How can I access Kibana from outside of a VPC using Amazon Cognito authentication?

Last updated: 2020-12-23

My Amazon Elasticsearch Service cluster is in a virtual private cloud (VPC). How can I access the Kibana endpoint from outside the VPC using Amazon Cognito authentication?

Resolution

Use one of the following methods to access Kibana from outside a VPC with Amazon Cognito authentication:

Use an SSH tunnel

For more information, see How can I use an SSH tunnel to access Kibana from outside of a VPC with Amazon Cognito authentication?

  • Advantages: Provides a secure connection over the SSH protocol. All connections use the SSH port.
  • Disadvantages: Requires client-side configuration and a proxy server.

Use an NGINX proxy

For more information, see How can I use an NGINX proxy to access Kibana from outside of a VPC with Amazon Cognito authentication?

  • Advantages: Setup is easier, because only server-side configuration is required. Uses standard HTTP (port 80) and HTTPS (port 443).
  • Disadvantages: Requires a proxy server. The security level of the connection depends on how the proxy server is configured.

(Optional) If fine-grained access control (FGAC) is enabled, add an Amazon Cognito authenticated role

If fine-grained access control (FGAC) is enabled on your Elasticsearch cluster, you might encounter a missing role error. To resolve the missing role error, perform the following steps:

1. Sign in to the AWS Management Console.

2. Under Analytics, choose Elasticsearch Service.

3. Choose Actions.

4. Choose Modify master user.

5. Choose Set IAM ARN as your master user.

6. In the IAM ARN field, enter the ARN of the Amazon Cognito authenticated role.

7. Choose Submit.

For more information about fine-grained access control, see Tutorial: IAM master user and Amazon Cognito.

Use VPN

For more information, see What is AWS Site-to-Site VPN.

  • Advantages: Secure connection between your on-premises equipment and your VPCs. Uses standard TCP and UDP for TLS VPN.
  • Disadvantages: Requires VPN setup and client-side configuration.

Note: To allow or restrict access to resources, you must modify the VPC network configuration and the security groups associated with the Elasticsearch domain. For more information, see Testing VPC domains.