OpenSearch - lost connection from bastion after enabling Fine-grained access control


I have 2 OpenSearch domains in my account, both in the same VPC inside a private subnet. The way I connect to both of them is via a bastion + port forwarding, so the bastion is publicly open and it is also inside the OpenSearch cluster network. This worked fine until I enabled Fine-grained access control in one of my domains. From that moment, my services and I can no longer access this domain. Logging into the bastion machine, nslookup on the domain will retrieve the IP of the endpoint, but when I try a network connection via 443 I'm getting blocked. Nothing changed in the configuration of the security group / inbound or outbound rules. The second domain, on which I haven't enabled fine-grained access control, I can still access with no problem. Any assistance would be great.

  • please accept the answer if it was useful

Shahar
asked 14 days ago · 92 views

1 Answer

Fine-grained access control offers additional ways of controlling access to your data on Amazon OpenSearch Service. For example, depending on who makes the request, you might want a search to return results from only one index. You might want to hide certain fields in your documents or exclude certain documents altogether.

Fine-grained access control offers the following benefits:

  • Role-based access control
  • Security at the index, document, and field level
  • OpenSearch Dashboards multi-tenancy
  • HTTP basic authentication for OpenSearch and OpenSearch Dashboards

https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html

After you enable FGAC, you also need authentication in addition to network connectivity (the security group is open, as you said).

Here is an example of an OpenSearch access policy that allows access from the IP range 192.0.2.0/24 for all AWS principals:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "es:ESHttp*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.0.2.0/24"
          ]
        }
      },
      "Resource": "arn:aws:es:us-west-1:987654321098:domain/test-domain/*"
    }
  ]
}

https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html

EXPERT
answered 14 days ago
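The answer's point is that an FGAC-enabled domain fails for two separate reasons, network reachability and authentication, and a quick check should tell them apart. The following script is an added example, not code from the question, the answer or AWS; it assumes the domain endpoint is reached through the bastion port-forward (the endpoint name and port below are constructed placeholders) and that FGAC was set up with an internal-database master user, so HTTP basic auth applies (with IAM master users you would SigV4-sign the request instead).

```python
"""Separate the network check from the authentication check when a
domain with fine-grained access control (FGAC) stops answering."""
import base64
import socket
import ssl
import urllib.error
import urllib.request

# Constructed placeholders: the domain endpoint as reached through the
# bastion port-forward. Assumes an /etc/hosts entry maps ENDPOINT to
# 127.0.0.1 so the TLS hostname check still passes through the tunnel.
ENDPOINT = "vpc-test-domain-abc123.us-west-1.es.amazonaws.com"
PORT = 8443

def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """Layer-4 check: a completed TCP handshake means security groups,
    routing and the tunnel are fine; failing here is not an FGAC issue."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def basic_auth_header(user: str, password: str) -> dict:
    """HTTP basic auth header for an FGAC internal-database master user."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def classify(status: int) -> str:
    """Map the HTTP status of /_cluster/health onto a diagnosis."""
    if status == 200:
        return "ok: network and authentication both work"
    if status == 401:
        return "authentication required: FGAC rejects unauthenticated requests"
    if status == 403:
        return "authenticated but not authorized: check FGAC role mapping"
    return f"unexpected HTTP {status}"

def check_domain(host: str, port: int, user: str = "", password: str = "",
                 timeout: float = 5.0) -> str:
    """Network first, then an authenticated request to the domain."""
    if not tcp_reachable(host, port, timeout):
        return f"network: no TCP connection to {host}:{port}"
    headers = basic_auth_header(user, password) if user else {}
    req = urllib.request.Request(f"https://{host}:{port}/_cluster/health",
                                 headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=ssl.create_default_context()) as r:
            status = r.status
    except urllib.error.HTTPError as exc:
        status = exc.code  # 401/403 are answers from the domain, not outages
    return classify(status)

if __name__ == "__main__":
    print(check_domain(ENDPOINT, PORT))                                   # no auth
    print(check_domain(ENDPOINT, PORT, "admin", "<master-user-password>"))
```

A 401 on the second domain while the first still answers without credentials is exactly the symptom of FGAC being enabled on only one of them.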
