
AWS ElasticSearch Service Plus Cognito How To Put It All Together

Dennis Christilaw edited this page Nov 15, 2019 · 7 revisions

Purpose

The purpose of this document is to have a "one stop" place to set up an AWS ElasticSearch Service domain and connect it to the AWS Cognito service for user authentication. This document uses the CloudFormation templates you can find in this repo (will be linked) and walks through the end-to-end steps to get it all set up and working.

Notes about this setup:

  1. This will configure the ESS domain with PUBLIC access and NOT inside a VPC
  2. This guide is NOT meant to explain every little detail, but to walk you through successfully setting up everything and stitching it all together
  3. Templates - There are YAML and JSON versions; the YAML templates have comments, the JSON templates are just pure templates
  4. You will need elevated permissions to perform all of these actions and complete this process (if you are Admin or PowerUser, you are all set)

AWS ElasticSearch Service - Public

Template

You will need to note the following:

  • ElasticSearch Service Domain ARN

AWS Cognito For ElasticSearch

Template

You will need to note the following:

  • Cognito User Pool Name
  • Cognito Identity Pool Name
  • Cognito Auth Role ARN (will look like: arn:aws:iam::<account>:role/<cognito_name>-CognitoAuthorizedRole-<random_string>)

Let's Stitch It All Together

NOTE: Be sure that the ElasticSearch Service domain is in Active (green) status before you start making any of these changes. After every modification to the ESS domain, you will need to wait for the domain to go from Processing to Active before you can move on!

Configure Cognito Pools For Use

Create Domain Name

In order to use your new Cognito service and stitch it all up with ESS, you will need to create a domain name for the Cognito service. You do NOT need to use an external domain unless you want to; you can use an "AWS Cognito Domain" that is assigned by AWS.

Example:

prodelasticsearchdomain.auth.us-west-2.amazoncognito.com

The 'prodelasticsearchdomain' part of the domain is the name you assign above; the rest is assigned by AWS.

  • Click on Check Name to verify that it is available, then click Submit

Create Cognito User

In your Console, navigate to Security, Identity, & Compliance > Cognito

  • Click on Manage User Pool
  • Click on Users and Groups
  • Click on Create User

What you see at this point will all be dependent on how you set up your user requirements in the template, but create the user account according to the user/password policies you configured.

At this point, you will receive an email with your temporary password in it. Move on to the next steps in order to finish the configuration.

Activate Cognito on your ESS Domain

  • Navigate to your AWS Console and log in
  • In the Console, navigate to Analytics > ElasticSearch Service
  • Verify Domain Status is Active
  • Click Configure Cluster
  • Scroll down to Amazon Cognito authentication
  • Check the box for Enable Amazon Cognito authentication
  • Select your Region, Cognito User Pool and Cognito Identity Pool from the drop-down lists
  • For IAM Role Name and Role Policy, leave the default (CognitoAccessForAmazonES); this role will be created if it does not already exist
  • Click Submit

The domain will now go into Processing mode and you will want to wait for it to update to Active. This can take several minutes to complete.

  • Once the processing has completed, click on the Modify Access Policy button and delete the IP policy that is currently there (this was created by the CloudFormation template)
  • Insert the following policy (replace the placeholders below with the information gathered above; the only principal allowed is the Cognito authorized role, so no one reaches the domain without logging in through Cognito):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account>:role/<cognito_name>-CognitoAuthorizedRole-<random_string>"
      },
      "Action": "es:ESHttp*",
      "Resource": "arn:aws:es:us-west-2:<account>:domain/<search_domain_name>/*"
    }
  ]
}
  • Click Submit and wait for the domain to go from Processing to Active. This can take several minutes to complete
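The two ES-side changes above (enable Cognito authentication, then swap the access policy) can also be driven through the API, and doing so makes the "wait for Active before the next change" rule explicit. The following is an added example written for this guide, not code from the repo or its templates. It calls the real boto3 `es` client methods describe_elasticsearch_domain and update_elasticsearch_domain_config, but takes the client as a parameter so the flow can be exercised offline with the included FakeEsClient; the domain name, pool ids and ARNs in the `__main__` section are constructed placeholders, and the RoleArn passed in CognitoOptions is the CognitoAccessForAmazonES role the console creates by default.

```python
"""Apply the guide's ES-side changes in order, waiting for Active between them."""
import json
import time


def wait_for_active(client, domain_name, poll_seconds=30, max_polls=40, sleep=time.sleep):
    """Block until DomainStatus.Processing is False (what the console shows as Active).

    Every config change puts the domain back into Processing; the guide's rule is to
    wait before the next change. Raises TimeoutError instead of polling forever.
    """
    for _ in range(max_polls):
        status = client.describe_elasticsearch_domain(DomainName=domain_name)["DomainStatus"]
        if not status.get("Processing", False):
            return status
        sleep(poll_seconds)
    raise TimeoutError(f"domain {domain_name} still Processing after {max_polls} polls")


def enable_cognito_auth(client, domain_name, user_pool_id, identity_pool_id,
                        cognito_es_role_arn, sleep=time.sleep):
    """Step 1: the 'Enable Amazon Cognito authentication' checkbox, via the API."""
    wait_for_active(client, domain_name, sleep=sleep)
    client.update_elasticsearch_domain_config(
        DomainName=domain_name,
        CognitoOptions={
            "Enabled": True,
            "UserPoolId": user_pool_id,
            "IdentityPoolId": identity_pool_id,
            "RoleArn": cognito_es_role_arn,  # CognitoAccessForAmazonES role
        },
    )


def apply_access_policy(client, domain_name, policy, sleep=time.sleep):
    """Step 2: replace the template's IP policy with the Cognito-role policy.
    AccessPolicies is a JSON string, so the dict is serialised here."""
    wait_for_active(client, domain_name, sleep=sleep)
    client.update_elasticsearch_domain_config(
        DomainName=domain_name, AccessPolicies=json.dumps(policy)
    )
    return wait_for_active(client, domain_name, sleep=sleep)


def run_cutover(client, domain_name, user_pool_id, identity_pool_id,
                cognito_es_role_arn, policy, sleep=time.sleep):
    """Both steps in the order the guide requires; returns the final DomainStatus."""
    enable_cognito_auth(client, domain_name, user_pool_id, identity_pool_id,
                        cognito_es_role_arn, sleep=sleep)
    return apply_access_policy(client, domain_name, policy, sleep=sleep)


class FakeEsClient:
    """Offline stand-in for boto3.client("es") (constructed for this example).
    Each update puts the domain into Processing for `settle_polls` describe calls."""

    def __init__(self, settle_polls=2):
        self.settle_polls = settle_polls
        self.remaining = 0        # describe calls still to report Processing
        self.calls = []           # kwargs of every update call, in order
        self.config = {}

    def describe_elasticsearch_domain(self, DomainName):
        processing = self.remaining > 0
        if processing:
            self.remaining -= 1
        return {"DomainStatus": {"DomainName": DomainName, "Processing": processing,
                                 **self.config}}

    def update_elasticsearch_domain_config(self, DomainName, **kwargs):
        self.calls.append(kwargs)
        self.config.update(kwargs)
        self.remaining = self.settle_polls
        return {"DomainConfig": {}}


if __name__ == "__main__":
    # Constructed placeholder values; substitute the ones noted from your stacks.
    # With a real client use: client = boto3.client("es", region_name="us-west-2")
    client = FakeEsClient()
    client.remaining = 3  # pretend the domain is still settling from creation
    policy = {"Version": "2012-10-17", "Statement": []}  # see the policy above
    final = run_cutover(client, "prodelasticsearchdomain", "us-west-2_ExampleP00l",
                        "us-west-2:11111111-2222-3333-4444-555555555555",
                        "arn:aws:iam::123456789012:role/CognitoAccessForAmazonES",
                        policy, sleep=lambda s: None)
    print("final status:", final["Processing"], "| updates applied:", len(client.calls))
```

With a real boto3 client the same run_cutover call is all that is needed; the sleep parameter only exists so the fake can skip the 30-second polling interval.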

NOTE: At this point, you will no longer be able to access Kibana until you log in and update your password!

  • Navigate to your Kibana URL for your domain and you should be presented with a Login Prompt
  • Log in using your username and temporary password
  • You will be prompted to change your password

Once all of this has been completed, you will be able to access Kibana using your user account.

Additional Security

If you want to lock your ElasticSearch domain down further, you can also extend the access policy with something similar to the following:

(This policy enables user account access via Cognito while restricting logins to the specified IPs only)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account>:role/<cognito_name>-CognitoAuthorizedRole-<random_string>"
      },
      "Action": "es:ESHttp*",
      "Resource": "arn:aws:es:us-west-2:<account>:domain/<search_domain_name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.168.1.1/32",
            "192.168.2.1/32",
            "192.168.3.1/32"
          ]
        }
      }
    }
  ]
}

The above policy will still display the login page, but when you are off-network you will get an Access Denied error when logging in, because the aws:SourceIp condition is evaluated against the address the request arrives from.
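Both access policies on this page (the Cognito-only one and the IP-restricted one under Additional Security) differ only by the aws:SourceIp condition. The following is an added example for this guide, not code from the repo or its templates: it builds either policy from the ARNs you noted earlier, lints a policy for the settings that would undo the lock-down (anonymous principal, es:*, resource *), and evaluates a request the way the text describes, so the on-network versus off-network behaviour can be checked before the policy is applied. The role and domain ARNs and the office CIDRs are constructed placeholders; the evaluator only models Allow statements with an IpAddress condition.

```python
"""Build, lint and dry-run the Cognito access policy for an Amazon ES domain."""
import ipaddress
import json

POLICY_VERSION = "2012-10-17"


def build_access_policy(auth_role_arn, domain_arn, allowed_cidrs=None):
    """Return the policy the guide applies: only the Cognito authorized role may
    call es:ESHttp* on this domain, optionally only from allowed_cidrs."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": auth_role_arn},
        "Action": "es:ESHttp*",
        "Resource": domain_arn + "/*",
    }
    if allowed_cidrs:
        # Reject malformed CIDRs up front; a typo here locks out or opens up more
        # than intended and is only noticed at login time.
        for cidr in allowed_cidrs:
            ipaddress.ip_network(cidr, strict=True)
        statement["Condition"] = {"IpAddress": {"aws:SourceIp": list(allowed_cidrs)}}
    return {"Version": POLICY_VERSION, "Statement": [statement]}


def lint_access_policy(policy):
    """Return findings for Allow statements that weaken the intended setup."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"statement {i}: anonymous principal (*) bypasses the Cognito login")
        elif not (isinstance(principal, dict) and ":role/" in str(principal.get("AWS", ""))):
            findings.append(f"statement {i}: principal is not an IAM role ARN")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "es:*") for a in actions):
            findings.append(f"statement {i}: grants es:* (includes domain config changes)")
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(r == "*" for r in resources):
            findings.append(f"statement {i}: resource * covers every domain in the account")
    return findings


def is_request_allowed(policy, principal_arn, source_ip):
    """Dry-run: allowed only if some Allow statement names this principal and, when
    it carries an IpAddress condition, source_ip falls inside one of its CIDRs."""
    ip = ipaddress.ip_address(source_ip)
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or st["Principal"].get("AWS") != principal_arn:
            continue
        cidrs = st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if not cidrs or any(ip in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False


# Constructed sample values, in the shape the guide tells you to note down.
SAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/escognito-CognitoAuthorizedRole-ABC123"
SAMPLE_DOMAIN_ARN = "arn:aws:es:us-west-2:123456789012:domain/prodelasticsearchdomain"
OFFICE_CIDRS = ["192.168.1.1/32", "192.168.2.1/32", "192.168.3.1/32"]

if __name__ == "__main__":
    locked = build_access_policy(SAMPLE_ROLE_ARN, SAMPLE_DOMAIN_ARN, OFFICE_CIDRS)
    print(json.dumps(locked, indent=2))
    print("findings:", lint_access_policy(locked))
    print("on-network:", is_request_allowed(locked, SAMPLE_ROLE_ARN, "192.168.2.1"))
    print("off-network:", is_request_allowed(locked, SAMPLE_ROLE_ARN, "10.0.0.5"))
```

The lint deliberately flags Principal "*": with an anonymous principal the Kibana login page is still served by Cognito, but the domain itself answers requests that never went through it, which is exactly what this guide sets out to prevent.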