Configure fine-grained data access with Amazon Elasticsearch Service

Posted on: Feb 11, 2020

Amazon Elasticsearch Service now offers fine-grained access control, which adds multiple capabilities to give you tighter control over your data. New features include the ability to use roles to define granular permissions for indices, documents, or fields and to extend Kibana with read-only views and secure multi-tenant support.

Numerous teams can share a single Amazon Elasticsearch Service domain without being able to see or modify other teams’ indices, dashboards, or visualizations, enabling greater efficiency and centralizing management. You can limit each user to only the permissions needed to perform a task.

Fine-grained access control offers two forms of authentication and authorization: a built-in user database, which makes it easy to configure usernames and passwords inside of Elasticsearch, and AWS Identity and Access Management (IAM) integration, which lets you map IAM principals to permissions.

Fine-grained access control is powered by Open Distro for Elasticsearch, an Apache 2.0-licensed distribution of Elasticsearch. To learn more about Open Distro for Elasticsearch and its security plugin, visit the project website.

Fine-grained access control is available on domains running Elasticsearch 6.7 and higher. To learn more, see the documentation.

Fine-grained access control is now available for Amazon Elasticsearch Service domains across 21 regions globally: US East (N. Virginia, Ohio), US West (Oregon, N. California), AWS GovCloud (US-Gov-East, US-Gov-West), Canada (Central), South America (São Paulo), EU (Ireland, London, Frankfurt, Paris, Stockholm), Asia Pacific (Singapore, Sydney, Tokyo, Seoul, Mumbai, Hong Kong), and China (Beijing – operated by Sinnet, Ningxia – operated by NWCD). Please refer to the AWS Region Table for more information about Amazon Elasticsearch Service availability.