When is the InvalidHostHeaderRequests metric recorded, and how does this condition affect an Amazon Elasticsearch Service domain?

Last updated: 2020-05-28

When is the InvalidHostHeaderRequests metric recorded? Also, how does this condition affect an Amazon Elasticsearch Service (Amazon ES) domain?

Resolution

The InvalidHostHeaderRequests Amazon CloudWatch metric is recorded when a request's host header value is different from the fully qualified domain name (FQDN) of the domain.

Amazon ES rejects requests that don't have a valid host header if one of the following is also true:

  • The requested domain is publicly accessible.
  • The requested domain uses an open AWS Identity and Access Management (IAM) access policy, rather than a resource-based policy (such as an IP-based policy).

This means that requests are allowed and InvalidHostHeaderRequests isn't recorded if any of the following conditions are true:

  • The request has a valid host header (the host header matches the FQDN of the domain).
  • The requested domain is in a virtual private cloud (VPC). For more information, see VPC Support for Amazon Elasticsearch Service Domains.
  • The requested domain uses a resource-based policy.

Examples

Here's an example of an open access policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:Region:account-id:domain/es-domain-name/*"
        }
    ]
}

The following command uses domain.com as the host header value, which isn't a valid host header value for the es-domain-name domain. When this request is submitted to a publicly accessible domain with an open access policy, the InvalidHostHeaderRequests metric is recorded and the request is rejected.

$ curl -H 'Host: domain.com' es-domain-name
User is not authorized to perform this action

Use one or both of the following solutions to resolve this problem:

  • Set the appropriate value for the host header.
  • Use an IP-based access policy instead of an open access policy.

Set the appropriate value for the host header

The following example command specifies the domain name as the host header value. This is a valid request. When this request is submitted to an Amazon ES domain, the request is accepted and the InvalidHostHeaderRequests metric isn't recorded.

$ curl -H 'Host: es-endpoint' es-endpoint

Here's an example that uses an AWS endpoint URL:

$ curl -H 'Host: xxxxxx..es.amazonaws.com' https://xxxxxx..es.amazonaws.com

Use an IP-based access policy

Instead of an open access policy, use an access policy that restricts requests to an IP address or CIDR range. For example, the following IP-based policy allows requests whose source IP address is in the 11.11.11.11/32 CIDR range. Requests from addresses in this range are allowed, and the InvalidHostHeaderRequests metric isn't recorded, regardless of the host header value.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:region:account-id:domain/es-domain-name/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "11.11.11.11/32"
                    ]
                }
            }
        }
    ]
}
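The following Python script is an added example, not part of this article and not AWS code. It models the decision described above: a request is rejected and InvalidHostHeaderRequests is recorded only when the host header doesn't match the domain's FQDN, the domain is publicly accessible, and the access policy is open (Principal "*" with no Condition). It also shows how to tell the open policy apart from the IP-based policy and how the aws:SourceIp condition narrows who can reach the domain. The endpoint name, account ID, and Region are constructed placeholders, and the hypothetical functions is_open_policy, evaluate_request, and source_ip_allowed are assumptions of this example rather than an AWS API.

```python
import ipaddress

# Constructed endpoint FQDN and policies; the account ID and Region are placeholders.
ENDPOINT = "search-es-domain-name-abc123.us-east-1.es.amazonaws.com"

# Open access policy: anyone may call any es:* action, with no Condition.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/es-domain-name/*",
    }],
}

# IP-based (resource-based) policy: same grant, limited to one source CIDR.
IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/es-domain-name/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["11.11.11.11/32"]}},
    }],
}

# Constructed domain descriptions: endpoint, network placement, and policy.
PUBLIC_OPEN = {"endpoint": ENDPOINT, "vpc": False, "policy": OPEN_POLICY}
VPC_OPEN = {"endpoint": ENDPOINT, "vpc": True, "policy": OPEN_POLICY}
PUBLIC_IP = {"endpoint": ENDPOINT, "vpc": False, "policy": IP_POLICY}


def is_open_policy(policy):
    """True if any Allow statement grants access to Principal '*' without a Condition."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        anyone = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if anyone and not stmt.get("Condition"):
            return True
    return False


def normalize_host(value):
    """Lower-case the host and drop an explicit port so 'FQDN:443' matches 'fqdn'."""
    host, _, _port = value.strip().lower().partition(":")
    return host


def evaluate_request(domain, host_header):
    """Return (metric_recorded, accepted) for a request carrying host_header.

    Follows the allow conditions listed in the article: a matching host header,
    a VPC domain, or a resource-based policy each means the request is accepted
    and InvalidHostHeaderRequests is not recorded. Only the remaining case
    (bad host header, public domain, open policy) records the metric and rejects.
    """
    if normalize_host(host_header) == normalize_host(domain["endpoint"]):
        return (False, True)
    if domain["vpc"]:
        return (False, True)
    if not is_open_policy(domain["policy"]):
        return (False, True)
    return (True, False)


def source_ip_allowed(policy, source_ip):
    """Evaluate the IpAddress/aws:SourceIp condition of the policy's Allow statements.

    A statement without a Condition allows every source; a statement with an
    aws:SourceIp condition allows only addresses inside one of the listed CIDRs.
    """
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if cidrs is None:
            return True
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        if any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return True
    return False


if __name__ == "__main__":
    # Mirrors the curl examples: wrong Host on a public open domain is rejected,
    # the correct Host is accepted, and the IP policy ignores the Host value.
    print("open policy?", is_open_policy(OPEN_POLICY), is_open_policy(IP_POLICY))
    print("Host: domain.com on public/open  ->", evaluate_request(PUBLIC_OPEN, "domain.com"))
    print("Host: endpoint on public/open    ->", evaluate_request(PUBLIC_OPEN, ENDPOINT))
    print("Host: domain.com on public/IP    ->", evaluate_request(PUBLIC_IP, "domain.com"))
    print("11.11.11.11 allowed by IP policy ->", source_ip_allowed(IP_POLICY, "11.11.11.11"))
    print("11.11.11.12 allowed by IP policy ->", source_ip_allowed(IP_POLICY, "11.11.11.12"))
```

Running the script shows the two sides of the fix: switching to the IP-based policy stops the metric from being recorded for any host header value, but it also means a caller outside 11.11.11.11/32 is denied by the aws:SourceIp condition, so the allowed CIDR list has to cover every legitimate client.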