The following command sends domain.com as the Host header value, which isn't a valid Host header for the os-domain-name domain. When this request is submitted to a publicly accessible domain with an open access policy, the InvalidHostHeaderRequests metric is recorded and the request is rejected:
$ curl -H 'Host: domain.com' os-domain-name
User is not authorized to perform this action
To resolve the "User is not authorized to perform this action" error, consider the following approaches:
Set the appropriate value for the host header.
Launch your OpenSearch Service domain using a VPC.
Use an IP-based access policy instead of an open access policy.
Tip 2: Launch your OpenSearch Service domain using a VPC
Using a VPC to launch your OpenSearch Service domain provides an added layer of security. A VPC also allows you to manage access to the domain through security groups. Therefore, it's a best practice to avoid using a public endpoint to launch your domain. Although your request reaches the OpenSearch Service domain, you might receive a Not authorized error when you access the public endpoint in a web browser. For more information, see About access policies on VPC domains.
When you create a domain with VPC access, the endpoint looks like this (similar to a public endpoint):
Instead of an open access policy, use a resource-based access policy that specifies IAM roles or restricts requests to an IP address or CIDR range.
For example, the following IP-based policy allows requests from the 184.108.40.206/32 CIDR range. Requests from source IP addresses in that range are allowed, and the InvalidHostHeaderRequests metric isn't recorded, regardless of the Host header value.
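As an added example (not part of the original article and not OpenSearch Service's own code), the following Python script shows the shape of an IP-based resource policy with an aws:SourceIp condition beside an open access policy, and models the behaviour the article describes for both: under an open policy the Host header must match the domain endpoint or the request is rejected and InvalidHostHeaderRequests is recorded, while under an IP-based policy only the caller's source IP decides and the Host header is not checked. The domain ARN is a placeholder, the CIDR is the one the article uses, the endpoint name os-domain-name is taken from the article's curl command, and the evaluation logic is a simplified model of the documented behaviour, not the service's implementation.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed, illustrative IP-based access policy (assumption: same shape the
# article refers to). The ARN is a placeholder; the CIDR is the article's.
IP_BASED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": "arn:aws:es:REGION:ACCOUNT-ID:domain/DOMAIN-NAME/*",
            "Condition": {"IpAddress": {"aws:SourceIp": ["184.108.40.206/32"]}},
        }
    ],
}

# Constructed open access policy: any principal, any source, no conditions.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": "arn:aws:es:REGION:ACCOUNT-ID:domain/DOMAIN-NAME/*",
        }
    ],
}


@dataclass
class Outcome:
    allowed: bool
    invalid_host_header_recorded: bool
    message: str


def _is_open(policy: dict) -> bool:
    """An open access policy: an Allow for principal "*" with no Condition."""
    return any(
        s.get("Effect") == "Allow"
        and s.get("Principal") in ("*", {"AWS": "*"})
        and "Condition" not in s
        for s in policy["Statement"]
    )


def _source_ip_allowed(policy: dict, source_ip: str) -> bool:
    """True if some Allow statement's aws:SourceIp condition covers source_ip."""
    addr = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        if any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return True
    return False


def evaluate_request(policy: dict, endpoint: str, host_header: str, source_ip: str) -> Outcome:
    """Simplified model of the behaviour the article describes (an assumption,
    not the service's real evaluation logic)."""
    if _is_open(policy):
        # Open policy: the Host header must name the domain endpoint itself;
        # anything else increments InvalidHostHeaderRequests and is rejected.
        if host_header.lower() != endpoint.lower():
            return Outcome(False, True, "User is not authorized to perform this action")
        return Outcome(True, False, "OK")
    # IP-based policy: decided by the caller's source IP; the Host header is not
    # checked, so InvalidHostHeaderRequests is never recorded.
    if _source_ip_allowed(policy, source_ip):
        return Outcome(True, False, "OK")
    return Outcome(False, False, "User is not authorized to perform this action")


if __name__ == "__main__":
    print(json.dumps(IP_BASED_POLICY, indent=2))
    # The article's curl request replayed against both policy types.
    print(evaluate_request(OPEN_POLICY, "os-domain-name", "domain.com", "198.51.100.7"))
    print(evaluate_request(IP_BASED_POLICY, "os-domain-name", "domain.com", "184.108.40.206"))
```

Under the open policy, the article's request with `Host: domain.com` is rejected and the metric is recorded; sending the endpoint's own name as the Host header (the article's Tip 1) clears it. Under the IP-based policy the same mismatched Host header is irrelevant: a caller inside 184.108.40.206/32 is allowed and one outside it is denied without touching InvalidHostHeaderRequests.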