
The AWS documentation on ElasticSearch access control talks about how to grant access to the ES domain's subresources while preventing changes to the domain's configuration, by creating an ES domain resource policy and setting the resource to the ES domain ARN followed by /*. For example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/test-user"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-west-1:987654321098:domain/test-domain/*"
    }
  ]
}
```

In this example, test-user is granted rights to perform actions on the ES domain subresources but not the ES domain configuration itself.

When provisioning an AWS ES domain using CloudFormation, one can set the resource policy with the AccessPolicies property. Unfortunately there is no CloudFormation resource like AWS::Elasticsearch::DomainAccessPolicy, and it appears that the only way to set a resource policy on an ES domain is with this property.

How can one take advantage of the types of policies recommended in the access control docs if there's no way to know the ES domain ARN to use in the Resource field, since the ES domain hasn't yet been created at the point where the access policy is defined?

I've tried referencing the DomainArn attribute of the ES domain in the Resource field of the access policy, but understandably that doesn't work since it creates a circular dependency.

The only solution I've thought of so far is to just wait until AWS updates CloudFormation to include an AWS::Elasticsearch::DomainAccessPolicy resource type.

gene_wood

1 Answer


The access policy attached to the ES domain only grants access to this specific ElasticSearch domain. You should be able to safely use "Resource": "*" as it only affects the ES domain you created.

M. Glatki
  • Right, but by granting access to `"Resource": "*"` I grant the principal access to not only post and get against the index but also to modify the ES configuration. Quoting the AWS doc page: `The trailing /* in the Resource element is significant. Despite having full access, test-user can perform these actions only on the domain's subresources, not on the domain's configuration.` – gene_wood Oct 30 '18 at 20:21
  • Bit late to the party, but I wonder if you could use `"Resource": "*/_search"` so you don't have to mess with building the arn, but not give access to the configuration? – Brooks Apr 28 '19 at 02:13
  • Although it isn't ideal, I am at least able to confirm that you can set Resource like this: `Resource: "/*"`. If I set it to just an asterisk, it broke for me. – Mike Kellogg Nov 30 '20 at 22:03
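Added example, not taken from any post on this page: a small check that evaluates an access policy's Resource patterns against the domain's own ARN, showing why `"Resource": "*"` also covers the domain configuration while the documented `.../domain/<name>/*` form covers only subresources. The region, account id and domain name are constructed sample values; the policy shape is the one quoted in the question. It models full-ARN patterns with IAM-style wildcards only, not the relative `/*` form mentioned in the comments, and the ARN string is built the same way an `Fn::Sub` with `${AWS::Region}` and `${AWS::AccountId}` would build it when DomainName is fixed in the template (an approach assumed here, not one the thread confirms).

```python
import json
import re

# Constructed sample values (not from a real account).
REGION, ACCOUNT, DOMAIN = "us-west-1", "987654321098", "test-domain"
# The domain ARN is the "configuration" resource; anything below it is a subresource.
CONFIG_ARN = f"arn:aws:es:{REGION}:{ACCOUNT}:domain/{DOMAIN}"
INDEX_ARN = CONFIG_ARN + "/logs-2018/_search"  # constructed subresource ARN


def build_policy(principal_arn, resource):
    """Access policy in the same shape as the example quoted in the question."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [principal_arn]},
        "Action": ["es:*"],
        "Resource": resource,
    }]}


def arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def grants_config_access(policy):
    """True if an Allow statement's Resource covers the domain ARN itself,
    i.e. the principal could also change the domain configuration."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(arn_matches(r, CONFIG_ARN) for r in resources):
            return True
    return False


if __name__ == "__main__":
    principal = "arn:aws:iam::123456789012:user/test-user"
    # Compare the answer's "*" with the documented trailing-/* form.
    for res in ("*", CONFIG_ARN + "/*"):
        pol = build_policy(principal, res)
        print(json.dumps(res), "-> config access:", grants_config_access(pol))
```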