How can I access OpenSearch Dashboards from outside of a VPC using Amazon Cognito authentication?
Last updated: 2021-09-10
My Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) cluster is in a virtual private cloud (VPC). How can I access the OpenSearch Dashboards endpoint from outside of the VPC using Amazon Cognito authentication?
Use one of the following methods to access OpenSearch Dashboards from outside of a VPC with Amazon Cognito authentication:
Use an SSH tunnel
- Advantages: Provides a secure connection over the SSH protocol. All connections use the SSH port.
- Disadvantages: Requires client-side configuration and a proxy server.
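The following script is an added example, not code from the AWS article: it opens the SSH tunnel from a workstation to a VPC-only Dashboards endpoint. The detail that trips people up with Cognito is the redirect: after sign-in, Cognito sends the browser back to https://<domain endpoint>/_dashboards, so the script maps the domain hostname to 127.0.0.1 in /etc/hosts and forwards local port 443, which keeps the real hostname in the browser and lets the domain's certificate validate. The bastion address, key path and domain endpoint are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the AWS article: SSH tunnel to a VPC-only OpenSearch Dashboards
# endpoint with Cognito sign-in. The domain hostname is resolved to 127.0.0.1 and local
# port 443 is forwarded, so Cognito's redirect to https://<endpoint>/_dashboards lands on
# the tunnel. All hosts, keys and endpoints below are placeholders (assumptions).
set -eu

BASTION="${BASTION:-ec2-user@203.0.113.10}"             # assumed bastion/EC2 host inside the VPC
SSH_KEY="${SSH_KEY:-${HOME:-}/.ssh/bastion.pem}"          # assumed key pair for the bastion
DOMAIN_ENDPOINT="${DOMAIN_ENDPOINT:-vpc-example-abc123.us-east-1.es.amazonaws.com}"  # assumed VPC endpoint
LOCAL_PORT="${LOCAL_PORT:-443}"                           # keep 443 so the Cognito redirect hits the tunnel

# hosts_entry HOST: the /etc/hosts line that resolves the domain hostname to the tunnel.
hosts_entry() {
  printf '127.0.0.1 %s\n' "$1"
}

# forward_spec LOCAL_PORT HOST: the ssh -L argument; Dashboards is served on 443 behind the endpoint.
forward_spec() {
  printf '%s:%s:443' "$1" "$2"
}

ensure_hosts_entry() {
  # -F: the endpoint contains dots, which grep would otherwise treat as regex wildcards.
  if ! grep -qF "$DOMAIN_ENDPOINT" /etc/hosts; then
    hosts_entry "$DOMAIN_ENDPOINT" | sudo tee -a /etc/hosts >/dev/null
  fi
}

open_tunnel() {
  # -N: no remote shell, the session exists only for the port forward.
  # Binding a port below 1024 needs root, hence sudo for the default 443.
  set -- -i "$SSH_KEY" -N -L "$(forward_spec "$LOCAL_PORT" "$DOMAIN_ENDPOINT")" "$BASTION"
  echo "Tunnel up: browse to https://${DOMAIN_ENDPOINT}/_dashboards" >&2
  if [ "$LOCAL_PORT" -lt 1024 ]; then
    sudo ssh "$@"
  else
    ssh "$@"
  fi
}

# Usage: sh tunnel.sh up
if [ "${1:-}" = "up" ]; then
  ensure_hosts_entry
  open_tunnel
fi
```

The domain's security group must allow inbound 443 from the bastion's security group for the forward to connect, and the /etc/hosts line should be removed when you are done, otherwise the hostname silently stops resolving to the real endpoint on that workstation.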
Use an NGINX proxy
- Advantages: Setup is easier, because only server-side configuration is required. Uses standard HTTP (port 80) and HTTPS (port 443).
- Disadvantages: Requires a proxy server. The security of the connection depends on how the proxy is configured: it terminates TLS itself, so it needs its own certificate, and any client that can reach it can attempt to sign in unless you restrict the allowed source addresses.
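As an added example (not the article's or AWS's own code), the script below renders and installs an NGINX server block for this setup. Two things distinguish it from a plain reverse proxy: cookies and response bodies are rewritten from the domain endpoint hostname to the proxy hostname so the browser keeps talking to the proxy, and the Cognito hosted-UI paths (login, oauth2, error, and so on) are proxied to the Cognito domain, because the sign-in flow bounces between the two. An allow/deny pair limits who can reach the proxy at all. The endpoint, Cognito domain, proxy hostname and client CIDR are placeholder assumptions, and the certificate paths are assumed to exist.

```shell
#!/bin/sh
# Added example, not from the AWS article: render an NGINX reverse-proxy config for a
# VPC-only OpenSearch Dashboards domain that uses Cognito sign-in. All names are
# placeholders (assumptions); the proxy's TLS certificate is assumed to be installed
# at /etc/nginx/cert.crt and /etc/nginx/cert.key.
set -eu

DOMAIN_ENDPOINT="${DOMAIN_ENDPOINT:-vpc-example-abc123.us-east-1.es.amazonaws.com}"
COGNITO_HOST="${COGNITO_HOST:-example-auth.auth.us-east-1.amazoncognito.com}"
PROXY_HOST="${PROXY_HOST:-dashboards.example.com}"
ALLOW_CIDR="${ALLOW_CIDR:-198.51.100.0/24}"

# render_nginx_conf ENDPOINT COGNITO_HOST PROXY_HOST CIDR: print the server block.
render_nginx_conf() {
  endpoint="$1"; cognito="$2"; host="$3"; cidr="$4"
  cat <<EOF
server {
    listen 443 ssl;
    server_name ${host};

    ssl_certificate     /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the allowed client range may use the proxy; everyone else gets 403.
    allow ${cidr};
    deny  all;

    rewrite ^/$ https://${host}/_dashboards redirect;

    location /_dashboards {
        proxy_pass https://${endpoint}/_dashboards;
        # Rewrite cookies and bodies so links and session cookies stay on the proxy host.
        proxy_cookie_domain ${endpoint} ${host};
        proxy_set_header Accept-Encoding "";
        sub_filter_types *;
        sub_filter ${endpoint} ${host};
        sub_filter_once off;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    # Cognito hosted-UI paths used during sign-in, sign-out and the OAuth2 callback.
    location ~ /(log|sign|error|fav|forgot|change|saml|oauth2) {
        proxy_pass https://${cognito};
        proxy_cookie_domain ${cognito} ${host};
        proxy_cookie_path / /;
        proxy_set_header Accept-Encoding "";
        sub_filter_types *;
        sub_filter ${cognito} ${host};
        sub_filter_once off;
    }
}
EOF
}

install_conf() {
  render_nginx_conf "$DOMAIN_ENDPOINT" "$COGNITO_HOST" "$PROXY_HOST" "$ALLOW_CIDR" \
    | sudo tee /etc/nginx/conf.d/dashboards.conf >/dev/null
  # Validate before reloading so a bad render cannot take the proxy down.
  sudo nginx -t && sudo systemctl reload nginx
}

# Usage: sh proxy.sh install
if [ "${1:-}" = "install" ]; then install_conf; fi
```

The Cognito app client's callback and sign-out URLs must list the proxy hostname as well as the domain endpoint, or Cognito refuses the redirect; and the proxy host's security group should only admit 443 from the same client range, so the NGINX allow list is not the only control.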
(Optional) If fine-grained access control (FGAC) is enabled, map the Amazon Cognito authenticated role
If fine-grained access control (FGAC) is enabled on your OpenSearch Service cluster and users sign in through Amazon Cognito, they might see a missing role error: the IAM role that the Cognito identity pool assigns to authenticated users is not mapped to any OpenSearch Security role, so the security plugin has no permissions to grant. The quickest fix is to make that role the master user. Note that this gives every Cognito-authenticated user full access to the domain; where that is too broad, map the role to a narrower security role instead. To set it as the master user, perform the following steps:
1. Sign in to your AWS Management Console.
2. Under Analytics, choose OpenSearch Service, and then choose your domain.
3. Choose Actions.
4. Choose Modify master user.
5. Choose Set IAM ARN as your master user.
6. In the IAM ARN field, add the Amazon Cognito authenticated ARN role.
7. Choose Submit.
For more information about fine-grained access control, see Tutorial: IAM master user and Amazon Cognito.
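If making the Cognito authenticated role the master user is more access than you want to hand out, the script below (an added example, not from the AWS article) maps that IAM role as a backend role of a narrower OpenSearch Security role through the security plugin's REST API instead. It assumes the target role already exists (the name dashboards_readers is a placeholder; the built-in kibana_user role is the usual companion for Dashboards access), that the requests are signed as the IAM master user with awscurl (https://github.com/okigan/awscurl), and that they are sent from inside the VPC, for instance through the SSH tunnel or proxy described on this page. The endpoint, region and ARN are placeholders.

```shell
#!/bin/sh
# Added example, not from the AWS article: map the Cognito authenticated IAM role to a
# least-privilege OpenSearch Security role rather than making it the master user.
# All values below are placeholders (assumptions). awscurl signs the request with the
# caller's IAM credentials (SigV4), which must belong to the IAM master user.
# Domains still running Elasticsearch versions use _opendistro/_security instead of
# _plugins/_security.
set -eu

DOMAIN_ENDPOINT="${DOMAIN_ENDPOINT:-vpc-example-abc123.us-east-1.es.amazonaws.com}"
REGION="${REGION:-us-east-1}"
TARGET_ROLE="${TARGET_ROLE:-dashboards_readers}"   # assumed to exist already
COGNITO_AUTH_ROLE_ARN="${COGNITO_AUTH_ROLE_ARN:-arn:aws:iam::123456789012:role/Cognito_ExampleAuth_Role}"

# rolesmapping_body ARN: the JSON the security plugin expects for a role mapping.
# The IAM role goes under backend_roles; users and hosts stay empty.
rolesmapping_body() {
  printf '{"backend_roles":["%s"],"hosts":[],"users":[]}' "$1"
}

# mapping_url ENDPOINT ROLE: the PUT/GET target for one named role mapping.
mapping_url() {
  printf 'https://%s/_plugins/_security/api/rolesmapping/%s' "$1" "$2"
}

apply_mapping() {
  url="$(mapping_url "$DOMAIN_ENDPOINT" "$TARGET_ROLE")"
  # PUT replaces the mapping for TARGET_ROLE; add any other backend roles you need
  # to the same body, because a PUT does not merge.
  awscurl --service es --region "$REGION" -X PUT \
    -H 'Content-Type: application/json' \
    -d "$(rolesmapping_body "$COGNITO_AUTH_ROLE_ARN")" "$url"
  echo
  # Read it back: the ARN should now appear under backend_roles.
  awscurl --service es --region "$REGION" "$url"
  echo
}

# Usage: sh map-cognito-role.sh apply
if [ "${1:-}" = "apply" ]; then apply_mapping; fi
```

After the mapping is in place, a user who signs in through Cognito is granted whatever the target role allows and nothing more, which is the behaviour you want when the identity pool admits a broad user base.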
Use a VPN
- Advantages: Secure connection between your on-premises equipment (or individual clients) and your VPCs. AWS Site-to-Site VPN uses IPsec to connect a whole network; AWS Client VPN uses OpenVPN (TLS) over TCP or UDP port 443 to connect individual users.
- Disadvantages: Requires VPN setup and client-side configuration.
For more information, see What is AWS Site-to-Site VPN.
Note: Whichever method you use, the traffic still has to reach the domain inside the VPC. To allow or restrict access, modify the VPC network configuration and the security groups associated with the OpenSearch Service domain so that inbound HTTPS (port 443) is permitted only from the proxy, bastion, or VPN source you chose. For more information, see Testing VPC domains.