Secure your OpenSearch Development Domain using Amazon WorkSpaces

September 8, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. See details.

Darin Briskman (@briskmad) is a technical evangelist at Amazon Web Services.

So you’re working with Amazon Elasticsearch Service and you’re setting up a non-production domain, using it for a development, sandbox, test, or staging environment. (If you’re new to Elasticsearch, a domain is similar to what’s called a cluster for other computing systems. It’s a collection of servers, network, and software working as a single system.) You’ll initially want to throw some data at Elasticsearch, pop off a couple of commands using curl, and check in with Kibana.

You know you should set up a secure environment, but that’s such a pain. You think you can just take the easy road and use the Open profile. Sure, it’s insecure, but this is a non-production environment, so what’s the worst that can happen?

DON’T DO IT!!!

Sadly, the modern Internet is a snakepit of malicious actors. It’s foolish to ever connect an unsecured environment to the Internet, for any reason. It’s not worth the risk. You can get problems like this and this.

There are many options for securing your Amazon Elasticsearch Service domain, as described in the documentation and in this useful blog. The easiest and quickest is through IP restriction and the IP-based profile.

Of course, this creates another problem. If you use the IP address of your workstation, it can change when you move around (like between different offices, or between home and a workplace), which requires resetting the security profile on the domain.

How can you easily work from a known IP address that doesn’t change? The quick and simple answer is to use Amazon WorkSpaces. Combined with IP-based access control, you have an always accessible non-production environment that is both easy to use and secure.

Here’s how to do it:

1. Set up a WorkSpace.
2. Create the development domain.
3. Secure the development domain.
4. Test access and security.

Go to https://aws.amazon.com, and then choose Sign In to the Console. In the AWS Management Console, open WorkSpaces.

Follow the instructions in the WorkSpaces documentation. Spend time deciding which bundle you want to use. Bundles can range from a 1 vCPU, 2 GiB bundle (Value) up to an 8 vCPU, 15 GiB + 1 GPU, 4 GiB bundle (Graphics). You also get to choose a Microsoft Windows version and other software.

You now have a WorkSpace with a consistent IP address. When you launch the WorkSpace, you can also choose the running mode: Always On or AutoStop. If you choose AutoStop, your WorkSpaces stop when you log out or after a specified period of inactivity and the state of apps and data is saved. You only pay for the hours you are signed in.

Sign into your WorkSpace and get its IP address. On Windows 10, you can get the IP address from Settings > Network & Internet > Ethernet or you can open a cmd window and use ipconfig.

Next, go back to the AWS Management Console and choose Elasticsearch Service. Set up a domain that meets your requirements. On Set up access policy, choose Allow access to the domain from specific IP(s).

The wizard will open a pop-up, where you can enter the IP address of your WorkSpace:

That’s it! After you have created your domain, you can access it from your WorkSpace and it’s closed to the Internet.

You should, of course, test to be sure that you can access your Amazon Elasticsearch Domain from your WorkSpace and not from any other systems.

Now you can either do your development work directly on the WorkSpace, or you can use your favorite development system and just copy your work to the WorkSpace as a staging system to get to Elasticsearch. Either way, you now have a secure development environment.

Have fun with Amazon Elasticsearch Service!