
@asaphe
Last active May 2, 2022 18:14
Amazon Elasticsearch - Kibana Access using AWS Cognito and Google Apps

Amazon Cognito for Amazon Elasticsearch Kibana access using SAML

That is a mouthful, and the process could be clearer. It doesn't help that there is a lot of outdated information and conflicting articles out there, with links upon links pointing you every which way but the right way.

I'll use Google Apps as a SAML provider for the purpose of this gist.

Overview of the steps

The process is triggered from the AES console and requires multiple steps to configure the IAM roles and the chosen IDP.

  • Create an IDP in IAM
    • Create provider with Type: SAML
    • Create an IAM role with permissions to AES and a trust policy specifying the IDP
    • Return to this step and upload the IDP metadata once the SAML App on the IDP side has been created

    The SAML app in Google Apps can be created at this stage, but since it requires the ACS URL and Entity ID, we will do it after we get those from the Client App under the User Pool.

  • Create an AES Domain
  • Modify the domain for Amazon Cognito auth
    • Requires an Amazon ES service role that can modify the Amazon Cognito service

    Amazon usually creates that role for you, but in case of issues, create a role with the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cognito-idp:DescribeUserPool",
                "cognito-idp:CreateUserPoolClient",
                "cognito-idp:DeleteUserPoolClient",
                "cognito-idp:DescribeUserPoolClient",
                "cognito-idp:AdminInitiateAuth",
                "cognito-idp:AdminUserGlobalSignOut",
                "cognito-idp:ListUserPoolClients",
                "cognito-identity:DescribeIdentityPool",
                "cognito-identity:UpdateIdentityPool",
                "cognito-identity:SetIdentityPoolRoles",
                "cognito-identity:GetIdentityPoolRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "cognito-identity.amazonaws.com"
                }
            }
        }
    ]
}
  • Create a user pool
    • Choose email address or phone number (we are going to pass the user's email to Amazon Cognito)
    • Don't select any attributes as required (unless you want to be very strict; I don't see a benefit when there are multiple ways to do it.)

    You cannot change the required attributes once the User Pool has been created, unless you use custom attributes.

    • We will need an App Client; this is usually created by Amazon ES when we enable authentication via the AES service.

    For AES to create it for us, we only create the User Pool and move on to the Identity Pool.

  • Create an identity pool

    Requires two IAM roles (an Unauthenticated Role and an Authenticated Role)

    • Under Authentication Providers > SAML, add the IDP from step 1

At this stage we should be able to go back to the AES console, click Save changes, and let Amazon finish the process of creating the Client App and linking the User Pool and Identity Pool. This is also the stage at which you could create users directly in Amazon Cognito and use the built-in user pool.
That would defeat the purpose, though: we don't want to create a username and password for hundreds of users, nor do we want to manage separate pools of users.

  • At this stage, under the User Pool, we will have an App Integration created by Amazon ES

    • Under App client settings, select the IDPs you want to enable; in our case, the IDP we created earlier for Google Apps
    • Enable the implicit grant OAuth flow
    • Remove any flow, scope or IDP you don't wish to use
    • Under Domain name, create a unique domain that users will be redirected to for authentication (you can use your own domain and certificate)
    • Customize the app and add a logo etc. under UI Customization
  • In the Google Apps Admin Console, go to Apps > SAML Apps and choose Amazon Web Services to pre-populate the app with some required settings (it's fine to choose Custom and do it yourself)

    Important: the ACS URL and Entity ID have the following format

    • ACS URL: https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse. This is the Authentication domain under the Client App in the AWS Cognito User Pool
    • Entity ID: urn:amazon:cognito:sp:<yourUserPoolID>. This is the ID of the AWS Cognito User Pool
    • Name ID should be Basic Information > Primary Email, with the Name ID format set to EMAIL
  • Example of an AES domain access policy allowing both IAM roles and source IP ranges. Note that the first statement uses an anonymous principal ("AWS": "*"), so any caller reaching the domain from the listed ranges gets es:* without signing requests; the Cognito authenticated role only needs es:ESHttp*.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:<account_id>:domain/<domain_name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "10.0.0.0/8",
            "10.3.0.0/16",
            "192.168.0.0/16"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_id>:role/<custom_role>"
      },
      "Action": "es:ESHttp*",
      "Resource": "arn:aws:es:us-east-1:<account_id>:domain/<domain_name>/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account_id>:role/Cognito_kibanaAuth_Role"
      },
      "Action": "es:ESHttp*",
      "Resource": "arn:aws:es:us-east-1:<account_id>:domain/<domain_name>/*"
    }
  ]
}
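An added example, not part of the gist: a small Python audit for an AES domain access policy like the one above. It runs over a constructed copy of the gist's policy (placeholders kept) and flags what a reviewer would question: the anonymous principal gated only by source IP, and the es:* grant where Kibana needs only es:ESHttp*.

```python
import json

# Sample input constructed from the gist's example domain access policy
# (trailing comma removed, placeholders kept); not a live policy.
POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
     "Resource": "arn:aws:es:us-east-1:<account_id>:domain/<domain_name>/*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.0/8", "192.168.0.0/16"]}}},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::<account_id>:role/Cognito_kibanaAuth_Role"},
     "Action": "es:ESHttp*",
     "Resource": "arn:aws:es:us-east-1:<account_id>:domain/<domain_name>/*"}
  ]
}
''')


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_domain_policy(policy):
    """Return (statement_index, finding) pairs for an AES domain access policy."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        # Principal may be the bare string "*" or {"AWS": "*"} / {"AWS": [...]}
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws:
            if st.get("Condition"):
                findings.append((i, "anonymous principal gated only by a Condition: "
                                    "any caller matching it is served without SigV4"))
            else:
                findings.append((i, "anonymous principal with no Condition: open to all"))
        if any(a in ("es:*", "*") for a in _as_list(st.get("Action", []))):
            findings.append((i, "action es:* is broader than the es:ESHttp* Kibana needs"))
        if any(r == "*" or not r.startswith("arn:aws:es:")
               for r in _as_list(st.get("Resource", []))):
            findings.append((i, "resource not scoped to an es domain ARN"))
    return findings
```

Running audit_domain_policy(POLICY) reports two findings, both against the first statement; the Cognito role statement passes clean.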

drzln commented Mar 11, 2020

Thank you for writing this, it really helped me.
