I am trying to avoid having to implement fine-grained ElasticSearch policy until we absolutely need it since it is irreversible. So, I am implementing a Domain JSON defined access policy with the conditions noting the IpAddress allowed or denied. This is for requests through a browser to the Kibana dashboard, so this needs to work through unsigned requests.

Looking at Identity and Access Management in Amazon OpenSearch Service, I understand that I should be able to limit by domain, index, and documents by desired actions (i.e., GET, POST, PUT, etc.) for whichever IpAddress. However, unless I have it wide open by domain, I keep getting the error message:

"User: anonymous is not authorized to perform: es:ESHttpGet because no resource-based policy allows the es:ESHttpGet action"

My Access Policy doesn't look like it has any syntax error in it to me. I am wondering if there is a setting I need to set to allow this that I am missing. I haven't found any reference to any such thing so far, unless I overlooked it.

My Access Policy looks something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:region:id:domain/domainname/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "123.123.123.123",
            "456.456.456.456"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:ESHttpGet",
      "Resource": "arn:region:id:domain/domainname/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "789.789.789.789"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:ESHttpGet",
      "Resource": "arn:region:id:domain/domainname/indexname1/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "120.450.780.230"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:ESHttpGet",
      "Resource": "arn:region:id:domain/domainname/indexname2/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "120.450.780.230"
          ]
        }
      }
    }
  ]
}

It is anything but the first Effect clause, which is wide open, that gives me the error message. I don't know what I am missing. It looks virtually identical to the documentation.

I am also trying to prevent the deletion of the indexes and data through this access policy and haven't found that syntax.

Thanks for your help in advance.

Jennifer Crosby
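The following is an added example, not code from the question or from AWS. It is a small Python evaluator that applies the standard IAM statement-combination rules (an applicable explicit Deny wins, otherwise any applicable Allow permits, otherwise the request is implicitly denied) to a constructed policy with the same shape as the one in the question, so you can see offline which (source IP, HTTP method, resource) combinations a policy of this form admits before you deploy it. It also includes a Deny on the es:ESHttpDelete action as one way to approach the "prevent deletion" part of the question. The region, account id, index names and RFC 5737 documentation IP addresses are placeholders, the matching covers only the pieces this policy uses (Principal "*", Action, Resource, and the IpAddress/NotIpAddress condition on aws:SourceIp), and it does not reproduce any service-side behaviour beyond those rules.

```python
"""Toy evaluator for an OpenSearch Service domain access (resource-based) policy.

Models IAM's combination rule: explicit Deny > Allow > implicit deny.
Supports Action/Resource wildcards and the IpAddress / NotIpAddress
condition operators on aws:SourceIp; Principal is "*" in every statement,
so principal matching is not modelled.
"""
import ipaddress
import re

# Constructed placeholders: region, account id and domain name are not real.
DOMAIN_ARN = "arn:aws:es:us-east-1:123456789012:domain/domainname"

# Constructed policy with the same shape as the question's policy.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Full access to the whole domain from two addresses.
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
         "Resource": f"{DOMAIN_ARN}/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.10", "203.0.113.11"]}}},
        # HTTP GET only, on the whole domain, from one address.
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:ESHttpGet",
         "Resource": f"{DOMAIN_ARN}/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["198.51.100.7"]}}},
        # HTTP GET on indexname1 only, from a third address ...
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:ESHttpGet",
         "Resource": f"{DOMAIN_ARN}/indexname1/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.5"]}}},
        # ... and an explicit Deny on indexname2 for that same address.
        {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "es:ESHttpGet",
         "Resource": f"{DOMAIN_ARN}/indexname2/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.5"]}}},
        # Block HTTP DELETE on the domain for every caller, whatever the source IP.
        # Note: deletes issued through _delete_by_query travel as POST, so a
        # DELETE-only rule does not cover them.
        {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "es:ESHttpDelete",
         "Resource": f"{DOMAIN_ARN}/*"},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _ip_in(cidrs, source_ip):
    """True if source_ip falls inside any listed address or CIDR block (values are OR-ed)."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _statement_applies(stmt, action, resource, source_ip):
    """A statement applies when action, resource and every condition match."""
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    if not any(_glob_match(a, action, case_sensitive=False) for a in _as_list(stmt["Action"])):
        return False
    if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    cond = stmt.get("Condition", {})
    if "IpAddress" in cond and not _ip_in(cond["IpAddress"]["aws:SourceIp"], source_ip):
        return False
    if "NotIpAddress" in cond and _ip_in(cond["NotIpAddress"]["aws:SourceIp"], source_ip):
        return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    applicable = [s for s in policy["Statement"]
                  if _statement_applies(s, action, resource, source_ip)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "ExplicitDeny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    # Constructed requests: (action, resource, source IP as seen by the service).
    checks = [
        ("es:ESHttpGet", f"{DOMAIN_ARN}/indexname1/_search", "192.0.2.5"),
        ("es:ESHttpGet", f"{DOMAIN_ARN}/indexname2/_search", "192.0.2.5"),
        ("es:ESHttpPost", f"{DOMAIN_ARN}/_dashboards/api/saved_objects", "198.51.100.7"),
        ("es:ESHttpDelete", f"{DOMAIN_ARN}/indexname1", "203.0.113.10"),
        ("es:ESHttpGet", f"{DOMAIN_ARN}/indexname1/_search", "198.51.100.200"),
    ]
    for action, resource, ip in checks:
        print(f"{ip:16} {action:16} {resource.split('domain/')[1]:40} -> "
              f"{evaluate(POLICY, action, resource, ip)}")
```

Two things the output makes visible that are easy to miss when reading the JSON: a statement that allows only es:ESHttpGet leaves every other HTTP method from that address implicitly denied, and an explicit Deny (here on es:ESHttpDelete) overrides even the wide-open es:* allow. When testing an IP-conditioned policy, the address that matters is the public address the service sees after any NAT or proxy, not the client's local address.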
