How do I resolve host header that's missing or not valid in Amazon OpenSearch Service?

Last updated: 2021-07-23

I'm getting a Not authorized error because of a host header that's invalid or missing in Amazon OpenSearch Service (successor to Amazon Elasticsearch Service). How do I resolve this?

Short description

The InvalidHostHeaderRequests metric in Amazon CloudWatch is recorded when a request's host header value is different from the fully qualified domain name (FQDN).

For the following conditions, Amazon OpenSearch Service rejects the requests that are missing valid headers:

  • The requested domain is publicly accessible.
  • The requested domain uses an open AWS Identity and Access Management (IAM) access policy, rather than a resource-based policy (such as an IP-based policy).

To prevent the InvalidHostHeaderRequests metric counter from being triggered, consider the following approaches:

Otherwise, you receive the following error:

$ curl -H 'Host: domain.com' domain-endpoint-name
User is not authorized to perform this action

Resolution

Example

Here's an example of an open access policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:Region:account-id:domain/os-domain-name/*"
        }
    ]
}

The following command uses domain.com as the host header value, which isn't a valid header for the os-domain-name domain. When this request is submitted to a publicly accessible domain with an open access policy, the InvalidHostHeaderRequests metric is recorded and the request is rejected.

$ curl -H 'Host: domain.com' os-domain-name
User is not authorized to perform this action

To resolve the "User is not authorized to perform this action" error, consider the following approaches:

  • Set the appropriate value for the host header.
  • Launch your OpenSearch Service domain using a VPC.
  • Use an IP-based access policy instead of an open access policy.
  • Use fine-grained access control (FGAC).

Tip 1: Set the appropriate value for the host header

The following example command specifies the domain name as the host header value:

$ curl -H 'Host: os-endpoint' os-endpoint

Here's an example that uses an AWS endpoint URL:

curl -H 'Host: xxxxxx..os.amazonaws.com' https://xxxxxx..os.amazonaws.com

Tip 2: Launch your OpenSearch Service domain using a VPC

Using a VPC to launch your OpenSearch Service domain provides an added layer of security. A VPC also allows you to manage access to the domain through security groups. Therefore, it's a best practice to avoid using a public endpoint to launch your domain. Although your request reaches the OpenSearch Service domain, you might receive a Not authorized error when you access the public endpoint in a web browser. For more information, see About access policies on VPC domains.

When you create a domain with VPC access, the endpoint looks like this (similar to a public endpoint):

https://vpc-domain-name-identifier.region.os.amazonaws.com

Tip 3: Use a resource-based policy

Instead of an open access policy, use a resource-based access policy that specifies IAM roles or restricts requests to an IP address or CIDR range.

For example, the following IP-based policy allows requests in the 11.11.11.11/32 CIDR range. Requests to domains in this range are allowed, and the InvalidHostHeaderRequests metric isn't recorded, regardless of the host header value.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:region:account-id:domain/os-domain-name/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "11.11.11.11/32"
                    ]
                }
            }
        }
    ]
}

Tip 4: Use fine-grained access control (FGAC)

Along with resource-based access policies, you can use FGAC to manage data access to your OpenSearch Service domain. Fine-grained access control offers the following benefits:

  • Role-based access control
  • Security at the index, document, and field level
  • OpenSearch Dashboards multi-tenancy
  • HTTP basic authentication for OpenSearch Service and OpenSearch Dashboards

Because FGAC is based on roles, user credentials are evaluated when authenticating a request. If fine-grained access control authenticates the user, then the InvalidHostHeaderRequests metric isn't recorded. For more information about FGAC, see The bigger picture: fine-grained access control and OpenSearch Service security.