Tutorial: IAM master user and Amazon Cognito - Amazon OpenSearch Service

Tutorial: IAM master user and Amazon Cognito

This tutorial covers a popular fine-grained access control use case: an IAM master user with Amazon Cognito authentication for OpenSearch Dashboards. Although these steps use the Amazon Cognito user pool for authentication, this same basic process works for any Cognito authentication provider that lets you assign different IAM roles to different users.


This tutorial assumes you have two existing IAM roles, one for the master user and one for more limited users. If you don't have two roles, create them.

To get started with fine-grained access control

  1. Create a domain with the following settings:

    • OpenSearch 1.0 or later, or Elasticsearch 7.8 or later

    • Public access

    • Fine-grained access control enabled with an IAM role as the master user (IAMMasterUserRole for the rest of this tutorial)

    • Amazon Cognito authentication enabled for OpenSearch Dashboards. For instructions to enable Cognito authentication and select a user and identity pool, see Configuring a domain to use Amazon Cognito.

    • The following access policy:

      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "*" ] }, "Action": [ "es:ESHttp*" ], "Resource": "arn:aws:es:region:account:domain/domain-name/*" } ] }
    • HTTPS required for all traffic to the domain

    • Node-to-node encryption

    • Encryption of data at rest

  2. Navigate to the IAM console and choose Roles.

  3. Choose IAMMasterUserRole and go to the Trust relationships tab.

  4. Choose Edit trust relationship, and ensure that the Amazon Cognito identity pool can assume the role. You should see the following statement:

    { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "identity-pool-id" }, "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" } } }] }
  5. Choose Update Trust Policy.

  6. Add the same trust policy to a second IAM role (IAMLimitedUserRole for the rest of this tutorial).

  7. Navigate to the Amazon Cognito console and choose User pools.

  8. Choose Create user, specify a user name of master-user and a password, and then choose Create user.

  9. Create another user named limited-user.

  10. Go to the Groups tab and then choose Create group.

  11. Name the group master-user-group, choose IAMMasterUserRole in the IAM role dropdown list, and then choose Create group.

  12. Create another group named limited-user-group that uses IAMLimitedUserRole.

  13. Choose master-user-group, choose Add user to group, and then add master-user.

  14. Choose limited-user-group, choose Add user to group, and then add limited-user.

  15. Go to the App integration tab. Under App clients and analytics, note the client ID for your domain.

  16. Choose Federated Identities from the left navigation pane, choose your identity pool, and then choose Edit identity pool.

  17. Expand Authentication providers, find your user pool ID and the app client ID for your domain, and then change Use default role to Choose role from token.

  18. For Role resolution, choose DENY. With this setting, users must be in a group to receive an IAM role after authenticating.

  19. Choose Save Changes.

  20. Navigate to OpenSearch Dashboards.

  21. Sign in with master-user.

  22. Choose Add sample data and add some sample flight data.

  23. Choose Security, Roles, Create role.

  24. Name the role new-role.

  25. For index permissions, specify opensearch_dashboards_sample_data_fli* for the index pattern (kibana_sample_data_fli* on Elasticsearch domains).

  26. For the action group, choose read.

  27. For Document level security, specify the following query:

    { "match": { "FlightDelay": true } }
  28. For field-level security, choose Exclude and specify FlightNum.

  29. For Anonymization, specify Dest.

  30. Choose Create.

  31. Choose Mapped users, Manage mapping. Then add the ARN for IAMLimitedUserRole as an external identity and choose Map.

  32. Return to the list of roles and choose opensearch_dashboards_user. Choose Mapped users, Manage mapping. Add the ARN for IAMLimitedUserRole as a backend role and choose Map.

  33. In a new, private browser window, navigate to Dashboards, sign in using limited-user, and then choose Explore on my own.

  34. Go to Dev Tools and run the default search:

    GET _search { "query": { "match_all": {} } }

    Note the permissions error. limited-user doesn't have permissions to run cluster-wide searches.

  35. Run another search:

    GET opensearch_dashboards_sample_data_flights/_search { "query": { "match_all": {} } }

    Note that all matching documents have a FlightDelay field of true, an anonymized Dest field, and no FlightNum field.

  36. In your original browser window, signed in as master-user, choose Dev Tools, and then perform the same searches. Note the difference in permissions, number of hits, matching documents, and included fields.