I receive a "Not authorized" error for my host header in Amazon OpenSearch Service. Or, Amazon CloudWatch records the InvalidHostHeaderRequests metric for my requests.
Short description
When a host header is missing or isn't valid, you encounter the following error: "'Host: domain.com' domain-endpoint-name User is not authorized to perform this action".
When a request's host header value is different from the fully qualified domain name (FQDN), CloudWatch records the InvalidHostHeaderRequests metric.
OpenSearch Service rejects requests that are missing a valid host header under the following conditions:
- The requested domain is publicly accessible.
- The requested domain uses an open AWS Identity and Access Management (IAM) access policy instead of a resource-based policy.
To avoid host headers that aren't valid, take one or more of the following actions:
Resolution
Update the host header to a valid host header
To specify the domain name as the host header value, run the following command:
$ curl -H 'Host: os-endpoint' os-endpoint
Note: Replace os-endpoint with your domain endpoint, which is the fully qualified domain name (FQDN) of the domain.
The following example now has a valid host header within an AWS endpoint URL:
curl -H 'Host: abcdef..os.amazonaws.com' https://abcdef..os.amazonaws.com
Use a VPC to launch your OpenSearch Service domain
VPCs provide an added layer of security. A VPC also allows you to manage access to the domain through security groups.
Note: It's a best practice not to use a public endpoint to launch your domain. If you use a VPC domain and access its endpoint in a web browser, then you might receive a Not authorized error. For more information, see About access policies on VPC domains.
When you create a domain with VPC access, the endpoint looks similar to .
Use a resource-based policy
Replace an open access policy with a resource-based policy that specifies IAM roles or restricts requests to an IP address or CIDR range.
Example resource-based policy that restricts requests to an IP address:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "es:*",
    "Resource": "arn:aws:es:region:account-id:domain/os-domain-name/*",
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": [
          "10.24.34.0/32"
        ]
      }
    }
  }]
}
Note: Replace 10.24.34.0/32 with your CIDR range.
Your domain now allows all requests within this CIDR range. For these requests, CloudWatch doesn't record the InvalidHostHeaderRequests metric regardless of the host header value.
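The following Python script is an added example, not part of this article or of OpenSearch Service itself. It applies the two checks the article describes (does the Host header equal the domain FQDN, and does the domain's access policy contain an open statement with no Condition) to decide whether a request is expected to be rejected and counted in InvalidHostHeaderRequests. The endpoint, ARN, region and account ID are constructed placeholders, and the rejection rule is taken from the conditions listed in the short description above.

```python
import json

# Constructed sample policies; the ARN, region and account ID are placeholders.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
                   "Resource": "arn:aws:es:us-east-1:123456789012:domain/example/*"}]})
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
                   "Resource": "arn:aws:es:us-east-1:123456789012:domain/example/*",
                   "Condition": {"IpAddress": {"aws:SourceIp": ["10.24.34.0/32"]}}}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _anonymous_principal(stmt):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} grant anonymous access.
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def open_statements(policy_text):
    """Return Allow statements that grant anonymous access with no Condition at all.

    These are the open access policy statements the article refers to; a
    statement with an aws:SourceIp Condition is not reported."""
    statements = _as_list(json.loads(policy_text)["Statement"])
    return [s for s in statements
            if s.get("Effect") == "Allow" and _anonymous_principal(s)
            and not s.get("Condition")]


def host_header_valid(host_header, domain_endpoint):
    """True when the Host header equals the domain FQDN (DNS names are case-insensitive)."""
    return host_header.strip().lower() == domain_endpoint.strip().lower()


def triage(host_header, domain_endpoint, policy_text):
    """Explain whether a request to a public domain is expected to be rejected."""
    if host_header_valid(host_header, domain_endpoint):
        return "ok: Host header matches the domain endpoint"
    if not open_statements(policy_text):
        return "ok: Host header mismatch, but the access policy is not open"
    return "reject: open access policy and Host header mismatch (InvalidHostHeaderRequests)"


if __name__ == "__main__":
    endpoint = "search-example-abcdef.us-east-1.es.amazonaws.com"  # placeholder endpoint
    for host, policy in [("domain.com", OPEN_POLICY), ("domain.com", RESTRICTED_POLICY),
                         (endpoint, OPEN_POLICY)]:
        print(f"Host: {host:50} -> {triage(host, endpoint, policy)}")
```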
Use fine-grained access control
Activate fine-grained access control to manage data access to your OpenSearch Service domain.
Fine-grained access control evaluates user credentials when it authenticates a request. If fine-grained access control authenticates the user, then CloudWatch doesn't record the InvalidHostHeaderRequests metric. For more information, see The bigger picture: fine-grained access control and OpenSearch Service security.
Related information
Creating and managing Amazon OpenSearch Service domains
How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?
Identity and access management in Amazon OpenSearch Service