report the result to the user and remind them of the status check command:

```bash
aws opensearchserverless batch-get-collection --ids <id> --region <region>
```

For customers who want a collection without a collection group (v1-style, no NextGen features).
Collect from the user:
1. Create encryption policy:

```bash
aws opensearchserverless create-security-policy --cli-input-json '{
  "type": "encryption",
  "name": "<name>-enc-policy",
  "policy": "{\"Rules\":[{\"ResourceType\":\"collection\",\"Resource\":[\"collection/<name>\"]}],\"AWSOwnedKey\":true}"
}' --region <region>
```

2. Create network policy (public access):

```bash
aws opensearchserverless create-security-policy --cli-input-json '{
  "type": "network",
  "name": "<name>-net-policy",
  "policy": "[{\"Description\":\"Public access for <name>\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection/<name>\"]},{\"ResourceType\":\"collection\",\"Resource\":[\"collection/<name>\"]}],\"AllowFromPublic\":true}]"
}' --region <region>
```

3. Create collection (no collection group):

```bash
aws opensearchserverless create-collection --cli-input-json '{
  "name": "<name>",
  "type": "<TYPE>"
}' --region <region>
```
4. Optional — Data access policy:
Same as Flow 1.
Report collection name, ID, ARN, region. Remind about status check command.