How to access Kibana from Amazon elasticsearch service?

Question

I created Amazon elasticsearch service and populated data into it using logstash, which has been installed on an EC2 instance. On the Amazon elasticservice console page, there will be a link to access Kibana.

search-cluster_name-XXXXXXXXXXXXXXXXXXX.region_name.es.amazonaws.com/_plugin/kibana/

when I click the link, browser is throwing the following error.

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:region_name:account_id:domain/cluster_name/_plugin/kibana/"}

I'm sure that this has something related with access policy of ES domain.How should I modify my access policy so that I can access Kibana from a click on the link specified ?

Answer 1

You can setup an Access Policy with both IAM and IP-address based access. See my answer here. In short:

• EC2 instance needs a profile with the arn:aws:iam::aws:policy/AmazonESFullAccess policy
• Policy should include two statements: first list IAM access, second list IP access.

Here's an example policy (statement order is important!)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.168.1.0",
            "192.168.1.1"
          ]
        }
      }
    }
  ]
}

Answer 2

I used for that purpose proxy tool called aws-es-kibana. It signs all your requests sent to aws kibana.

IAM configuration:

I created new IAM user "elasticsearch_user" with programmatic access (and I got accessKeyId and secretAccessKey associated with that account).

Elasticsearch configuration:

I created elasticsearch policy that enables access for the new created IAM user:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::{YOUR_AWS_ACCOUNT_ID}:user/elasticsearch_user"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-central-1:{YOUR_AWS_ACCOUNT_ID}:domain/{YOUR_ELASTICSEARCH_DOMAIN}/*"
    }
  ]
}

Connect to kibana from your local station:

To connect from my local station (windows) to kibana I just need to type in console:

SET AWS_ACCESS_KEY_ID=myAccessKeyId
SET AWS_SECRET_ACCESS_KEY=mySecretAccessKey

aws-es-kibana search-{PROTECTED_PART_OF_YOUR_ELASTICSEARCH_ENDPOINT}.eu-central-1.es.amazonaws.com

After that you should have proxied access to your kibana under: http://127.0.0.1:9200/_plugin/kibana

Answer 3

You have to configure an access policy for your elasticsearch cluster. there are two options:

1. Set up an IAM-based access policy
2. White-list certain IPs from which people can access your Kibana instance.

Option 1, using IAM based access is the better option:

• Create an IAM user, called kibana_user with programmatic access. Save the accessKeyId and the secretAccessKey. Also copy the user's ARN.
• Configure your access policy to give access to kibana_user.
  • Go to https://eu-central-1.console.aws.amazon.com/es/
  • Select your elasticsearch domain
  • Click on "Modify access policty"
  • Click on "Select a template" and use the one that's called "Allow access to one or more AWS accounts or IAM users". Enter the ARN of the kibana_user
• Unfortunately, AWS does not provide with a way to log in as that user and then connect to Kiabana. Instead, if wants you to sign the HTTP requests that you make to Kibana with that user's key. There are tools that do this for you, for example aws-es-proxy

I seriously recommend against the second option with IP-based access. Even if you have a static IP,

• everybody on that IP will have access to your data on elasticesarch
• you only have access if you are connected via that API. Not from your phone, not from home.

The only case where this makes sense is if you are running your own proxy server with its own authentication method and a static IP.