Using Cloudfront to expose ElasticSearch REST API in read only (GET/HEAD)

Question

I want to let my clients speak directly with ElasticSearch REST API, obviously preventing them from performing any data or configuration change.

I had a look at ElasticSearch REST interface and I noticed the pattern: HTTP GET requests are pretty safe (harmless queries and status of cluster).

So I thought I can use Cloudfront as a CDN/Proxy that only allows GET/HEAD methods (you can impose such restrict it in the main configuration).

So far so good, all is set up. But things don't work because I would need to open my EC2 security group to the world in order to be reachable from Cloudfront! I don't want this, really!

When I use EC2 with RDS, I can simply allow access to my EC2 security group in RDS security groups. Why can't I do this with CloudFront? Or can I?

Ideas?

edit: It's not documented, but ES accepts facets query, which involve a (JSON) body, not only with POST, but also with GET. This simply breaks HTTP recommendation (as for RFC3616) by not ignoring the body for GET request (source). This relates because, as pointed out, exposing ES REST interface directly can lead to easy DOS attacks using complex queries. I'm still convinced though, having one less proxy is still worth it.

edit: Other option for me would be to skip CloudFront and adding a security layer as an ElasticSearch plugin as shown here

Answer 1

I ended coding with my own plugin. Surprisingly there was nothing quite like this around. No proxies, no Jetty, no Tomcat.

Just a the original ES rest module and my RestFilter. Using a minimum of reflection to obtain the remote address of the requests.

enjoy:

https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin