I don’t want all my users in Amazon Cognito to have full access to the user pools when they use the OpenSearch dashboards.
Short Description
Restricting OpenSearch data to read permissions at user level makes sure that the data remains secure, with access granted only to authorized users. Read permissions allow users to only view or read the data that OpenSearch indexed. Restricted access prevents the users from modifying, deleting, or adding any data to the OpenSearch dashboard.
Resolution
When FGAC isn't activated on your domain
When you don't have fine-grained access control (FGAC) on your OpenSearch domain, use the domain access policy of the OpenSearch cluster to restrict access. This gives read-only access to your Amazon Cognito users. Set the EsshttpGet permissions to the role associated with the Amazon Cognito sign-in.
Example GET Domain Access Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account-id>:role/Cognito_<identity-pool-name>Auth_Role"
},
"Action": "es:ESHttpGet",
"Resource": "arn:aws:es:<region>:<account-id>:domain/<opensearch-domain-name>/"
}
]
}
Note: Replace <identity-pool-name> with your Amazon Cognito identity pool name and <opensearch-domain-name> with your OpenSearch domain name.
For more information, see Configuring a domain to use Amazon Cognito authentication.
After you apply the policy, test it. Send a signed request to your domain. You can now perform only GET operations on the domain.
When FGAC is activated on your OpenSearch cluster
Follow these steps:
-
Log in to the Amazon Cognito console.
-
Choose your user pool to open its configuration. Then, choose Create user.
-
Create a user named limited-user.
Note: You can use any name that you want. This name is used just to identify the read-only users.
-
Create an AWS Identity and Access management (IAM) role for the limited-user (for example, LimitedUserRole). As a primary user, use this role to assign limited access to certain users. For more information on setting up an IAM role, see Creating a role to delegate permissions to an AWS service.
-
Assign this trusted policy to the LimitedUserRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com :aud": "<identity-pool-id>"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com :amr": "authenticated"
}
}
}
]
}
Note: Replace <identity-pool-id> with your Amazon Cognito identity pool ID.
-
Create a custom inline policy that gives only read permissions to the OpenSearch domain. Refer to this example policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowOpenSearchReadAccess",
"Effect": "Allow",
"Action": [
"es:ESHttpGet"
],
"Resource": "arn:aws:es:<region>:<account-id>:domain/"
}
]
}
-
Create a group called limited-user-group in Amazon Cognito. Then, attach the LimitedUserRole IAM role to the newly created group. For more information, see Adding groups to a user pool.
-
Choose limited-user-group. Then, add the user limited-user you created earlier to this group. Continue to add as many users as you need to this group. Members of this group have read-only permissions to the OpenSearch dashboard.
Map the limited-user to a role in the OpenSearch dashboard
- Log in to the OpenSearch dashboard as the primary user. Choose Security, and then choose Roles. You can either create a new role in the OpenSearch dashboard or map the limited-user role with an existing role in the OpenSearch dashboard.
Note: You can also try to use the readall_and_monitor or the readall inbuilt role. The permission set that you use depends on your use case.
- Select the role from the OpenSearch dashboard. Then, map the limited-user role to it.
- Log in as a limited user. Note that you can't perform any write operations on the OpenSearch dashboard.