How do I resolve host header that's missing or not valid in Amazon OpenSearch Service?

Last updated: 2021-07-23

I'm getting a Not authorized error because of a host header that's invalid or missing in Amazon OpenSearch Service (successor to Amazon Elasticsearch Service). How do I resolve this?

Short description

The InvalidHostHeaderRequests metric in Amazon CloudWatch is recorded when a request's host header value is different from the fully qualified domain name (FQDN).

For the following conditions, Amazon OpenSearch Service rejects the requests that are missing valid headers:

The requested domain is publicly accessible.
The requested domain uses an open AWS Identity and Access Management (IAM) access policy, rather than a resource-based policy (such as an IP-based policy).

To prevent the InvalidHostHeaderRequests metric counter from being triggered, consider the following approaches:

Use a valid host header (the host header must match the FQDN of your OpenSearch Service domain).
Launch your OpenSearch Service domain using a virtual private cloud (VPC).
Use a resource-based policy (that restricts IP addresses or specifies IAM roles).
Enable fine-grained access control (FGAC).

Otherwise, you receive the following error:

$ curl -H 'Host: domain.com' domain-endpoint-name
User is not authorized to perform this action

Resolution

Example

Here's an example of an open access policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:Region:account-id:domain/os-domain-name/*"
        }
    ]
}

The following command uses domain.com as the host header value, which isn't a valid header for the os-domain-name domain. When this request is submitted to a publicly accessible domain with an open access policy, the InvalidHostHeaderRequests metric is recorded and the request is rejected.

$ curl -H 'Host: domain.com' os-domain-name
User is not authorized to perform this action

To resolve the "User is not authorized to perform this action" error, consider the following approaches:

Set the appropriate value for the host header.
Launch your OpenSearch Service domain using a VPC.
Use an IP-based access policy instead of an open access policy.
Use fine-grained access control (FGAC).

Tip 1: Set the appropriate value for the host header

The following example command specifies the domain name as the host header value:

$ curl -H 'Host: os-endpoint' os-endpoint

Here's an example that uses an AWS endpoint URL:

curl -H 'Host: xxxxxx..os.amazonaws.com' https://xxxxxx..os.amazonaws.com

Tip 2: Launch your OpenSearch Service domain using a VPC

Using a VPC to launch your OpenSearch Service domain provides an added layer of security. A VPC also allows you to manage access to the domain through security groups. Therefore, it's a best practice to avoid using a public endpoint to launch your domain. Although your request reaches the OpenSearch Service domain, you might receive a Not authorized error when you access the public endpoint in a web browser. For more information, see About access policies on VPC domains.

When you create a domain with VPC access, the endpoint looks like this (similar to a public endpoint):

https://vpc-domain-name-identifier.region.os.amazonaws.com

Tip 3: Use a resource-based policy

Instead of an open access policy, use a resource-based access policy that specifies IAM roles or restricts requests to an IP address or CIDR range.

For example, the following IP-based policy allows requests in the 11.11.11.11/32 CIDR range. Requests to domains in this range are allowed, and the InvalidHostHeaderRequests metric isn't recorded, regardless of the host header value.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:region:account-id:domain/os-domain-name/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "11.11.11.11/32"
                    ]
                }
            }
        }
    ]
}

Tip 4: Use fine-grained access control (FGAC)

Along with resource-based access policies, you can use FGAC to manage data access to your OpenSearch Service domain. Fine-grained access control offers the following benefits:

Role-based access control
Security at the index, document, and field level
OpenSearch Dashboards multi-tenancy
HTTP basic authentication for OpenSearch Service and OpenSearch Dashboards

Because FGAC is based on roles, user credentials are evaluated when authenticating a request. If fine-grained access control authenticates the user, then the InvalidHostHeaderRequests metric isn't recorded. For more information about FGAC, see The bigger picture: fine-grained access control and OpenSearch Service security.

Related information

Creating and managing Amazon Opensearch Service domains

How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?

Identity and Access Management in Amazon OpenSearch Service

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support