AWS Elasticsearch Service - How to authenticate ES endpoint with AWS Cognito? - amazon-web-services

I'm creating a search service on AWS Elasticsearch and it's only for internal users, so I have to authenticate the users through a Cognito User Pool.
I found the an article on AWS to Configuring Amazon Cognito authentication for Kibana in here: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html. But it's only for Kibana, I still can't access the Search Endpoint to do searching.
Please help to advise on how to use the AWS Elastic Search API with the auth token from Cognito.
Thanks

Related

Can AWS Glue connect to Elasticsearch using IAM authentication?

Followed this tutorial: https://docs.aws.amazon.com/glue/latest/ug/tutorial-elastisearch-connector.html
I know using this connector can connect to Aws Elasticsearch, but this still needs AWS Secrets Manager to store the username and password.
Is it possible to use IAM authentication to connect to Elasticsearch, rather than username & password?
is it possible to use IAM authentication
No, unfortunately.
The Elasticsearch Connector for AWS Glue does not currently support IAM authentication & only supports username and password as an authentication mechanism.

AWS OpenSearch OpenIdConnect as Authentication Method

I am trying to add an authentication method to AWS OpenSearch.
By default it comes with basic auth with internal db,
I would like to configure Security Plugin with a second authentication mechanism OpenId Connect
Documentation says to use Update Security Configuration , which doesn't seem to be allowed by AWS.
tried PUT _plugins/_security/api/securityconfig and PUT _plugins/_security/api/securityconfig/authc both seems to be failing with {"Message":"Your request: '/_plugins/_security/api/securityconfig/authc' is not allowed."}
Is there an alternative, all I want to do is , use JWT Token(from OpenID Connect Cognito) to run OpenSearch _search API, rather than using internal database basic auth or IAM Role from Federated Pool.
AWS Opensearch has blocked apis for updating security configuration which is why you see the error. The documentation you have linked is applicable when using opensearch security plugin for your self hosted opensearch service and not AWS hosted solution.
I am not sure if this will be helpful to you but this blog does talk about using OpenId Connect along with AWS Cognito for opensearch auth: https://aws.amazon.com/blogs/apn/use-amazon-opensearch-service-with-kibana-for-identity-federation-auth0/

Can we authenticate application user with on-premise directory services with AWS Lambda?

Am looking for authentication methods with our on-premise directory other than AWS Cognito user pool. I saw Lambda can be integrated with Azure AD. Our directory is SAML integrated. Can i achieve this with AWS Lambda function.? And how can i get access tokens to authorize API Gateway after authentication. If Possible, Please let me know how to achieve. Thanks in Advance.

AWS Cognito with non-AWS Resources

My question is about AWS Cognito Security Services- can AWS Cognito be used for any resources outside AWS Cloud e.g an API developed published on Apigeea API Gateway?
I searched through AWS Documents and on Google
I want to create SSO with AWS Cognito like SAML-based SSO federation where Resources/ Services can be anywhere.
Yes, You can. Kindly see the App Clinet option in Cognito.
However, Apigee also needs to have the capability to integrate.

How to Configure AWS API GATEWAY with cognito user pool authentication?

Trying to configure AWS API Gateway with AWS Cognito userpool authentication.
Tried some of the settings provided on aws documentation and trying to check this API from Postman client.
Not able check what setting need to be done at postman side and any specific configuration needs to be done at API and Cognito.
Thanks