
We created an admin user in our Amazon account with full access to the Elasticsearch service. Nonetheless, when the user wants to open the ES dashboard, we get this error:

DescribeReservedElasticsearchInstances: {"Message":"User: arn:aws:iam::999999999999:user/username is not authorized to perform: es:DescribeReservedElasticsearchInstances on resource: arn:aws:es:us-east-2:999999999999:domain/* with an explicit deny"}

This is the access policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999999:user/username"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-2:999999999999:domain/xxxxxxx/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-2:999999999999:domain/xxxxxxx/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "92.116.64.341"
        }
      }
    }
  ]
}

Why can't the user access ES and how can we solve it?

stanvooz

There is `explicit deny`. You have to find a policy which has a deny statement. Maybe an SCP in your AWS org. – Marcin Aug 20 '21 at 07:35
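To make the comment's point concrete, here is an added example (not code from the question or from AWS) that replays the request from the error message through a deliberately simplified IAM evaluator. It shows that the posted domain access policy alone can only produce an *implicit* deny for `es:DescribeReservedElasticsearchInstances` on `domain/*`, that an identity policy granting `es:*` turns that into an allow, and that the wording "with an explicit deny" can only come from a `Deny` statement in some other policy: an SCP, a permissions boundary, or another attached policy. The identity policy and the SCP below are constructed, hypothetical inputs; the evaluator ignores `Condition` blocks, `NotAction`/`NotResource`/`NotPrincipal`, and cross-account rules.

```python
import fnmatch
import json

USER = "arn:aws:iam::999999999999:user/username"

# Constructed input: the domain access policy quoted in the question
# (with the missing closing quote on the principal ARN fixed).
DOMAIN_ACCESS_POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999999999999:user/username"},
     "Action": "es:*",
     "Resource": "arn:aws:es:us-east-2:999999999999:domain/xxxxxxx/*"},
    {"Effect": "Allow",
     "Principal": {"AWS": "*"},
     "Action": "es:*",
     "Resource": "arn:aws:es:us-east-2:999999999999:domain/xxxxxxx/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "92.116.64.341"}}}
  ]
}
''')

# Hypothetical identity policy standing in for "full access to the Elasticsearch service".
USER_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "es:*", "Resource": "*"}],
}

# Hypothetical SCP: the kind of Deny that yields exactly the error in the question.
HYPOTHETICAL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyReservedInstanceOps",
                   "Effect": "Deny",
                   "Action": ["es:DescribeReservedElasticsearchInstances",
                              "es:PurchaseReservedElasticsearchInstanceOffering"],
                   "Resource": "*"}],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, case_insensitive=False):
    """IAM-style wildcard match (* and ?); action names compare case-insensitively."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def statement_matches(stmt, principal_arn, action, resource):
    """True if the statement applies to this request. Simplification: a statement
    with a Condition is treated as not matching, since no request context is modelled."""
    if "Condition" in stmt:
        return False
    if "Principal" in stmt:  # only resource-based policies carry a Principal
        principal = stmt["Principal"]
        allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" not in allowed and principal_arn not in allowed:
            return False
    if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action"))):
        return False
    resources = _as_list(stmt.get("Resource")) or ["*"]
    return any(_glob(r, resource) for r in resources)


def find_statements(policies, principal_arn, action, resource, effect):
    """(policy name, Sid or statement index) of every matching statement with this Effect.
    With effect="Deny" this is the search the comment recommends."""
    hits = []
    for name, doc in policies:
        for i, stmt in enumerate(_as_list(doc.get("Statement"))):
            if stmt.get("Effect") == effect and statement_matches(stmt, principal_arn, action, resource):
                hits.append((name, stmt.get("Sid", i)))
    return hits


def evaluate(policies, principal_arn, action, resource):
    """Same-account decision order: any explicit Deny wins, then any Allow, else implicit deny."""
    if find_statements(policies, principal_arn, action, resource, "Deny"):
        return "explicit deny"
    if find_statements(policies, principal_arn, action, resource, "Allow"):
        return "allow"
    return "implicit deny"


if __name__ == "__main__":
    action = "es:DescribeReservedElasticsearchInstances"
    resource = "arn:aws:es:us-east-2:999999999999:domain/*"  # resource named in the error
    stack = [("domain-policy", DOMAIN_ACCESS_POLICY)]
    for label, extra in [("domain policy only", None),
                         ("+ user identity policy", ("user-policy", USER_IDENTITY_POLICY)),
                         ("+ hypothetical SCP", ("hypothetical-scp", HYPOTHETICAL_SCP))]:
        if extra:
            stack.append(extra)
        denies = find_statements(stack, USER, action, resource, "Deny")
        print(f"{label:24s} -> {evaluate(stack, USER, action, resource)}  denies={denies}")
```

The error text pins the decision to the "explicit deny" branch, so the fix is not another Allow in the domain access policy but locating the Deny statement that matches `es:DescribeReservedElasticsearchInstances`; `find_statements(..., effect="Deny")` run over every policy in scope for the user (attached and inline identity policies, the permissions boundary, and the organization's SCPs) is the programmatic version of that search.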
