How can I delegate Amazon Elasticsearch access across AWS Accounts using IAM Roles?

Last updated: 2021-02-25

I would like to share the Amazon Elasticsearch Service (Amazon ES) resources in my account with users in a different account. How can I do this?

Short description

The easiest way to enable cross-account access to your Amazon ES domain is to set up cross-account control using an AWS Identity and Access Management (IAM) role. By creating an IAM role in the target account, you allow users from trusted accounts to access the Amazon ES domain in the target account. In this way, different users in your organization can access and manage the central logging Amazon ES domain by switching IAM roles in the AWS Management Console.

For users to access your Amazon ES resources using an IAM role, the process is as follows:

  1. Create a role in Account A that is allowed to access the target Amazon ES domain.
  2. Create a user in Account B that is allowed to assume the role in Account A.
  3. Grant users in Account B access to the target Amazon ES domain by letting them switch to that role.

Note: Account A is the account that owns the target Amazon ES domain. Account B is the account from which users access the central logging domain.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Create a Role and grant permissions to manage the Amazon ES domain

In this example, we create a role called CrossAccount-test and attach the following policy, which grants full permissions to manage the Amazon ES domain test. Note that es:* covers every Amazon ES configuration and data-plane action on the domain; if the users only need to query and index data, restrict Action to the es:ESHttp* actions (for example es:ESHttpGet and es:ESHttpPost) instead.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "es:*"
            ],
            "Resource": "arn:aws:es:<Region>:<Account A-ID>:domain/test/*"
        }
    ]
}

Edit the trust relationship of the role

Next, edit the trust relationship of the role CrossAccount-test.

Note: Change the account number and user name accordingly.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "es.amazonaws.com",
                "AWS": [
                    "arn:aws:iam::<Account B-ID>:root",
                    "arn:aws:iam::<Account B-ID>:user/<User Name>"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

In Steps 1 and 2, you define the user in Account B as a trusted entity and grant full permissions to allow trusted users to access the Amazon ES domain in Account A. Be aware that the arn:aws:iam::<Account B-ID>:root principal trusts the entire account: any IAM user or role in Account B whose own policies allow sts:AssumeRole on this role can assume it, which makes the user ARN next to it redundant. If only specific users should be able to switch into Account A, list their ARNs and omit the root principal. The es.amazonaws.com service principal is not used by the role-switching flow described here and can also be omitted.

Grant access to users in Account B

In Account B, create a user or group with the following permissions:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<Account A-ID>:role/CrossAccount-test"
    }
}

When you add this policy statement, you allow the AssumeRole action on the CrossAccount-test role in Account A.

Note: Be sure to replace <Account A-ID> in the Resource element with the AWS account ID of Account A.

Edit the Amazon ES access policy to allow the role to access the domain

At this point, you have trusted Account B to assume the role in Account A. Next, allow this role to access the Amazon ES domain. Because the role and the domain are in the same account, an Allow in either the role's identity policy or the domain access policy is sufficient, so if you want to restrict the permitted actions you must restrict both documents.

Note: If fine-grained access control is enabled on the domain, you must also map the role ARN (arn:aws:iam::<Account A-ID>:role/CrossAccount-test) as a backend role in the domain's security configuration; otherwise requests are rejected by the security plugin even though IAM allows them.

Edit the Amazon ES access policy and enter the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<Account A-ID>:role/CrossAccount-test"
                ]
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:<Region>:<Account A-ID>:domain/<Domain Name>/*"
        }
    ]
}
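
As an added example (not code from the original article), the following Python script builds the four policy documents from the steps above and reviews them the way a security reviewer would: it flags the :root principal as account-wide trust, an unneeded service principal, es:* grants on either side, and any mismatch between the role ARN used in Account B's policy, the trust policy and the domain access policy. The account IDs, region, domain name, role name and user name are made-up placeholders.

```python
# Added example, not from the original article: generate the four policy
# documents of the cross-account chain and review them for common gaps.
# Account IDs, region, domain, role and user name are constructed placeholders.
import json

ACCOUNT_A = "111111111111"   # owns the Amazon ES domain (constructed placeholder)
ACCOUNT_B = "222222222222"   # home account of the users (constructed placeholder)
REGION, DOMAIN = "us-east-1", "test"
ROLE, USER_B = "CrossAccount-test", "alice"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/{ROLE}"
DOMAIN_ARN = f"arn:aws:es:{REGION}:{ACCOUNT_A}:domain/{DOMAIN}/*"
READ_ONLY = ("es:ESHttpGet", "es:ESHttpHead")   # enough for querying the domain


def role_permissions_policy(actions=("es:*",)):
    """Step 1: identity policy attached to the role in Account A."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": list(actions), "Resource": DOMAIN_ARN}]}


def trust_policy(trust_whole_account=False, trust_es_service=False):
    """Step 2: the role's trust relationship, i.e. who may call sts:AssumeRole."""
    principal = {"AWS": [f"arn:aws:iam::{ACCOUNT_B}:user/{USER_B}"]}
    if trust_whole_account:          # ':root' stands for every principal in Account B
        principal["AWS"].insert(0, f"arn:aws:iam::{ACCOUNT_B}:root")
    if trust_es_service:
        principal["Service"] = "es.amazonaws.com"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}


def assume_role_policy(role_arn=ROLE_ARN):
    """Step 3: policy attached to the user or group in Account B."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def domain_access_policy(actions=("es:*",)):
    """Step 4: resource-based access policy on the domain itself."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]},
         "Action": list(actions), "Resource": DOMAIN_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def review_chain(role_policy, trust, account_b_policy, domain_policy):
    """Return a list of findings; an empty list means the four documents agree
    with each other and contain no account-wide, wildcard or unneeded grants."""
    findings = []
    for s in _allow_statements(trust):
        if "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        for p in _aws_principals(s):
            if p == "*":
                findings.append("trust: any AWS principal may assume the role")
            elif p.endswith(":root") or p.isdigit():   # a bare account ID means root
                findings.append(f"trust: {p} trusts the whole account, so every "
                                "principal there with sts:AssumeRole can use the role")
            elif not p.startswith(f"arn:aws:iam::{ACCOUNT_B}:"):
                findings.append(f"trust: {p} is not in Account B")
        principal = s.get("Principal", {})
        if isinstance(principal, dict) and "Service" in principal:
            findings.append("trust: service principal is not used when users switch roles")
    b_resources = [r for s in _allow_statements(account_b_policy)
                   for r in _as_list(s["Resource"])]
    if ROLE_ARN not in b_resources:
        findings.append(f"account B: sts:AssumeRole is not granted on {ROLE_ARN}")
    if ROLE_ARN not in [p for s in _allow_statements(domain_policy) for p in _aws_principals(s)]:
        findings.append("domain policy: the role is not listed as a principal")
    # Role and domain sit in the same account, so an Allow on either side is
    # enough; both documents have to be tightened for a restriction to hold.
    for name, policy in (("role policy", role_policy), ("domain policy", domain_policy)):
        for s in _allow_statements(policy):
            if any(a in ("es:*", "*") for a in _as_list(s["Action"])):
                findings.append(f"{name}: es:* grants full control of the domain; "
                                "use es:ESHttp* actions where users only query it")
            if "*" in _as_list(s["Resource"]):
                findings.append(f"{name}: Resource '*' covers every domain in the account")
    return findings


if __name__ == "__main__":
    as_on_page = review_chain(role_permissions_policy(),
                              trust_policy(trust_whole_account=True, trust_es_service=True),
                              assume_role_policy(), domain_access_policy())
    tightened = review_chain(role_permissions_policy(READ_ONLY), trust_policy(),
                             assume_role_policy(), domain_access_policy(READ_ONLY))
    print(json.dumps(trust_policy(), indent=2))
    print("findings for the article's configuration:", *as_on_page, sep="\n  ")
    print("findings after tightening:", tightened)
```

Run with the article's configuration (root plus user in the trust policy, es.amazonaws.com as an extra principal, es:* on both the role and the domain), review_chain reports the account-wide trust, the unused service principal and both es:* grants; the tightened variant (named user only, es:ESHttpGet and es:ESHttpHead on both sides) returns no findings. The ARN cross-checks catch the most common misconfiguration in practice, a role name or account ID that was edited in one document but not the others.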

Test Access by switching roles

Now that you have enabled cross-account support, switch roles to test the access:

  1. Copy the ARN of the CrossAccount-test role to your clipboard.
  2. Log in to Account B using the AWS Management Console.
  3. From the account name menu in the navigation bar, choose Switch Role.
  4. On the Switch Role page, enter the account ID for Account A and the role name. In this example, the role name is CrossAccount-test.
  5. Choose Switch Role.

Note: If Account B needs to work in the Account A environment at the command line, you can switch role using the AWS CLI. For more information, see Switch roles (AWS CLI).

Your user permissions immediately switch to those permitted by the role you created in Account A. By setting up cross-account access in this way, your users don't need individual IAM users in different accounts, and they don't have to sign out of one account and sign in to another in order to access a resource.
