How do I assign read permissions to users who access Amazon Cognito’s user pools with OpenSearch?

4 minute read

I don’t want all my users in Amazon Cognito to have full access to the user pools when they use the OpenSearch dashboards.

Short Description

Restricting OpenSearch data to read permissions at user level makes sure that the data remains secure, with access granted only to authorized users. Read permissions allow users to only view or read the data that OpenSearch indexed. Restricted access prevents the users from modifying, deleting, or adding any data to the OpenSearch dashboard.

Resolution

When FGAC isn't activated on your domain

When you don't have fine-grained access control (FGAC) on your OpenSearch domain, use the domain access policy of the OpenSearch cluster to restrict access. This gives read-only access to your Amazon Cognito users. Set the EsshttpGet permissions to the role associated with the Amazon Cognito sign-in.

Example GET Domain Access Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:role/Cognito_<identity-pool-name>Auth_Role"
      },
      "Action": "es:ESHttpGet",
      "Resource": "arn:aws:es:<region>:<account-id>:domain/<opensearch-domain-name>/"
    }
  ]
}

Note: Replace <identity-pool-name> with your Amazon Cognito identity pool name and <opensearch-domain-name> with your OpenSearch domain name.

For more information, see Configuring a domain to use Amazon Cognito authentication.

After you apply the policy, test it. Send a signed request to your domain. You can now perform only GET operations on the domain.

When FGAC is activated on your OpenSearch cluster

Follow these steps:

Log in to the Amazon Cognito console.
Choose your user pool to open its configuration. Then, choose Create user.
Create a user named limited-user.
Note: You can use any name that you want. This name is used just to identify the read-only users.
Create an AWS Identity and Access management (IAM) role for the limited-user (for example, LimitedUserRole). As a primary user, use this role to assign limited access to certain users. For more information on setting up an IAM role, see Creating a role to delegate permissions to an AWS service.

Assign this trusted policy to the LimitedUserRole:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com :aud": "<identity-pool-id>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com :amr": "authenticated"
        }
      }
    }
  ]
}

Note: Replace <identity-pool-id> with your Amazon Cognito identity pool ID.

Create a custom inline policy that gives only read permissions to the OpenSearch domain. Refer to this example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOpenSearchReadAccess",
      "Effect": "Allow",
      "Action": [
        "es:ESHttpGet"
      ],
      "Resource": "arn:aws:es:<region>:<account-id>:domain/"
    }
  ]
}

Create a group called limited-user-group in Amazon Cognito. Then, attach the LimitedUserRole IAM role to the newly created group. For more information, see Adding groups to a user pool.
Choose limited-user-group. Then, add the user limited-user you created earlier to this group. Continue to add as many users as you need to this group. Members of this group have read-only permissions to the OpenSearch dashboard.

Map the limited-user to a role in the OpenSearch dashboard

Log in to the OpenSearch dashboard as the primary user. Choose Security, and then choose Roles. You can either create a new role in the OpenSearch dashboard or map the limited-user role with an existing role in the OpenSearch dashboard.
Note: You can also try to use the readall_and_monitor or the readall inbuilt role. The permission set that you use depends on your use case.
Select the role from the OpenSearch dashboard. Then, map the limited-user role to it.
Log in as a limited user. Note that you can't perform any write operations on the OpenSearch dashboard.

Topics

Serverless Analytics

Relevant content

Permission problem with OpenSearch to Athena connector
Accepted Answer
lorek-naviparking
asked 8 months ago
What permissions are required to grant for read-only workbench on OpenSearch
Sarath
asked 9 months ago
error when assigning permission sets to user group
seargex
asked 7 months ago
How to grant users read only permission to Athena
Accepted Answer
Kyle_T
asked 4 years ago
assign lake formation tags permissions to users
Krishna
asked a year ago
How do I grant Full Access permissions to another user in WorkMail?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?
AWS OFFICIALUpdated a year ago
How can I allow Amazon Redshift database regular users permission to view data in system tables from other users for my cluster?
AWS OFFICIALUpdated a year ago
How do I integrate Amazon SES with an Amazon Cognito user pool?
AWS OFFICIALUpdated a year ago
How to customize audit logs in OpenSearch to see which queries were run by users?
EXPERT
Cathy W
published 2 months ago