I'm getting a Not authorized error because of a host header that's invalid or missing in Amazon OpenSearch Service. How do I resolve this?
Short description
The InvalidHostHeaderRequests metric in Amazon CloudWatch is recorded when a request's host header value is different from the domain's fully qualified domain name (FQDN).
Amazon OpenSearch Service rejects requests that are missing a valid host header when the following conditions apply:
- The requested domain is publicly accessible.
- The requested domain uses an open AWS Identity and Access Management (IAM) access policy, rather than a resource-based policy (such as an IP-based policy).
To prevent the InvalidHostHeaderRequests metric from being recorded, apply one of the approaches described in the Resolution section. Otherwise, you receive the following error:
$ curl -H 'Host: domain.com' domain-endpoint-name
User is not authorized to perform this action
Resolution
Example
Here's an example of an open access policy:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "es:*",
        "Resource": "arn:aws:es:Region:account-id:domain/os-domain-name/*"
    }]
}
The following command uses domain.com as the host header value, which isn't a valid header for the os-domain-name domain. When this request is submitted to a publicly accessible domain with an open access policy, the InvalidHostHeaderRequests metric is recorded and the request is rejected.
$ curl -H 'Host: domain.com' os-domain-name
User is not authorized to perform this action
To resolve the "User is not authorized to perform this action" error, consider the following approaches:
- Set the appropriate value for the host header.
- Launch your OpenSearch Service domain using a VPC.
- Use an IP-based access policy instead of an open access policy.
- Use fine-grained access control (FGAC).
Tip 1: Set the appropriate value for the host header
The following example command specifies the domain name as the host header value:
$ curl -H 'Host: os-endpoint' os-endpoint
Here's an example that uses an AWS endpoint URL:
$ curl -H 'Host: xxxxxx..os.amazonaws.com' https://xxxxxx..os.amazonaws.com
Tip 2: Launch your OpenSearch Service domain using a VPC
Launching your OpenSearch Service domain in a VPC provides an added layer of security and lets you manage access to the domain through security groups, so it's a best practice to avoid launching your domain with a public endpoint. Even when a request reaches the OpenSearch Service domain, you might still receive a Not authorized error if you access the public endpoint in a web browser. For more information, see About access policies on VPC domains.
When you create a domain with VPC access, the endpoint looks like this (similar to a public endpoint):
https://vpc-domain-name-identifier.region.os.amazonaws.com
Tip 3: Use a resource-based policy
Instead of an open access policy, use a resource-based access policy that specifies IAM roles or restricts requests to an IP address or CIDR range.
For example, the following IP-based policy allows requests from the 11.11.11.11/32 CIDR range. Requests from source addresses in this range are allowed, and the InvalidHostHeaderRequests metric isn't recorded, regardless of the host header value.
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "es:*",
        "Resource": "arn:aws:es:region:account-id:domain/os-domain-name/*",
        "Condition": {
            "IpAddress": {
                "aws:SourceIp": [
                    "11.11.11.11/32"
                ]
            }
        }
    }]
}
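As an added example (not part of the AWS article), the following Python script classifies the two policies shown above, the open policy from the Example section and the IP-based policy from Tip 3: it flags an open policy (wildcard principal with no Condition) and checks whether a given source address satisfies an aws:SourceIp condition. The policy documents are constructed copies of the ones on this page; Deny statements and condition keys other than IpAddress/aws:SourceIp are out of scope.

```python
import ipaddress
import json

# Constructed copies of the two policies shown on this page.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
                 "Resource": "arn:aws:es:region:account-id:domain/os-domain-name/*"}]
}""")

IP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
                 "Resource": "arn:aws:es:region:account-id:domain/os-domain-name/*",
                 "Condition": {"IpAddress": {"aws:SourceIp": ["11.11.11.11/32"]}}}]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM accepts string or list

def _wildcard_principal(stmt):
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def is_open_policy(policy):
    """True when an Allow statement grants a wildcard principal with no Condition."""
    return any(
        s.get("Effect") == "Allow" and _wildcard_principal(s) and not s.get("Condition")
        for s in policy.get("Statement", [])
    )

def source_ip_allowed(policy, source_ip):
    """True when a wildcard-principal Allow statement matches source_ip, either
    unconditionally or through an aws:SourceIp IpAddress condition.
    Deny statements and other condition keys are not modeled."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt):
            continue
        cond = stmt.get("Condition", {})
        if not cond:
            return True  # open statement: any source address is allowed
        cidrs = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
        if any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in cidrs):
            return True
    return False
```

Running is_open_policy over the access policies of your domains is a quick way to find the configuration under which invalid host header requests are rejected and the metric is recorded.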
Tip 4: Use fine-grained access control (FGAC)
Along with resource-based access policies, you can use FGAC to manage data access to your OpenSearch Service domain. Fine-grained access control offers the following benefits:
- Role-based access control
- Security at the index, document, and field level
- OpenSearch Dashboards multi-tenancy
- HTTP basic authentication for OpenSearch Service and OpenSearch Dashboards
Because FGAC is based on roles, user credentials are evaluated when authenticating a request. If fine-grained access control authenticates the user, then the InvalidHostHeaderRequests metric isn't recorded. For more information about FGAC, see The bigger picture: fine-grained access control and OpenSearch Service security.
Related information
Creating and managing Amazon OpenSearch Service domains
How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?
Identity and Access Management in Amazon OpenSearch Service