diff --git a/infrastructure/lib/constructs/opensearchCognito.ts b/infrastructure/lib/constructs/opensearchCognito.ts
index 6b4cff5..721a6b6 100644
--- a/infrastructure/lib/constructs/opensearchCognito.ts
+++ b/infrastructure/lib/constructs/opensearchCognito.ts
@@ -4,7 +4,7 @@ import { Effect, FederatedPrincipal, ManagedPolicy, PolicyStatement, Role, Servi
 import * as cognito from "aws-cdk-lib/aws-cognito";
 
 export interface OpenSearchMetricsCognitoProps {
-    readonly region: string;
+    readonly openSearchDomainArn: string;
 }
 
 export class OpenSearchMetricsCognito extends Construct {
@@ -99,16 +99,16 @@ export class OpenSearchMetricsCognito extends Construct {
         this.identityPoolAuthRole.addToPolicy(
             new PolicyStatement({
                 effect: Effect.ALLOW,
-                actions: ['mobileanalytics:PutEvents', 'cognito-sync:*', 'cognito-identity:*', 'es:ESHttp*'],
-                resources: ['*'],
+                actions: ["es:ESHttpGet", "es:ESHttpPost"],
+                resources: [`${props.openSearchDomainArn}`],
             }),
         );
 
         this.identityPoolAdminRole.addToPolicy(
             new PolicyStatement({
                 effect: Effect.ALLOW,
-                actions: ['mobileanalytics:PutEvents', 'cognito-sync:*', 'cognito-identity:*', 'es:ESHttp*'],
-                resources: ['*'],
+                actions: ["es:ESHttp*", ],
+                resources: [`${props.openSearchDomainArn}`],
             }),
         );
 
diff --git a/infrastructure/lib/constructs/opensearchNginxProxyCognito.ts b/infrastructure/lib/constructs/opensearchNginxProxyCognito.ts
index 5739b54..5282030 100644
--- a/infrastructure/lib/constructs/opensearchNginxProxyCognito.ts
+++ b/infrastructure/lib/constructs/opensearchNginxProxyCognito.ts
@@ -15,7 +15,7 @@ import {
     SubnetType,
     Vpc,
     AmazonLinuxGeneration,
-    AmazonLinuxImage
+    AmazonLinuxImage, MachineImage
 } from 'aws-cdk-lib/aws-ec2';
 import { Effect, ManagedPolicy, PolicyStatement, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
 import {Aspects, CfnOutput, Duration, Tag, Tags} from 'aws-cdk-lib';
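Review bot: In the `@@ -99,16 +99,16 @@` hunk of opensearchCognito.ts both policies now name the bare domain ARN, but `es:ESHttp*` requests are evaluated against the domain's sub-resource path (the AWS examples scope them to `arn:…:domain/<name>/*`), so `resources: [\`${props.openSearchDomainArn}\`]` alone may not match index or Dashboards requests — worth confirming on a deployed domain, and if it fails the resource should be `[props.openSearchDomainArn, \`${props.openSearchDomainArn}/*\`]`. The template literal around `props.openSearchDomainArn` adds nothing since the prop is already a `string`, and the admin role's `["es:ESHttp*", ]` carries a stray trailing comma and space; `resources: [props.openSearchDomainArn]` and `actions: ["es:ESHttp*"]` read cleaner. Narrowing the auth role from `*` to Get/Post on one domain is a real least-privilege gain, though `es:ESHttpPost` still permits writes through `_bulk` and `_doc`, so if that role is meant to be read-only a comment saying so (or a path-scoped resource) would help the next reader. Both `addToPolicy` calls sit inside a constructor or method that begins before this hunk.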
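Review bot: The `@@ -15,7 +15,7 @@` hunk of opensearchNginxProxyCognito.ts keeps `AmazonLinuxGeneration` and `AmazonLinuxImage` in the import list although the only use visible in this commit, the `machineImage` line in this file's `@@ -62` hunk, is replaced by `MachineImage.latestAmazonLinux2()`; unless they are referenced elsewhere in the file, the changed line should become `MachineImage` alone, on its own line to match the one-name-per-line style of the surrounding list. The same applies to the `@@ -9,7 +9,7 @@` hunk of opensearchNginxProxyReadonly.ts.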
@@ -62,9 +62,7 @@ export class OpenSearchMetricsNginxCognito extends Construct {
             instanceType: InstanceType.of(InstanceClass.M5, InstanceSize.LARGE),
             blockDevices: [{ deviceName: '/dev/xvda', volume: BlockDeviceVolume.ebs(10) }], // GB
             healthCheck: HealthCheck.ec2({ grace: Duration.seconds(90) }),
-            machineImage: new AmazonLinuxImage({
-                generation: AmazonLinuxGeneration.AMAZON_LINUX_2,
-            }),
+            machineImage: MachineImage.latestAmazonLinux2(),
             // Temp added public subnet and IP, until backed up by ALB
             associatePublicIpAddress: true,
             allowAllOutbound: true,
diff --git a/infrastructure/lib/stacks/opensearch.ts b/infrastructure/lib/stacks/opensearch.ts
index a2c43a5..f9aee90 100644
--- a/infrastructure/lib/stacks/opensearch.ts
+++ b/infrastructure/lib/stacks/opensearch.ts
@@ -53,7 +53,7 @@ export class OpenSearchDomainStack extends Stack {
                 new PolicyStatement({
                     effect: iam.Effect.ALLOW,
                     actions: ["sts:AssumeRole"],
-                    resources: ['*'],
+                    resources: [`arn:aws:iam::${props.account}:role/OpenSearchFullAccessRole`],
                     conditions: {
                         StringEquals: { 'aws:PrincipalAccount': props.account, 'aws:RequestedRegion': props.region,},
                     }
@@ -80,6 +80,7 @@ export class OpenSearchDomainStack extends Stack {
         this.fullAccessRole = new Role(this, 'OpenSearchFullAccessRole', {
             assumedBy: new CompositePrincipal(...secureRolesList.map((role) => new iam.ArnPrincipal(role.roleArn))),
             description: "Master role for OpenSearch full access",
+            // The Name used in openSearchLambdaRole
             roleName: "OpenSearchFullAccessRole",
             inlinePolicies: {
                 "opensearchFullAccess": new PolicyDocument({
@@ -95,7 +96,7 @@ export class OpenSearchDomainStack extends Stack {
         });
 
         const metricsCognito = new OpenSearchMetricsCognito(this, "OpenSearchHealthCognito", {
-            region: props.region,
+            openSearchDomainArn: domainArn
         });
 
diff --git a/infrastructure/lib/stacks/opensearchNginxProxyReadonly.ts b/infrastructure/lib/stacks/opensearchNginxProxyReadonly.ts
index b7626e3..4b0f00d 100644
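Review bot: In the `@@ -62,9 +62,7 @@` hunk of opensearchNginxProxyCognito.ts, `MachineImage.latestAmazonLinux2()` called without options resolves the AMI from the public SSM parameter on every deploy (as I read the CDK docs this matches the replaced `AmazonLinuxImage` default), so any deploy that sees a newer AL2 image rolls the ASG instances; if stable, reviewable deploys are wanted this is the place to pass `{ cachedInContext: true }` so the AMI is pinned in `cdk.context.json` and changes only when deliberately refreshed. Whichever policy is intended, a one-line comment such as `// AMI is re-resolved each deploy; instances are replaced when a newer AL2 image is published` would make it explicit. The same applies to the `@@ -60,9 +60,7 @@` hunk of opensearchNginxProxyReadonly.ts. The enclosing AutoScalingGroup props object begins and ends outside this hunk.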
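Review bot: In the `@@ -53,7 +53,7 @@` hunk of opensearch.ts the `sts:AssumeRole` resource is a hand-built ARN with the partition hard-coded to `aws` and the role name `OpenSearchFullAccessRole` repeated as a literal that must stay in sync with the `roleName` passed to the `Role` in the `@@ -80` hunk; referencing `this.fullAccessRole.roleArn` directly would presumably create a dependency cycle with that role's trust policy, which is why the name is spelled out, but since this class extends `Stack` the literal can be built as `this.formatArn({ service: 'iam', region: '', account: props.account, resource: 'role', resourceName: FULL_ACCESS_ROLE_NAME })` with the name hoisted into one shared constant used by both sites. That also makes the new `// The Name used in openSearchLambdaRole` comment in the `@@ -80` hunk redundant, since the constant documents the coupling. Narrowing the resource from `*` to the single role is the right direction, and the existing `aws:PrincipalAccount`/`aws:RequestedRegion` conditions are untouched. The `PolicyStatement` list this entry belongs to begins before the hunk.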
--- a/infrastructure/lib/stacks/opensearchNginxProxyReadonly.ts
+++ b/infrastructure/lib/stacks/opensearchNginxProxyReadonly.ts
@@ -9,7 +9,7 @@ import {
     SubnetType,
     Vpc,
     AmazonLinuxGeneration,
-    AmazonLinuxImage
+    AmazonLinuxImage, MachineImage
 } from 'aws-cdk-lib/aws-ec2';
 import * as iam from "aws-cdk-lib/aws-iam";
 import {Aspects, Duration, Stack, Tag, Tags} from 'aws-cdk-lib';
@@ -60,9 +60,7 @@ export class OpenSearchMetricsNginxReadonly extends Stack {
             instanceType: InstanceType.of(InstanceClass.M5, InstanceSize.LARGE),
             blockDevices: [{ deviceName: '/dev/xvda', volume: BlockDeviceVolume.ebs(10) }], // GB
             healthCheck: HealthCheck.ec2({ grace: Duration.seconds(90) }),
-            machineImage: new AmazonLinuxImage({
-                generation: AmazonLinuxGeneration.AMAZON_LINUX_2,
-            }),
+            machineImage: MachineImage.latestAmazonLinux2(),
             associatePublicIpAddress: false,
             allowAllOutbound: true,
             desiredCapacity: 2,