Amazon Elasticsearch Service
Developer Guide (API Version 2015-01-01)


The following sections offer solutions to common problems that you might encounter when you use services and products that integrate with Amazon Elasticsearch Service (Amazon ES).

For information about service-specific errors, see Handling AWS Service Errors in this guide.

Kibana: I Can't Access Kibana

The Kibana endpoint doesn't support signed requests. If the access control policy for your domain only grants access to certain IAM users or roles, you might receive the following error when you attempt to access Kibana:

"User: anonymous is not authorized to perform: es:ESHttpGet"

If your Amazon ES domain uses VPC access, you might not receive that error. Instead, the request might time out. To learn more about correcting this issue and the various configuration options available to you, see Controlling Access to Kibana, About Access Policies on VPC Domains, and Amazon Elasticsearch Service Access Control.
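The following added example (not part of the AWS guide) checks a domain access policy for the condition described above: whether any Allow statement can match an unsigned `es:ESHttpGet` request from a browser. The sample policy, account ID, role, domain name and CIDR are constructed placeholders, and the check is a simplification that ignores Deny statements, NotPrincipal, NotAction and Resource matching.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy; the account ID, role, domain and CIDR are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-role"},
     "Action": "es:*",
     "Resource": "arn:aws:es:us-west-1:123456789012:domain/example-domain/*"},
    {"Effect": "Allow",
     "Principal": {"AWS": "*"},
     "Action": "es:ESHttp*",
     "Resource": "arn:aws:es:us-west-1:123456789012:domain/example-domain/*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}}},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True if the Principal element matches unsigned callers: "*" or {"AWS": "*"}."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def _covers(actions, wanted="es:ESHttpGet"):
    """IAM action names are case-insensitive and may contain * wildcards."""
    return any(fnmatchcase(wanted.lower(), a.lower()) for a in _as_list(actions))

def unsigned_get_statements(policy_json):
    """Return (index, has_condition) for each Allow statement that an unsigned
    es:ESHttpGet request, such as a browser loading Kibana, could match."""
    hits = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if (stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal"))
                and _covers(stmt.get("Action", []))):
            hits.append((i, bool(stmt.get("Condition"))))
    return hits

def diagnose(policy_json):
    hits = unsigned_get_statements(policy_json)
    if not hits:
        return "blocked: no statement admits unsigned requests, expect 'User: anonymous is not authorized'"
    if any(not conditioned for _, conditioned in hits):
        return "open: unsigned requests are allowed with no Condition"
    return "restricted: unsigned requests are allowed only under a Condition such as aws:SourceIp"

if __name__ == "__main__":
    print(diagnose(SAMPLE_POLICY))
```

A result of "open" deserves the same attention as "blocked": it means the policy places no restriction on who can query the domain.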

Kibana: I Get a Browser Error When I Use Kibana to View My Data

Your browser wraps service error messages in HTTP response objects when you use Kibana to view data in your Amazon ES domain. You can use developer tools commonly available in web browsers, such as Developer Mode in Chrome, to view the underlying service errors and assist your debugging efforts.

To view service errors in Chrome

  1. From the menu, choose View, Developer, Developer Tools.

  2. Choose the Network tab.

  3. In the Status column, choose any HTTP session with a status of 500.

    For example, the following service error message indicates that a search request likely failed for one of the reasons shown in the following table:

    "Request to Elasticsearch failed: {"error":"SearchP…be larger than limit of [5143501209/4.7gb]]; }]"}"

    | Potential Cause | Workaround |
    | --- | --- |
    | You reached the JVM request memory circuit breaker. The request breaker specifies the percentage of JVM memory used to respond to a service request. | You can configure JVM circuit breakers to work around this failure. For more information about configuring JVM circuit breakers, see JVM OutOfMemoryError in Handling AWS Service Errors in this guide. |
    | You specified a generic regular expression in your Kibana dashboard, such as logstash*. | Use a more restrictive regular expression, such as limiting results to a subset of indices over a time period of the last seven days. |

To view service errors in Firefox

  1. From the menu, choose Tools, Web Developer, Network.

  2. Choose any HTTP session with a status of 500.

  3. Choose the Response tab to view the service response.

Domain Creation: Unauthorized Operation When Selecting VPC Access

When you create a new domain using the Amazon ES console, you have the option to select public access or VPC access. If you select VPC access, Amazon ES queries for VPC information and fails if you don't have the right policies associated with your user credentials. The error message follows:

You are not authorized to perform this operation. (Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation

To enable this query, you must have access to the ec2:DescribeVpcs, ec2:DescribeSubnets, and ec2:DescribeSecurityGroups operations. This requirement is only for the console. If you use the AWS CLI to create and configure a domain with a VPC endpoint, you don't need access to those operations.

Domain Creation: Stuck at Loading After Choosing VPC Access

After creating a new domain that uses VPC access, the domain's Configuration state might never progress beyond Loading. If this issue occurs, you likely have AWS Security Token Service (AWS STS) disabled for your region.

To add VPC endpoints to your VPC, Amazon ES needs to assume the AWSServiceRoleForAmazonElasticsearchService role. Thus, AWS STS must be enabled to create new domains that use VPC access in a given region. To learn more about enabling and disabling AWS STS, see the IAM User Guide.

SDKs: I Get Certificate Errors When I Try to Use an SDK

Because AWS SDKs use the CA certificates from your computer, changes to the certificates on the AWS servers can cause connection failures when you attempt to use an SDK. Error messages vary, but typically contain the following text:

Failed to query Elasticsearch ... SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

You can prevent these failures by keeping your computer's CA certificates and operating system up-to-date. If you encounter this issue in a corporate environment and do not manage your own computer, you might need to ask an administrator to assist with the update process.

The following list shows minimum operating system and Java versions:

  • Microsoft Windows versions that have updates from January 2005 or later installed contain at least one of the required CAs in their trust list.

  • Mac OS X 10.4 with Java for Mac OS X 10.4 Release 5 (February 2007), Mac OS X 10.5 (October 2007), and later versions contain at least one of the required CAs in their trust list.

  • Red Hat Enterprise Linux 5 (March 2007), 6, and 7 and CentOS 5, 6, and 7 all contain at least one of the required CAs in their default trusted CA list.

  • Java 1.4.2_12 (May 2006), 5 Update 2 (March 2005), and all later versions, including Java 6 (December 2006), 7, and 8, contain at least one of the required CAs in their default trusted CA list.

The three certificate authorities are:

  • Amazon Root CA 1

  • Starfield Services Root Certificate Authority - G2

  • Starfield Class 2 Certification Authority

Root certificates from the first two authorities are available from Amazon Trust Services, but keeping your computer up-to-date is the more straightforward solution. To learn more about ACM-provided certificates, see AWS Certificate Manager FAQs.


Currently, Amazon ES domains in the us-east-1 region use certificates from a different authority. We plan to update the region to use these new certificate authorities in the near future.
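The following added example (not part of the AWS guide) checks whether the trust store that Python's `ssl` module loads by default contains at least one of the three root CAs listed above. It matches on the certificate subject's commonName or organizationalUnitName; other SDK runtimes, such as Java, keep their own trust stores and are not covered.

```python
import ssl

# Root CA names listed on this page. Two are identified by commonName; the
# Starfield Class 2 root carries its name in organizationalUnitName instead.
REQUIRED_ROOTS = (
    "Amazon Root CA 1",
    "Starfield Services Root Certificate Authority - G2",
    "Starfield Class 2 Certification Authority",
)

def subject_names(cert):
    """Collect commonName and organizationalUnitName values from a cert dict
    in the format returned by ssl.SSLContext.get_ca_certs()."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key in ("commonName", "organizationalUnitName"):
                names.add(value)
    return names

def trusted_required_roots(ca_certs):
    """Return the required root names present in ca_certs, in page order."""
    present = set()
    for cert in ca_certs:
        present |= subject_names(cert)
    return [name for name in REQUIRED_ROOTS if name in present]

def check_local_trust_store():
    """Inspect the default trust store Python would use for HTTPS."""
    ctx = ssl.create_default_context()
    found = trusted_required_roots(ctx.get_ca_certs())
    return found, bool(found)  # the page requires at least one of the three

if __name__ == "__main__":
    found, ok = check_local_trust_store()
    print("trusted required roots:", found or "none")
    print("OK" if ok else "update the operating system CA bundle")
```

On systems where OpenSSL reads roots from a hashed certificate directory rather than a single bundle file, `get_ca_certs()` can return an empty list even though the roots are trusted, so treat a negative result as a prompt to inspect the store directly.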