Background
Wiring
I have an Elasticsearch cluster on AWS Elasticsearch Service. It has a Kibana endpoint enabled. Cognito provides the AWS role based on the user's group.
Cognito groups and AWS roles
The AWS role that is set to the group viewer by AWS Cognito is arn:aws:iam:123:role/kibana-viewer.
The AWS role that is set to the group admin by AWS Cognito is arn:aws:iam:123:role/kibana-admin.
Desired restriction
Only admin group should have access to a specific index pattern when using Kibana to view the data. The limited index Elasticsearch pattern is secret-*.
The viewer group should not be able to access secret-* via Kibana.
Question
How can I prevent only the role arn:aws:iam:123:role/kibana-viewer from accessing secret-* index pattern in the AWS Elasticsearch cluster?
What I have tried
First attempt
Setting the following statement in access policy:
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:123:role/kibana-viewer"
},
"Action": "es:*",
"Resource": "arn:aws:es:my-region:123:domain/my-domain/*"
}
The viewer was able to access index secret-1.
Second attempt
Setting the above Resource to arn:aws:es:my-region:123:domain/my-domain/secret-*, a viewer can't login due to:
User: x:x:x::xx:x is not authorized to perform: es:ESHttpGet
Third attempt
Setting both statements:
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam:123:role/kibana-viewer"
},
"Action": "es:ESHttpGet",
"Resource": "arn:aws:es:my-region:123:domain/my-domain/secret-*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:123:role/kibana-viewer"
},
"Action": "es:ESHttpGet",
"Resource": "arn:aws:es:my-region:123:domain/my-domain/*"
}
A viewer can login to Kibana but can't see any data due to 403 error on API call _plugin/kibana/api/saved_objects/?type=index-pattern&per_page=10000.
I was not able to solve it using AWS Elasticsearch.
However, I was able to get the desired result usin Open Distro for Elasticsearch on EC2. Also wrote a detailed blog post about it.
Related
I created an IAM Identity Center permission set and group. The permission set attached to the group only allows the users inside the group to view CloudWatch logs generated by a specific account (our Crypto account), the statement looks like this:
Note: The statement with the ID "DescribeCryptoTrail" limits the user to only view logs from our Crypto account.
"Statement":
{
"Sid": "DescribeCryptoTrail",
"Action": "logs:GetLogEvents",
"Effect": "Allow",
"Resource": [
"arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
}
This works well since the user gets a permission denied error when he tries to view logs from a different account, but now my concern is how do I limit access to the queries the users can return in CloudWatch Logs Insights? For example, the users in the Crypto-Access group should only be able to return queries that were generated by the Crypto account.
So far, I have tried using statements such as:
{
"Sid": "AdditionalPermissions",
"Action": [
"logs:FilterLogEvents"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
]
},
{
"Sid": "AdditionalPermissionsTwo",
"Action": [
"logs:DescribeQueryDefinitions"
],
"Effect": "Allow",
"Resource": [
"arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:ORG-ID_CRYPTO-ACCOUNT-ID_CloudTrail_eu-west-*"
]
}
This is a similar approach as to what worked for granting access to the CloudWatch logs, but this time it seems I need to grant access to the entire log group judging from the error:
not authorized to perform: logs:FilterLogEvents on resource: arn:aws:logs:eu-west-1:ACCOUNT-ID:log-group:aws-controltower/CloudTrailLogs:log-stream:* because no identity-based policy allows the logs:FilterLogEvents action
This indicates that I need to provide access to the main log group, I can't limit it to a specific path in the log group.
Is there any other way I can force query results based on the IAM policy, or maybe a way I can require a user to include a filter in the query such as filter recipientAccountId = "CRYPTO-ACCOUNT-ID"
Thanks in advance
I am trying to connect my EC2 instance to my ES domain and keep getting the following error:
AuthorizationException(403, 'security_exception', 'no permissions for [indices:data/read/search] and User [name=arn:aws:iam::ACCOUNT_ID:role/my-role, backend_roles=[arn:aws:iam::ACCOUNT_ID:role/my-role], requestedTenant=null]')
Elasticsearch configuration:
public domain
fine-grained access control via IAM
access policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_ID:role/my-role"
},
"Action": "es:*",
"Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/test/*"
}
]
}
EC2 Configuration:
using IAM role my-role
with permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"es:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
All HTTP requests sent from EC2 to ES are being signed. I have already verified signing works: if I use the security credentials of the IAM user that I also set as the IAM ARN master user when setting up my ES domain the requests between EC2 and ES work as expected.
The issue might be with fine-grained access control in ES. Same issue is mentioned here
If you want to connect to same ES cluster with FGAC from EC2 instance then you need to map EC2 IAM role with backend kibana roles. First you need to login to kibana with master user and then follow steps from doc to map EC2 IAM role to kibana 'all_access' role
My AWS Elasticsearch domain have access policy like this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxxxxxxx:user/some-user"
]
},
"Action": "es:*",
"Resource": "arn:aws:es:ap-south-1:xxxxxxxxxxxx:domain/some-cluster/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "0.0.0.0/0"
}
}
}
]
}
Even with this policy I am not able to access kibana.
Does AWS ES have done some change in their access policies?
You can't access ES directly with just the link having this policy. The reason is that you must sign your requests with valid sigv4 signature. Every request to ES, due to your policy, must be signed by some-user that can only access it.
This is to ensure that only that user can access it, as you specified in the policy. For this reason you can't use kibana. From docs:
Kibana does not natively support IAM users and roles
You have to access your ES programmatically, so that you can sign the requests. A popular tool for that is aws-requests-auth for python.
{
"Version": "2012-10-17",
"Id": "Policy1612574490300",
"Statement": [
{
"Sid": "Stmt1612574488073",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:ec2:us-east-1:258977512672:instance/i-041123c1993c370ba"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"
]
}
]
}
response is Invalid Principal. I dont see why it's invalid.
An EC2 instance isn't a valid principal. I think what you actually need to do here is use the ARN of the IAM role assigned to the EC2 instance.
You can specify following Principal in a policy
AWS account and root user
IAM users
Federated users (using web identity or SAML federation)
IAM roles
Assumed-role sessions
AWS services
Anonymous users (not recommended)
S3 Documentation Principal
AWS JSON policy elements: Principal
If you wanna give that instant access to the bucket then you can use Instance profiles
I have been looking to find out how it would be possible to use AWS cognito groups to restrict access to API endpoints based on cognito group policies.
I have created the ID pool with user pool.
Added a cognito group policy then associated it to an IAM policy.
In the policy it gives access to the API gateway endpoint ARN
There is an authorizer which uses the AWS cognito pool
The issue is that if a cognito user has not been added to the group in cognito then they should not have access to the API gateway endpoint. Currently it still allows access when the group has not been assigned to that user.
Here is my policy, which is set in the cognito group.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-west-1:0:xxxx/*/*/*"
},
{
"Effect": "Allow",
"Action": [
"cognito-sync:*"
],
"Resource": "arn:aws:cognito-sync:eu-west-1:x:identitypool/eu-west-2:0"
}
]
}
Thankyou