Proper access policy for Amazon Elastic Search Cluster

Question

asked Jul 3, 2019 in AWS by yuvraj (19.1k points)

I've recently started using the new Amazon Elasticsearch Service and I can't seem to figure out the access policy I need so that I can only access the services from my EC2 instances that have a specific IAM role assigned to them.

Here's an example of the access policy I currently have assigned for the ES domain:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::[ACCOUNT_ID]:role/my_es_role",
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/*"
    }
  ]
}

But as I said, this doesn't work. I log into the EC2 instance (which has the my_es_role role attached to it) and attempt to run a simple curl call on the "https://*.es.amazonaws.com" end point, I get the following error:

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/“}

Does anyone know what I have to change in the access policy in order for this to work?

1 Answer

Related questions

0 votes

1 answer

AWS Amazon IAM user Policy to access ONLY one EC2 instance on EU-WEST-1 region

asked Jul 12, 2019 in AWS by yuvraj (19.1k points)

Want to get 50% Hike on your Salary?

Learn how we helped 50,000+ professionals like you !

0 votes

1 answer

Is using a load balancer with ElasticSearch unnecessary?

asked Jul 4, 2019 in AWS by yuvraj (19.1k points)

0 votes

1 answer

Can an aws IAM policy dynamically refer to the logged in username?

asked Sep 20, 2019 in AWS by yuvraj (19.1k points)

0 votes

1 answer

Elastic Beanstalk could not find any platforms

asked Jul 9, 2019 in AWS by yuvraj (19.1k points)

0 votes

1 answer

Logs for actions on amazon s3 / other AWS services

asked Jul 16, 2019 in AWS by yuvraj (19.1k points)

kodee · Answer 1 · 2019-07-03T08:04:10+0000

How to view Kibana in your browser when you have locked down access to IAM-only? You can set up a proxy (NPM module or Gist) or also enable both IAM and IP-based access.

With the following access policy, I was able to get both IAM and IP-restricted access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.168.1.0",
            "192.168.1.1"
          ]
        }
      }
    }
  ]
}

My EC2 instance has an instance profile with the arn:aws:iam::aws:policy/AmazonESFullAccess policy. Logstash uses logstash-output-amazon-es output plugin. Logstash running on the EC2 instance should have an output like this:

output {
    amazon_es {
        hosts => ["elastisearch-host"]
        region => "aws-region"
    }
    # If you need to do some testing & debugging, uncomment this line:
    # stdout { codec => rubydebug }
}

Proper access policy for Amazon Elastic Search Cluster

1 Answer

Related questions

Browse Categories