Cost Optimization Monitor

Security

The AWS Cloud provides a scalable, highly reliable platform that helps customers deploy applications and data quickly and securely. When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This shared model can reduce your operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, you assume responsibility and management of the guest operating system (including updates and security patches), other associated applications, as well as the configuration of the AWS-provided security group firewall. For more information about security on AWS, visit the AWS Security Center.

Security Groups

The security groups created in this solution are designed to control and isolate network traffic between the Amazon EC2 instance and your Amazon ES domain. Traffic to port 22 and port 80 is restricted to the range specified in the Access CIDR Block AWS CloudFormation parameter. The security group for the Amazon ES domain is restricted to allow traffic from only the solution’s Amazon EC2 instance. We recommend that you review the security groups and adjust access settings as needed once the deployment is up and running.

Additional Security Settings

An Nginx proxy is added to the architecture to enable strict security controls and limit the exposure of data stored in Amazon ES. The proxy server acts as an intermediary between the Kibana client web browser and the Amazon ES domain endpoint, filtering requests and then forwarding them to Amazon ES from a single, authenticated IP address.

The proxy server uses two security mechanisms to handle inbound requests from Kibana: authentication (user name and password) and IP restriction (security group). When an end user attempts to access the domain dashboard, a login prompt appears. The Kibana client forwards the user name and password along with the requester’s source IP address to the proxy server for evaluation. If the credentials match and the source IP address is within the approved range, the proxy server then passes the request to the Amazon ES endpoint. When the Amazon ES endpoint has responded, the proxy server returns that information to the client's web browser.
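The two controls described above, written out as an Nginx server block. This is an added example, not the configuration shipped with the solution: the CIDR 203.0.113.0/24 stands in for the Access CIDR Block parameter, the Amazon ES endpoint host name is a placeholder, and the htpasswd path is assumed.

```nginx
# Added example (not the solution's own configuration).
# Assumed values: 203.0.113.0/24 = Access CIDR Block parameter,
# search-PLACEHOLDER.us-east-1.es.amazonaws.com = the domain endpoint.
server {
    # The solution exposes the proxy on port 80. Basic credentials travel
    # base64-encoded, so terminating TLS here (listen 443 ssl) is the usual
    # hardening step once a certificate is available.
    listen 80;
    server_name _;

    # IP restriction: the security group already limits port 80 to the
    # Access CIDR Block; repeating it here keeps the proxy safe if the
    # security group is later loosened.
    allow 203.0.113.0/24;
    deny  all;

    # Authentication: HTTP Basic against a local htpasswd file
    # (created with: htpasswd -c /etc/nginx/.htpasswd kibana).
    auth_basic           "Kibana";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Send browsers straight to the Kibana plugin path on the domain.
    location = / {
        return 302 /_plugin/kibana/;
    }

    location / {
        proxy_pass         https://search-PLACEHOLDER.us-east-1.es.amazonaws.com;
        proxy_http_version 1.1;
        proxy_set_header   Host search-PLACEHOLDER.us-east-1.es.amazonaws.com;

        # Do not forward the browser's Basic credentials to Amazon ES: the
        # domain's access policy trusts the proxy's source IP, not these
        # credentials, so the header would only leak them upstream.
        proxy_set_header   Authorization "";

        # Informational only; Amazon ES sees the proxy as the single origin.
        proxy_set_header   X-Real-IP       $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The Amazon ES domain access policy then only needs to permit the proxy instance's public IP address, which is the "single, authenticated IP address" the architecture relies on.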

Note that Kibana is JavaScript based and, therefore, all requests that it forwards originate from unauthenticated end-user IP addresses. Customers can configure IP-based access policies for Amazon ES domain endpoints; however, these endpoints require Signature Version 4 signing to grant access to the service. This makes it burdensome to manage requests from Kibana directly in Amazon ES, as customers would need to manage a whitelist of individual IP addresses. The Nginx proxy server simplifies the management of inbound traffic while providing an authenticated, single origin for all requests to Amazon ES. For more information, see How to Control Access to Your Amazon Elasticsearch Service Domain in the AWS Security Blog.