The AWS documentation on ElasticSearch access control talks about how to grant access to the ES domain's subresources while preventing changes to the domain's configuration, by creating an ES domain resource policy and setting the resource to the ES domain ARN followed by /*. For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/test-user"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-west-1:987654321098:domain/test-domain/*"
    }
  ]
}
In this example, test-user is granted rights to perform actions on the ES domain subresources but not the ES domain configuration itself.
When provisioning an AWS ES Domain using CloudFormation, one can set the resource policy with the AccessPolicies property. There is no CloudFormation resource like AWS::Elasticsearch::DomainAccessPolicy, unfortunately, and it appears that the only way to set a resource policy on an ES domain is with this property.
How can one take advantage of the types of policies recommended in the access control docs if there's no way to know the ES Domain ARN to use in the Resource field, since the ES domain hasn't yet been created at the point where the access policy is defined?
I've tried referencing the DomainArn attribute of the ES domain in the resource field of the Access Policy, but understandably that doesn't work since it creates a circular dependency.
The only solution I've thought of so far is to just wait until AWS updates CloudFormation to include an AWS::Elasticsearch::DomainAccessPolicy resource type.
The access policy attached to the ES domain only grants access to this specific ElasticSearch domain. You should be able to safely use
"Resource": "*"
as it only affects the ES domain you created.
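As an added example (not from either poster), here is a template that keeps the /* sub-resource scoping the question asks for instead of falling back to "*": when DomainName is set explicitly, the domain ARN is deterministic (arn:aws:es:region:account:domain/name), so it can be assembled with Fn::Sub from pseudo-parameters and the name parameter rather than from the resource's own DomainArn attribute, which is what caused the circular dependency. The domain name, principal ARN, ES version and instance settings below are sample values chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DomainName:
    Type: String
    Default: test-domain    # sample value; must be set explicitly so the ARN is predictable
  AllowedUserArn:
    Type: String
    Default: arn:aws:iam::123456789012:user/test-user    # sample principal from the question

Resources:
  TestDomain:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: !Ref DomainName
      ElasticsearchVersion: "6.3"    # arbitrary sample version
      ElasticsearchClusterConfig:
        InstanceType: t2.small.elasticsearch
        InstanceCount: 1
      EBSOptions:
        EBSEnabled: true
        VolumeSize: 10
        VolumeType: gp2
      # The Resource ARN is built from the account, region and the DomainName
      # parameter, not from !GetAtt TestDomain.DomainArn, so CloudFormation
      # sees no dependency of the domain on itself. The trailing /* limits the
      # grant to sub-resources (indices, _search, ...) and leaves the domain
      # configuration itself out, matching the policy quoted in the question.
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref AllowedUserArn
            Action: "es:*"
            Resource: !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*"
```

If DomainName is omitted, CloudFormation generates a name that cannot be predicted at template time, and the ARN in the policy would no longer match the domain it is attached to.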