in AWS by (19.2k points)

I've recently started using the new Amazon Elasticsearch Service and I can't seem to figure out the access policy I need so that I can only access the services from my EC2 instances that have a specific IAM role assigned to them.

Here's an example of the access policy I currently have assigned for the ES domain:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::[ACCOUNT_ID]:role/my_es_role"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/*"
    }
  ]
}

But as I said, this doesn't work. When I log into the EC2 instance (which has the my_es_role role attached to it) and attempt to run a simple curl call against the "https://*.es.amazonaws.com" endpoint, I get the following error:

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/"}

Does anyone know what I have to change in the access policy in order for this to work?

1 Answer

by (44.6k points)

How do you view Kibana in your browser when you have locked access down to IAM-only? You can set up a proxy (an NPM module or a Gist) or enable both IAM and IP-based access.

With the following access policy, I was able to get both IAM and IP-restricted access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.168.1.0",
            "192.168.1.1"
          ]
        }
      }
    }
  ]
}

My EC2 instance has an instance profile with the arn:aws:iam::aws:policy/AmazonESFullAccess policy. Logstash uses the logstash-output-amazon-es output plugin. Logstash running on the EC2 instance should have an output like this:

output {
    amazon_es {
        # Domain endpoint hostname (without the https:// scheme) and its region.
        hosts => ["elasticsearch-host"]
        region => "aws-region"
    }
    # If you need to do some testing & debugging, uncomment this line:
    # stdout { codec => rubydebug }
}
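The second statement in the answer's policy grants es:* to the wildcard principal and relies entirely on the aws:SourceIp condition to keep that grant narrow, so a mistake in the condition, or dropping it while editing, opens the domain to anyone who can reach the endpoint. The check below is an added example, not part of the answer, that parses a domain access policy and reports Allow statements an unsigned caller could use: wildcard principals with no source-IP condition, ranges wider than a configurable limit, and private (RFC 1918) addresses, which deserve a second look because a public domain endpoint sees the caller's public address. The account ID 123456789012 and the three embedded policies are constructed samples shaped like the ones on this page.

```python
import ipaddress
import json

# Constructed samples. HARDENED mirrors the shape of the answer's policy: one
# statement for an IAM principal, one anonymous statement restricted by source
# IP. WEAK drops the IP condition; OPEN keeps it but uses 0.0.0.0/0.
_DOMAIN = "arn:aws:es:us-west-2:123456789012:domain/my-elasticsearch-domain/*"

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "es:*", "Resource": _DOMAIN},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": _DOMAIN,
         "Condition": {"IpAddress": {"aws:SourceIp": ["192.168.1.0", "192.168.1.1"]}}},
    ],
}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": _DOMAIN}]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": _DOMAIN,
     "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}]}

MAX_ADDRESSES = 256  # widest aws:SourceIp range this check tolerates (a tunable assumption)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_anonymous(stmt):
    """True when the statement's principal is the wildcard, i.e. unsigned requests match it."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def source_ip_ranges(stmt):
    """Collect aws:SourceIp values from IpAddress conditions (list or single string)."""
    ranges = []
    for operator, values in stmt.get("Condition", {}).items():
        if operator.split(":")[-1] == "IpAddress":
            ranges.extend(_as_list(values.get("aws:SourceIp", [])))
    return ranges


def audit_policy(policy):
    """Return (statement_index, message) findings for Allow statements that unsigned callers can use.

    Accepts the policy as a dict or as JSON text; invalid JSON (for example a
    trailing comma) raises ValueError before any statement is examined.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt):
            continue
        ranges = source_ip_ranges(stmt)
        if not ranges:
            findings.append((idx, "anonymous principal with no aws:SourceIp condition: reachable from anywhere"))
            continue
        for cidr in ranges:
            net = ipaddress.ip_network(cidr, strict=False)  # bare IPs become /32
            if net.num_addresses > MAX_ADDRESSES:
                findings.append((idx, f"aws:SourceIp {cidr} admits {net.num_addresses} addresses"))
            if net.is_private:
                findings.append((idx, f"aws:SourceIp {cidr} is a private range; confirm it is the address the endpoint actually sees"))
    return findings


if __name__ == "__main__":
    for name, pol in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY), ("open", OPEN_POLICY)):
        print(name, audit_policy(pol) or "no findings")
```

Run it against the policy JSON before pasting it into the domain configuration; the JSON parse alone catches the trailing comma in the question's original policy, and the findings list is empty only when every anonymous grant is pinned to a small, public source range.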
