
I couldn't find any confirmation or explanation of where AWS (specifically in the OpenSearch/Elasticsearch service) evaluates IAM access policies. Is policy evaluation, in the case of non-serverless services, done with the allocated system resources? For example, if I create a small OpenSearch cluster exposed on the internet (no VPC) and I protect it by writing an access policy that allows access only from a list of IPs, are all calls made from other IPs still handled by my cluster, impacting its performance (increased CPU/RAM usage)? Would a possible layer 7 DDoS attack that floods my OpenSearch cluster with HTTP GET requests be blocked by the access policy that denies all requests made from IPs not in the list?

Trying to call an endpoint where you are not authorized, you get this in response:

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet with an explicit deny in a resource-based policy"}

Is this output generated directly by my cluster or by some external policy evaluation system?

Lu1g1D

1 Answer


I'm not sure if it's the best way to do but here's how I solved it for testing purposes.

I just edited the security configuration as follows (changing the Effect from Deny to Allow):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "{domain-here}/*"
    }
  ]
}
cemilakkoc