1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxx:role/some-role"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-1:xxxxxxxx:domain/theprodname/*"
    }
  ]
}

I want to set my Elasticsearch service to private. What I mean by "private" is:

  1. No access from the outside world (no HTTP requests)
  2. My own AWS EC2 server can access it.

I added my AWS IAM role ARN to the Principal, and it turns out that I still cannot use the ES service on my website.

Any idea? Thanks in advance.

I tried the answer from Proper access policy for Amazon Elastic Search Cluster, but it does not work for my case.

William Shu
  • 103
  • 14

2 Answers

1

There could be a couple of problems with your EC2 not being able to access your ES domain.

Even if the EC2 instance assumes the role defined in the ES policy, it will still get access denied if it does not make a signed request.

You can avoid making signed requests by using the AWS ES REST API. Assuming the EC2 instance is in a VPC, you can assign a static IP to the NAT Gateway and whitelist that IP address in your ES domain policy.

My suggestion would be to enable request signing using the native ES client, because it is much easier than the REST API.

A.Khan
  • 2,920
  • 12
  • 17
0

You can set up your Elasticsearch domain to work inside an Amazon VPC. This is the best way. Take a look at this: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html

The only problem with ES in a VPC is that only another machine in the same VPC can contact your ES service. Typically this case is solved with an EC2 instance that works as a jump host.

Why is this the preferred solution? If you leave the domain accessible by the world and set up a restriction policy to enable access for some IAM role or IP, this works as expected and no one can access your data, but all the world can contact your domain because it is a public domain, so you expose the ES service to possible DDoS attacks. With a VPC solution only VPC participants can contact your service endpoint.

Another practice, if you must use your ES from an application, is to design an API to access your ES data with AWS Elastic Beanstalk, with the load balancer set to public and the instances that run the application in the VPC. In this case it is the ELB's load balancer that is exposed to the world, and you decide with your API logic who can call it or not.

gccodec
  • 345
  • 1
  • 7
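The distinction this answer draws, as an added example that is not code from the question or the answers: a public endpoint with a tight access policy still protects the data but leaves the endpoint reachable by everyone, whereas a VPC domain is reachable only from inside the VPC. The script classifies sample access policies (constructed, with a placeholder account id, including the question's role-only shape and the NAT-gateway IP allowlist pattern from the first answer) and combines that with the endpoint type into one reachability label. The domain-status dicts are an assumption about shape: they mirror the Endpoint, Endpoints, VPCOptions and AccessPolicies fields of a describe-domain response, but nothing here calls AWS.

```python
"""Classify how reachable an Elasticsearch Service domain is.

Added example, not code from the question or the answers. Policies are
constructed samples with a placeholder account id; the domain-status dicts
mirror (as an assumption) the Endpoint/Endpoints/VPCOptions/AccessPolicies
fields of a describe-domain response. Nothing here talks to AWS.
"""
import json


def _policy(principal, condition=None):
    """Build a sample domain access policy (constructed; placeholder account id)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-west-1:111111111111:domain/theprodname/*",
    }
    if condition:
        statement["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


POLICY_ROLE_ONLY = _policy("arn:aws:iam::111111111111:role/some-role")   # the question's shape
POLICY_ANONYMOUS = _policy("*")                                          # anyone, no conditions
POLICY_IP_ALLOWLIST = _policy("*", {"IpAddress": {"aws:SourceIp": ["203.0.113.10/32"]}})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element ("*", {"AWS": ...}, or a list) into a list."""
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        out = []
        for v in principal.values():
            out.extend(_as_list(v))
        return out
    return _as_list(principal)


def _has_source_ip_condition(statement):
    """True when an IpAddress condition on aws:SourceIp restricts the statement."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() == "ipaddress" and any(k.lower() == "aws:sourceip" for k in keys):
            return True
    return False


def open_statements(policy):
    """Allow statements with an anonymous principal and no source-IP restriction."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "*" in _principals(st) and not _has_source_ip_condition(st):
            findings.append(st)
    return findings


def classify_policy(policy_json):
    """'OPEN' if anonymous callers are allowed without an IP condition, else 'RESTRICTED'."""
    return "OPEN" if open_statements(json.loads(policy_json)) else "RESTRICTED"


def exposure(domain_status):
    """Combine endpoint type and policy into one reachability label.

    vpc-only: endpoint resolves only inside the VPC (the answer's preferred design).
    public-anonymous: internet-reachable and the policy admits anonymous callers.
    public-authenticated: internet-reachable; data is protected by IAM but the
    endpoint itself is still exposed, which is the DDoS concern the answer raises.
    """
    if domain_status.get("VPCOptions", {}).get("VPCId"):
        return "vpc-only"
    if classify_policy(domain_status["AccessPolicies"]) == "OPEN":
        return "public-anonymous"
    return "public-authenticated"


if __name__ == "__main__":
    for name, policy in [("role only", POLICY_ROLE_ONLY), ("anonymous", POLICY_ANONYMOUS),
                         ("ip allowlist", POLICY_IP_ALLOWLIST)]:
        print(f"{name}: {classify_policy(policy)}")
```

Note that the question's role-only policy comes out "public-authenticated": the data is gated by IAM, but the endpoint is still on the internet, which is exactly why this answer prefers the VPC option over tightening the policy alone.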