Use identity-based policy for access to OpenSearch domain



My question is regarding the access/resource-based policy you set on OpenSearch domain versus the identity-based policy that e.g., is attached to a Lambda's execution role.

I want to control access to my OpenSearch domain solely by attaching permissions to the identity-based policy that are used by a Lambda's execution role.

I'm using CDK to create the infrastructure and permissions, so I use the grantReadIndex, grantRead, etc. to allow Lambdas to call the OpenSearch domain. The grantRead, grantReadIndex, etc., only update the policies attached to the Lambda's execution role, and not the access policy of OpenSearch. Restricting using principals in the OpenSearch's access policy does not fit with my current setup in CDK, as there is no way to reference the Lambda's execution role from the OpenSearch construct.

Looking at the documentation regarding When policies collide I can identify the requirement needed for my scenario of controlling access solely by identity-based policy: I need the resource-based policy, which in this case is OpenSearch's access policy, to neither allow nor deny the request, as it will then evaluate the identity-based policy.

Now to the point. I can't leave OpenSearch's access policy empty, as that is not allowed. I can use the option "Do not set domain level access policy", but that actually sets a policy that denies all requests, which will deny all requests even if the identity-based policy allows it.

Leaving the "Allow" statement without a condition will allow any Lambda with an attached policy that does not include a deny statement with OpenSearch permissions to call the OpenSearch statement.

As a workaround, I can set an "Allow" statement in the OpenSearch access policy with a condition that none of the Lambdas calling the OpenSearch domain will fulfil. This means that the OpenSearch's access policy neither allows nor denies the request, and it will evaluate the identity-based policy, which is what I want.

Is there any other solution to my problem that does not include adding a condition to the access policy just to ensure we neither allow nor deny the request, or adding the Lambda's execution role as a principal because of my CDK setup?
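An added example, not part of the question or the answer, that models the "policies collide" logic the question relies on for a same-account IAM role calling the domain. It is a simplified evaluator (only StringEquals conditions), and the ARNs, the tag key and the policy JSON are constructed for illustration:

```python
from fnmatch import fnmatchcase

DOMAIN = "arn:aws:es:eu-west-1:111122223333:domain/demo/*"          # constructed
ROLE = "arn:aws:iam::111122223333:role/lambda-exec"                  # constructed
REQ = "arn:aws:es:eu-west-1:111122223333:domain/demo/logs/_search"   # constructed

def _match(pattern, value):
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in pats)

def _principal_ok(principal, arn):
    if principal == "*":
        return True
    return _match(principal.get("AWS", []), arn)

def _conditions_hold(cond, ctx):
    # Only StringEquals is modelled; a key absent from the request context
    # fails the test, which is the "condition nobody fulfils" trick from the post.
    return all(ctx.get(k) == v for k, v in cond.get("StringEquals", {}).items())

def evaluate(policy, arn, action, resource, ctx, resource_based):
    """Return 'Allow', 'Deny', or None when the policy neither allows nor denies."""
    verdict = None
    for st in policy.get("Statement", []):
        if resource_based and not _principal_ok(st.get("Principal", {}), arn):
            continue
        if not (_match(st["Action"], action) and _match(st["Resource"], resource)):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny in either policy wins outright
        verdict = "Allow"
    return verdict

def is_allowed(access_policy, identity_policy, action, resource=REQ, ctx=None):
    """Same-account decision: explicit Deny anywhere wins, otherwise any Allow suffices."""
    ctx = ctx or {}
    r = evaluate(access_policy, ROLE, action, resource, ctx, resource_based=True)
    i = evaluate(identity_policy, ROLE, action, resource, ctx, resource_based=False)
    return "Deny" not in (r, i) and "Allow" in (r, i)

# The three domain access policies discussed in the question (constructed JSON):
DENY_ALL = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "es:*", "Resource": DOMAIN}]}
ALLOW_ANYONE = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "es:ESHttp*", "Resource": DOMAIN}]}
ALLOW_NOBODY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "es:ESHttp*", "Resource": DOMAIN,
    "Condition": {"StringEquals": {"aws:PrincipalTag/never-set": "x"}}}]}  # tag key is constructed
# Identity-based policy roughly like what grantReadIndex attaches to the Lambda role (simplified):
IDENTITY_READ = {"Statement": [{"Effect": "Allow", "Action": ["es:ESHttpGet", "es:ESHttpHead"], "Resource": DOMAIN}]}
```

Running the four access-policy variants through `is_allowed` shows why only the never-fulfilled condition (or the blank policy) lets the execution role's own permissions decide.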

1 Answer


Firstly, thank you for sharing your issue in detail.

As you also mentioned, the recommended way would be to set an "Allow" statement in the OpenSearch access policy which allows an IAM User/Role in the condition, if you have one for your existing Lambda or other service.

There are other not recommended workarounds, i.e., using a proxy server in front of the OpenSearch service, or setting the resource-based policy to blank, which can be done using the following command:

aws opensearch update-domain-config --domain-name fgac-env --access-policies ""

Note: This way would come under "neither allowed nor denied" in the resource-based policy. However, the next time you try to update any security configuration using the UI it will throw an error, and the way to update it is using the CLI/CDK.

I suggest you reach out to the AWS Support Engineering team; according to your use case they will be able to help you with a custom solution according to the security enforced for your OpenSearch cluster.

answered 5 months ago
